Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: fips - make proc files report fips module name and version

FIPS 140-3 introduced a requirement for the FIPS module to return
information about itself, specifically a name and a version. These
values must match the values reported on FIPS certificates.

This patch adds two files to read a name and a version from:

/proc/sys/crypto/fips_name
/proc/sys/crypto/fips_version

v2: removed redundant parentheses in config entries.
v3: move FIPS_MODULE_* defines to fips.c where they are used.
v4: return utsrelease.h inclusion

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Authored by Vladis Dronov and committed by Herbert Xu
5a44749f 1353e576

+51 -5
+21
crypto/Kconfig
··· 33 33 certification. You should say no unless you know what 34 34 this is. 35 35 36 + config CRYPTO_FIPS_NAME 37 + string "FIPS Module Name" 38 + default "Linux Kernel Cryptographic API" 39 + depends on CRYPTO_FIPS 40 + help 41 + This option sets the FIPS Module name reported by the Crypto API via 42 + the /proc/sys/crypto/fips_name file. 43 + 44 + config CRYPTO_FIPS_CUSTOM_VERSION 45 + bool "Use Custom FIPS Module Version" 46 + depends on CRYPTO_FIPS 47 + default n 48 + 49 + config CRYPTO_FIPS_VERSION 50 + string "FIPS Module Version" 51 + default "(none)" 52 + depends on CRYPTO_FIPS_CUSTOM_VERSION 53 + help 54 + This option provides the ability to override the FIPS Module Version. 55 + By default the KERNELRELEASE value is used. 56 + 36 57 config CRYPTO_ALGAPI 37 58 tristate 38 59 select CRYPTO_ALGAPI2
+30 -5
crypto/fips.c
··· 12 12 #include <linux/kernel.h> 13 13 #include <linux/sysctl.h> 14 14 #include <linux/notifier.h> 15 + #include <generated/utsrelease.h> 15 16 16 17 int fips_enabled; 17 18 EXPORT_SYMBOL_GPL(fips_enabled); ··· 31 30 32 31 __setup("fips=", fips_enable); 33 32 33 + #define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME 34 + #ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION 35 + #define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION 36 + #else 37 + #define FIPS_MODULE_VERSION UTS_RELEASE 38 + #endif 39 + 40 + static char fips_name[] = FIPS_MODULE_NAME; 41 + static char fips_version[] = FIPS_MODULE_VERSION; 42 + 34 43 static struct ctl_table crypto_sysctl_table[] = { 35 44 { 36 - .procname = "fips_enabled", 37 - .data = &fips_enabled, 38 - .maxlen = sizeof(int), 39 - .mode = 0444, 40 - .proc_handler = proc_dointvec 45 + .procname = "fips_enabled", 46 + .data = &fips_enabled, 47 + .maxlen = sizeof(int), 48 + .mode = 0444, 49 + .proc_handler = proc_dointvec 50 + }, 51 + { 52 + .procname = "fips_name", 53 + .data = &fips_name, 54 + .maxlen = 64, 55 + .mode = 0444, 56 + .proc_handler = proc_dostring 57 + }, 58 + { 59 + .procname = "fips_version", 60 + .data = &fips_version, 61 + .maxlen = 64, 62 + .mode = 0444, 63 + .proc_handler = proc_dostring 41 64 }, 42 65 {} 43 66 };
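
Review bot: In the crypto/Kconfig hunk, CRYPTO_FIPS_CUSTOM_VERSION has no help text and CRYPTO_FIPS_VERSION defaults to "(none)", so enabling the bool without editing the string makes fips.c define FIPS_MODULE_VERSION as "(none)", and that is what /proc/sys/crypto/fips_version would then report. The commit message says the reported values must match the FIPS certificate, so add a help entry to the bool stating that the version string must be set when it is enabled, and consider a default that cannot be mistaken for a deliberate version. The "default n" line on the bool is also redundant, since n is already the default for a bool symbol.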
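
Review bot: In the crypto/fips.c hunk, the new fips_name and fips_version entries of crypto_sysctl_table use ".maxlen = 64", a fixed number unrelated to the arrays, which are sized by their initializers from CONFIG_CRYPTO_FIPS_NAME and FIPS_MODULE_VERSION. A configured name or version longer than 64 bytes would be limited to 64 bytes when read through proc_dostring and would no longer match the certificate value the commit message requires; use ".maxlen = sizeof(fips_name)" and ".maxlen = sizeof(fips_version)" so the limit tracks the string. ".data = &fips_name" can be plain ".data = fips_name", and the whitespace-only realignment of the existing fips_enabled entry would be easier to review as a separate change.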