Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: jitter - don't limit ->health_failure check to FIPS mode

The jitterentropy's Repetition Count Test (RCT) as well as the Adaptive
Proportion Test (APT) are run unconditionally on any collected samples.
However, their result, i.e. ->health_failure, will only get checked if
fips_enabled is set, cf. the jent_health_failure() wrapper.

I would argue that an RCT or APT failure indicates that something's
seriously off and that this should always be reported as an error,
independently of whether FIPS mode is enabled or not: it should be up to
callers whether or not and how to handle jitterentropy failures.

Make jent_health_failure() unconditionally return ->health_failure,
independent of whether fips_enabled is set.

Note that fips_enabled isn't accessed from the jitterentropy code anymore
now. Remove the linux/fips.h include as well as the jent_fips_enabled()
wrapper.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Authored by Nicolai Stange and committed by Herbert Xu (b454fb70 8f797728)

11 deletions in total.

crypto/jitterentropy-kcapi.c (-6)
··· 40 40 #include <linux/kernel.h> 41 41 #include <linux/module.h> 42 42 #include <linux/slab.h> 43 - #include <linux/fips.h> 44 43 #include <linux/time.h> 45 44 #include <crypto/internal/rng.h> 46 45 ··· 57 58 void jent_zfree(void *ptr) 58 59 { 59 60 kfree_sensitive(ptr); 60 - } 61 - 62 - int jent_fips_enabled(void) 63 - { 64 - return fips_enabled; 65 61 } 66 62 67 63 void jent_panic(char *s)
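Review bot: removing jent_fips_enabled() (lines 62-65) together with the linux/fips.h include is only sound because the single caller in jitterentropy.c and the extern in jitterentropy.h are dropped in the same commit, so the three file changes must land as one unit and cannot be split or partially reverted. Note also that the entropy core reaches kernel facilities only through the jent_* wrappers declared in jitterentropy.h (jent_zalloc, jent_zfree, jent_panic, jent_memcpy, jent_get_nstime), so if fips_enabled ever needs to be consulted again it should come back as a wrapper here rather than as a direct include in jitterentropy.c.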
crypto/jitterentropy.c (-4)
··· 298 298 */ 299 299 static int jent_health_failure(struct rand_data *ec) 300 300 { 301 - /* Test is only enabled in FIPS mode */ 302 - if (!jent_fips_enabled()) 303 - return 0; 304 - 305 301 return ec->health_failure; 306 302 } 307 303
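Review bot: with the FIPS gate removed, jent_health_failure() is reduced to a plain accessor for ec->health_failure, and the comment block that closes at line 298 (its body is outside the hunk) should be checked for any remaining wording that the health check only applies in FIPS mode, since the in-function comment "Test is only enabled in FIPS mode" is the one being deleted. The commit message makes the case that an RCT/APT failure should always be surfaced, but it would help non-FIPS users to state explicitly that this makes a previously FIPS-only error path reachable for every caller of the jitterentropy RNG, so they can judge the behaviour change against the tests' false-positive characteristics.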
crypto/jitterentropy.h (-1)
··· 2 2 3 3 extern void *jent_zalloc(unsigned int len); 4 4 extern void jent_zfree(void *ptr); 5 - extern int jent_fips_enabled(void); 6 5 extern void jent_panic(char *s); 7 6 extern void jent_memcpy(void *dest, const void *src, unsigned int n); 8 7 extern void jent_get_nstime(__u64 *out);
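Review bot: dropping the extern at line 5 is the correct companion to the kcapi.c removal and has a useful side effect: any call to jent_fips_enabled() left behind elsewhere would now fail at compile time as an undeclared function rather than surfacing later as a missing symbol at link time, which makes the completeness of the three-file removal self-checking. No further change needed in this header.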