From: Herbert Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_438039159 On Tue, Oct 20, 2020 at 02:50:15PM +0200, Ondrej Mosnacek wrote: > > Looking at the current state of SM* configs in ARK, there seems to be > some disconnect: > > ark/generic/CONFIG_CRYPTO_SM3:# CONFIG_CRYPTO_SM3 is not set > ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE:CONFIG_CRYPTO_SM3_ARM64_CE=m > ark/generic/CONFIG_CRYPTO_SM4:# CONFIG_CRYPTO_SM4 is not set > ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE:CONFIG_CRYPTO_SM4_ARM64_CE=m > ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE:# > CONFIG_CRYPTO_SM3_ARM64_CE is not set > ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4:CONFIG_CRYPTO_SM4=m > > Why is CONFIG_CRYPTO_SM4 enabled only on aarch64? Why is > CONFIG_CRYPTO_SM3_ARM64_CE enabled, but CONFIG_CRYPTO_SM3 is not? > These should be consolidated. > > Herbert, what is your opinion? I guess we would like to have the > Chinese algorithms enabled on ARK/RHEL? It seems very likely that some > Chinese customers would want them. I agree, setting these options all to m would make sense. > I'd be inclined to recommend disabling this (and the 4 corresponding > configs - see [1]) in both Fedora and ARK. These somewhat obscure > algorithms have no in-kernel users and it is very unlikely that they > would be used from userspace (via dm-crypt/AF_ALG). Opinions? > > [1] https://lore.kernel.org/linux- crypto/20200911141103.14832-1-ardb@xxxxxxxxxx/ Yes we should do that. > > CONFIG_CRYPTO_USER_API_RNG_CAVP: > > > > This option enables extra API for CAVP testing via the user-space > > interface: resetting of DRBG entropy, and providing Additional Data. > > This should only be enabled for CAVP testing. You should say > > no unless you know what this is. > > > > Symbol: CRYPTO_USER_API_RNG_CAVP [=n] > > Type : bool > > Defined at crypto/Kconfig:1895 > > Prompt: Enable CAVP testing of DRBG > > Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] > > Location: > > -> Cryptographic API (CRYPTO [=y]) > > -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y]) > > I don't know if this would be useful for some certification on RHEL, > but probably can be left disabled. Yes indeed. Thanks, _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
