[PATCH] mount.cifs.rst: add FIPS information

Add FIPS 140-2 compliance information regarding mounting SMB shares.

Signed-off-by: Enzo Matsumiya <ematsumiya@xxxxxxx>
---
 mount.cifs.rst | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/mount.cifs.rst b/mount.cifs.rst
index 9d4446f035b6..4ca46976fee6 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -376,6 +376,10 @@ sec=arg
   may be enabled automatically. Packet signing may also be enabled
   automatically if it's enabled in */proc/fs/cifs/SecurityFlags*.
 
+  For environments that requires FIPS 140-2 compliance, only ``sec=krb5`` and
+  ``sec=krb5i`` are valid. See also ``vers``. See section `SECURITY`_
+  for more information.
+
 seal
   Request encryption at the SMB layer. The encryption algorithm used
   is AES-128-CCM. Requires SMB3 or above (see ``vers``).
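Review bot: grammar in the added paragraph: "For environments that requires FIPS 140-2 compliance" should read "For environments that require FIPS 140-2 compliance" (plural subject). The same wording is repeated in the other two hunks, so fix it in all three. It would also help the reader to say here what the restriction rests on, since this paragraph is the first place a user hits it: the other ``sec=`` modes depend on MD4/MD5, which the later SECURITY section explains; a short "(the other modes rely on MD4/MD5)" before the cross-reference saves a jump.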
@@ -624,6 +628,9 @@ vers=arg
   kernels prior to v4.13, the default was ``1.0``. For kernels
   between v4.13 and v4.13.5 the default is ``3.0``.
 
+  For environments that requires FIPS 140-2 compliance, only version ``2.0`` or
+  or newer is allowed. See section `SECURITY`_ for more information.
+
 --verbose
   Print additional debugging information for the mount. Note that this
   parameter must be specified before the ``-o`` . For example::
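Review bot: the added text has a duplicated word across the line break: "only version ``2.0`` or / or newer is allowed" should be "only version ``2.0`` or newer is allowed". Same "environments that requires" -> "environments that require" as in the ``sec=`` hunk. Since the sentence is about the ``vers`` option, consider also stating that a FIPS-compliant mount needs ``sec=krb5`` or ``sec=krb5i`` in addition to ``vers=2.0`` or newer, rather than leaving that to the SECURITY section alone; the ``sec=`` paragraph already cross-references ``vers``, so the reverse pointer keeps the two consistent.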
@@ -923,6 +930,29 @@ by default at mount time. Old dialects such as CIFS (SMB1, ie vers=1.0)
 have much weaker security. Use of CIFS (SMB1) can be disabled by
 modprobe cifs disable_legacy_dialects=y.
 
+For environments that requires FIPS 140-2 compliance, the following applies:
+
+- SMB1 (``vers=1.0``) is not allowed
+- SMB2 and newer are only allowed with ``sec=krb5`` or ``sec=krb5i`` security
+  modes
+
+This is because FIPS 140-2 does not approve MD4/MD5 hashing algorithms, which
+are used either by SMB1 or the other security modes.
+
+When running a kernel in FIPS mode (i.e. with ``fips=1`` in boot command line),
+the above will be enforced, and running ``mount.cifs`` might fail.
+In the failing cases, the following error message (or similar, depending on the
+security mode) will appear in the ring buffer:
+
+  "CIFS VFS: could not allocate crypto hmacmd5"
+
+When not running a kernel in FIPS mode, the above serves only as informational
+purpose as ``mount.cifs`` does not enforce any of that.
+
+References:
+FIPS 140-2 Implementation Guide, G.6
+`https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf<https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf>`_
+
 ****
 BUGS
 ****
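Review bot: the reference hyperlink will not render as intended: reStructuredText external links need a space between the link text and the angle-bracketed target, i.e. "`FIPS 140-2 Implementation Guidance <https://csrc.nist.gov/.../fips1402ig.pdf>`_", whereas the added line has "`https://...pdf<https://...pdf>`_" with no separator and the URL repeated as the text. Several smaller points in the same hunk: "environments that requires" -> "environments that require"; "which are used either by SMB1 or the other security modes" reads better as "which are used by SMB1 and by the other security modes" ("either ... or" suggests one or the other, but the point is that both depend on MD4/MD5); "serves only as informational purpose" -> "is informational only". For the kernel message, a literal block (end the lead-in sentence with ``::`` and indent the message) is the usual convention in this file rather than an indented quoted string, and naming ``dmesg`` as the way to read the ring buffer would help users who hit the failure. Finally, "the above will be enforced" is doing a lot of work; saying explicitly that the enforcement comes from the kernel refusing to allocate the non-approved hash (which is what the quoted "could not allocate crypto hmacmd5" message shows), not from ``mount.cifs`` itself, matches the last paragraph and removes the ambiguity.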
-- 
2.34.1