On Fri, Jun 19, 2009 at 08:34:00PM +0800, Herbert Xu wrote:
> Hi Neil:
>
> Why does the CPRNG select FIPS? It should work with FIPS off
> too, no?
>
Thanks! That's definitely an oversight. Likely I included it because I was
implementing it as part of the FIPS effort. The CPRNG definitely works fine,
even if fips is disabled. Although I think the relationship should be reversed,
not just removed, as FIPS support requires the use of the CPRNG. Something like
this:

commit d9645d88d97e81c6528f311ee126df79a0d27501
Author: Neil Horman <nhorman@xxxxxxxxxxxxx>
Date:   Fri Jun 19 08:52:37 2009 -0400

    Fix CPRNG/FIPS dependency

    The ANSI CPRNG has no dependence on FIPS support. FIPS support, however,
    requires the use of the CPRNG. Adjust that dependency relationship in Kconfig

    Signed-off-by: Neil Horman <nhorman@xxxxxxxxxxxxx>

diff --git a/crypto/Kconfig b/crypto/Kconfig index 4dfdd03..f2002d8 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -23,6 +23,7 @@ comment "Crypto core or helper" config CRYPTO_FIPS bool "FIPS 200 compliance" + select CRYPTO_ANSI_CPRNG help This options enables the fips boot option which is required if you want to system to operate in a FIPS 200 @@ -782,7 +783,6 @@ config CRYPTO_ANSI_CPRNG tristate "Pseudo Random Number Generation for Cryptographic modules" select CRYPTO_AES select CRYPTO_RNG - select CRYPTO_FIPS help This option enables the generic pseudo random number generator for cryptographic modules. Uses the Algorithm specified in
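
Review bot: in the first hunk, the new "select CRYPTO_ANSI_CPRNG" sits under a bool symbol (CRYPTO_FIPS) while CRYPTO_ANSI_CPRNG is a tristate, so turning on CRYPTO_FIPS forces the CPRNG to =y, and through the CPRNG's own "select CRYPTO_AES" and "select CRYPTO_RNG" forces those to =y as well; none of the three can remain modular on a FIPS-enabled build. If that is the intent, the commit message should state it, and the CRYPTO_FIPS help text touched by this hunk should gain a sentence saying that enabling the option builds in the ANSI CPRNG, so that someone reading the resulting .config can tell why those symbols are no longer =m.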