Re: CONFIG_FIPS without module loading support?

Hello,

I've never written a patch before to the official kernel mailing list
(that I remember) so please forgive me if I didn't send this in
properly. I've generated this using git format-patch HEAD~ --stdout &>
kconfig_fix_for_fips.patch and have attached the file in this email,
gathering as much as I could from the Documentation/SubmittingPatches
page.

A few more things: in the help option for CRYPTO_ANSI_CPRNG, it says it
must be enabled if FIPS is selected, but in the dependencies for FIPS,
if DRBG is selected, then CRYPTO_ANSI_CPRNG doesn't need to be
enabled. Which one is true?

Secondly, in the help option for CRYPTO_DRBG_MENU, it says that one or
more of the DRBG types must be selected. If this is indeed true,
shouldn't the options within CRYPTO_DRBG_MENU be converted to
choice/endchoice versus just booleans? One selection for
CRYPTO_DRBG_HASH, another for CRYPTO_DRBG_CTR, and then a third option
for both? Should I submit patches for these as well,
feedback/thoughts?

Thank you!

Alec Ari

From 3f6b786edef09042ff78bc7b4d61fc5a8f8cf657 Mon Sep 17 00:00:00 2001
From: Alec Ari <neotheuser@xxxxxxxxx>
Date: Wed, 14 Sep 2016 18:52:04 -0500
Subject: [PATCH] Fix Kconfig dependencies for FIPS

Currently FIPS depends on MODULE_SIG, even if MODULES is disabled.
This change allows the enabling of FIPS without support for modules.

If module loading support is enabled, only then does
FIPS require MODULE_SIG.

Signed-off-by: Alec Ari <neotheuser@xxxxxxxxx>
---
 crypto/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 84d7148..fd28805 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -24,7 +24,7 @@ comment "Crypto core or helper"
 config CRYPTO_FIPS
 	bool "FIPS 200 compliance"
 	depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
-	depends on MODULE_SIG
+	depends on (MODULE_SIG || !MODULES)
 	help
 	  This options enables the fips boot option which is
 	  required if you want to system to operate in a FIPS 200
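
Review bot: On the added line `depends on (MODULE_SIG || !MODULES)`, the outer parentheses are redundant because the whole line is one expression; `depends on MODULE_SIG || !MODULES` reads the same, and parentheses can stay reserved for cases like the line above it, where they group an `||` inside an `&&`. The condition itself matches the commit message: MODULE_SIG is required only when MODULES is set. Because the dependency now has two cases, it is worth checking that the help text says module signing is required when module loading is enabled, if it does not already. The typos in the visible help context ("This options", "you want to system") are unrelated to this change and would be better fixed in a separate patch.
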
-- 
2.7.3

