Hello,

I've never written a patch before to the official kernel mailing list (that I remember), so please forgive me if I didn't send this in properly. I've generated this using

    git format-patch HEAD~ --stdout &> kconfig_fix_for_fips.patch

and have attached the file in this email, gathering as much as I could from the Documentation/SubmittingPatches page.

A few more things: in the help option for CRYPTO_ANSI_CPRNG, it says it must be enabled if FIPS is selected, but in the dependencies for FIPS, if DRBG is selected, then CRYPTO_ANSI_CPRNG doesn't need to be enabled. Which one is true?

Secondly, in the help option for CRYPTO_DRBG_MENU, it says that one or more of the DRBG types must be selected. If this is indeed true, shouldn't the options within CRYPTO_DRBG_MENU be converted to choice/endchoice versus just booleans? One selection for CRYPTO_DRBG_HASH, another for CRYPTO_DRBG_CTR, and then a third option for both?

Should I submit patches for these as well? Feedback/thoughts?

Thank you!

Alec Ari
From 3f6b786edef09042ff78bc7b4d61fc5a8f8cf657 Mon Sep 17 00:00:00 2001 From: Alec Ari <neotheuser@xxxxxxxxx> Date: Wed, 14 Sep 2016 18:52:04 -0500 Subject: [PATCH] Fix Kconfig dependencies for FIPS Currently FIPS depends on MODULE_SIG, even if MODULES is disabled. This change allows the enabling of FIPS without support for modules. If module loading support is enabled, only then does FIPS require MODULE_SIG. Signed-off-by: Alec Ari <neotheuser@xxxxxxxxx> --- crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/Kconfig b/crypto/Kconfig index 84d7148..fd28805 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -24,7 +24,7 @@ comment "Crypto core or helper" config CRYPTO_FIPS bool "FIPS 200 compliance" depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS - depends on MODULE_SIG + depends on (MODULE_SIG || !MODULES) help This options enables the fips boot option which is required if you want to system to operate in a FIPS 200 -- 2.7.3
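Review bot: the help text under config CRYPTO_FIPS is left unchanged, so nothing tells the person configuring the kernel that module signing is still required whenever module loading is enabled; that condition now lives only in the new "depends on (MODULE_SIG || !MODULES)" line. Consider adding a sentence to the help block stating that MODULE_SIG is required when MODULES is set, so the intent of the relaxed dependency stays documented next to the option. The context lines of the same help text also read "This options enables" and "if you want to system", which could be corrected in the same patch or a follow-up. On the commit message, the subject "Fix Kconfig dependencies for FIPS" carries no subsystem prefix; for a change to crypto/Kconfig a "crypto:" prefix would make it easier to route and to find in the log.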