On Mon, Jan 10, 2022 at 02:41:33PM -0500, Simo Sorce wrote:
> On Mon, 2022-01-10 at 19:44 +0100, Jason A. Donenfeld wrote:
> > On Mon, Jan 10, 2022 at 4:08 PM Marcelo Henrique Cerri
> > <marcelo.cerri@xxxxxxxxxxxxx> wrote:
> > > > Just to confirm, this little patch here gives you FIPS certification?
> > > It does
> >
> > On Mon, Jan 10, 2022 at 7:29 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> > > Now, the idea of certifying the whole kernel as a FIPS cryptographic module is
> > > stupid
>
> Not that it is not the whole kernel, but a "module boundary" is drawn
> around the crypto API and vicinity.
> It would be really nice if this whole "boundary" could be built as a
> single binary module to be loaded in the kernel in fips mode. That way
> we could update the rest of the kernel w/o rebuilding the module, but
> we are not there.

FWIW, the "FIPS module as a loadable kernel module" approach was implemented in
the Android kernel; grep for "fips140" in branch "android13-5.10" of
https://android.googlesource.com/kernel/common. It's a lot of work for nothing
IMO, but the FIPS certification lab being used is happy with the approach.

Note that random.c is outside of the FIPS module with this approach.

- Eric