Message ID | 20220627195144.976741-1-vdronov@redhat.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Herbert Xu |
Series | [v3] crypto: fips - make proc files report fips module name and version |
On Mon, Jun 27, 2022 at 09:51:44PM +0200, Vladis Dronov wrote: > > diff --git a/crypto/fips.c b/crypto/fips.c > index 7b1d8caee669..d820f83cb878 100644 > --- a/crypto/fips.c > +++ b/crypto/fips.c > @@ -30,13 +30,37 @@ static int fips_enable(char *str) > > __setup("fips=", fips_enable); > > +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME > +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION > +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION > +#else > +#define FIPS_MODULE_VERSION UTS_RELEASE > +#endif > + > +static char fips_name[] = FIPS_MODULE_NAME; > +static char fips_version[] = FIPS_MODULE_VERSION; This doesn't compile for me because you need to include generated/utsrelease.h. Cheers,
Hi, Herbert, On Fri, Jul 8, 2022 at 10:27 AM Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Mon, Jun 27, 2022 at 09:51:44PM +0200, Vladis Dronov wrote: > > > > diff --git a/crypto/fips.c b/crypto/fips.c > > index 7b1d8caee669..d820f83cb878 100644 > > --- a/crypto/fips.c > > +++ b/crypto/fips.c > > @@ -30,13 +30,37 @@ static int fips_enable(char *str) > > > > __setup("fips=", fips_enable); > > > > +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME > > +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION > > +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION > > +#else > > +#define FIPS_MODULE_VERSION UTS_RELEASE > > +#endif > > + > > +static char fips_name[] = FIPS_MODULE_NAME; > > +static char fips_version[] = FIPS_MODULE_VERSION; > > This doesn't compile for me because you need to include > generated/utsrelease.h. Dang, it does not build now indeed. I'm not sure how my previous build succeeded so I've assumed utsrelease.h is included in fips.c via some other .h file. I've posted v4 to this same thread below, it just adds the "#include <generated/utsrelease.h>" line. I'm sorry for the noise. Best regards, Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
diff --git a/crypto/Kconfig b/crypto/Kconfig index 1d44893a997b..3891c331f2e7 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -33,6 +33,27 @@ config CRYPTO_FIPS certification. You should say no unless you know what this is. +config CRYPTO_FIPS_NAME + string "FIPS Module Name" + default "Linux Kernel Cryptographic API" + depends on CRYPTO_FIPS + help + This option sets the FIPS Module name reported by the Crypto API via + the /proc/sys/crypto/fips_name file. + +config CRYPTO_FIPS_CUSTOM_VERSION + bool "Use Custom FIPS Module Version" + depends on CRYPTO_FIPS + default n + +config CRYPTO_FIPS_VERSION + string "FIPS Module Version" + default "(none)" + depends on CRYPTO_FIPS_CUSTOM_VERSION + help + This option provides the ability to override the FIPS Module Version. + By default the KERNELRELEASE value is used. + config CRYPTO_ALGAPI tristate select CRYPTO_ALGAPI2 diff --git a/crypto/fips.c b/crypto/fips.c index 7b1d8caee669..d820f83cb878 100644 --- a/crypto/fips.c +++ b/crypto/fips.c @@ -30,13 +30,37 @@ static int fips_enable(char *str) __setup("fips=", fips_enable); +#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME +#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION +#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION +#else +#define FIPS_MODULE_VERSION UTS_RELEASE +#endif + +static char fips_name[] = FIPS_MODULE_NAME; +static char fips_version[] = FIPS_MODULE_VERSION; + static struct ctl_table crypto_sysctl_table[] = { { - .procname = "fips_enabled", - .data = &fips_enabled, - .maxlen = sizeof(int), - .mode = 0444, - .proc_handler = proc_dointvec + .procname = "fips_enabled", + .data = &fips_enabled, + .maxlen = sizeof(int), + .mode = 0444, + .proc_handler = proc_dointvec + }, + { + .procname = "fips_name", + .data = &fips_name, + .maxlen = 64, + .mode = 0444, + .proc_handler = proc_dostring + }, + { + .procname = "fips_version", + .data = &fips_version, + .maxlen = 64, + .mode = 0444, + .proc_handler = proc_dostring }, {} };
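Review bot: CRYPTO_FIPS_CUSTOM_VERSION in the crypto/Kconfig hunk has no help text, so the prompt "Use Custom FIPS Module Version" is the only documentation of what enabling it changes. Add a help block saying that it makes the fips_version proc file report the CRYPTO_FIPS_VERSION string instead of the kernel release, and have the CRYPTO_FIPS_VERSION help name the /proc/sys/crypto/fips_version file the way the CRYPTO_FIPS_NAME help names fips_name. The `default n` line can be dropped, since a bool with no default is already n. With the custom option enabled and CRYPTO_FIPS_VERSION left at its default, the file will report "(none)", so the help should say that a value is expected.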
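Review bot: `.maxlen = 64` in the two new crypto_sysctl_table entries of the crypto/fips.c hunk is not tied to the buffers it describes, because fips_name[] and fips_version[] are sized by their initializers (CONFIG_CRYPTO_FIPS_NAME, and CONFIG_CRYPTO_FIPS_VERSION or UTS_RELEASE). A configured string longer than 64 bytes would be cut off when read through proc_dostring, and for a shorter one maxlen overstates the array size; `.maxlen = sizeof(fips_name)` and `.maxlen = sizeof(fips_version)` keep the two in step. The hunk also uses UTS_RELEASE without adding `#include <generated/utsrelease.h>`, which is the build failure reported in the thread.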