Message ID | 1471301139-28702-1-git-send-email-k.marinushkin@gmail.com (mailing list archive) |
---|---|
State | New, archived |
On Tuesday, 16 August 2016, 00:45:39 CEST, Kirill Marinushkin wrote:
Hi Kirill,
> + select CRYPTO_ANSI_CPRNG
This change enables the RNG which will not pass FIPS testing any more. Hence,
this selection could cause an issue in FIPS mode (i.e. booting the kernel with
fips=1).
May I suggest CRYPTO_DRBG?
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
> May I suggest CRYPTO_DRBG?
Hello Ciao,
Thanks for your proposal. I submitted the PATCH v2 where I use
CRYPTO_RNG_DEFAULT the same way it is used in crypto/Kconfig.
It solves the issue, too. In addition, it selects CRYPTO_DRBG_MENU,
which is a more universal use-case, as I understood from your comment.
Best Regards,
Kirill
diff --git a/security/keys/Kconfig b/security/keys/Kconfig index f826e87..8213221 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -44,7 +44,7 @@ config BIG_KEYS select CRYPTO select CRYPTO_AES select CRYPTO_ECB - select CRYPTO_RNG + select CRYPTO_ANSI_CPRNG help This option provides support for holding large keys within the kernel (for example Kerberos ticket caches). The data may be stored out to
Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com> --- security/keys/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
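Review bot: the `select CRYPTO_ANSI_CPRNG` line in the BIG_KEYS hunk ties the option to one specific RNG implementation, where the removed line selected only the generic CRYPTO_RNG interface, and the reply in this thread points out that this RNG will not pass FIPS testing, so a kernel booted with fips=1 could be affected. Consider leaving the choice of generator out of this Kconfig entry, for example by selecting CRYPTO_RNG_DEFAULT as the v2 mentioned in the thread does. The patch as shown also carries only a Signed-off-by line; a commit message body stating what fails with `select CRYPTO_RNG` alone would let reviewers judge whether the replacement is the right fix.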