[PATCH] crypto: jitter - panic on runtime health test failures in FIPS mode
From: Vladis Dronov
Date: 2023-03-08 17:02 UTC
To: Herbert Xu, David S. Miller, Stephan Mueller
Cc: Nicolai Stange, linux-crypto, linux-kernel, Vladis Dronov

A FIPS certification lab has noted that the kernel doesn't go into an error
state upon failure of the RCT and APT health tests. Add a panic() call
in FIPS mode to jent_kcapi_random().

This partially reverts b454fb702515 ("crypto: jitter - don't limit
->health_failure check to FIPS mode").

Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
 crypto/jitterentropy-kcapi.c | 8 ++++++++
 crypto/jitterentropy.h       | 1 +
 2 files changed, 9 insertions(+)

diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 2d115bec15ae..9c692119d926 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -37,6 +37,7 @@
  * DAMAGE.
  */
 
+#include <linux/fips.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/slab.h>
@@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
 	kfree_sensitive(ptr);
 }
 
+int jent_fips_enabled(void)
+{
+	return fips_enabled;
+}
+
 void jent_panic(char *s)
 {
 	panic("%s", s);
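Review bot: jent_fips_enabled() added in this hunk, together with its prototype in jitterentropy.h, is only ever called from jent_kcapi_random() in this same file, which now includes <linux/fips.h> and could test fips_enabled directly. The existing wrappers around it (jent_zalloc, jent_zfree, jent_panic) exist so that jitterentropy.c can use kernel services without kernel headers; a wrapper that jitterentropy.c never calls gains nothing. Either write `if (fips_enabled)` at the call site and drop the wrapper and the header declaration, or state in the commit message that a follow-up will call it from jitterentropy.c.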
@@ -140,6 +146,8 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
 
 	/* Return a permanent error in case we had too many resets in a row. */
 	if (rng->reset_cnt > (1<<10)) {
+		if (jent_fips_enabled())
+			jent_panic("jitterentropy: Too many RCT/APT health test failures\n");
 		ret = -EFAULT;
 		goto out;
 	}
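Review bot: the panic is reached only once rng->reset_cnt exceeds 1<<10, i.e. after more than a thousand consecutive reinitialisations; an individual RCT or APT failure still resets and retries silently in FIPS mode. If the lab expects an error state on a health-test failure as such, this hunk does not provide that, and the commit message should say which of the two behaviours is intended. The comment above the check (`Return a permanent error in case we had too many resets in a row.`) should also be extended to say that in FIPS mode the outcome is a panic rather than -EFAULT.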
diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h
index b7397b617ef0..c83fff32d130 100644
--- a/crypto/jitterentropy.h
+++ b/crypto/jitterentropy.h
@@ -2,6 +2,7 @@
 
 extern void *jent_zalloc(unsigned int len);
 extern void jent_zfree(void *ptr);
+extern int jent_fips_enabled(void);
 extern void jent_panic(char *s);
 extern void jent_memcpy(void *dest, const void *src, unsigned int n);
 extern void jent_get_nstime(__u64 *out);
-- 
2.39.2
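
The RCT and APT the commit message refers to are the SP 800-90B continuous health tests (repetition count test and adaptive proportion test), and the lab's point is that a failure must leave the module in an error state that is not silently cleared. As an added example, not part of the patch and not the kernel's jitterentropy code, here is a stand-alone model of both tests with a sticky error state, driven by constructed sample streams. It assumes cutoffs derived from SP 800-90B section 4.4 for H = 1 bit of min-entropy per sample and a false-positive rate of 2^-30; the names RCT_CUTOFF, APT_WINDOW, APT_CUTOFF, health_ctx and health_feed, and all input data, are this example's own and not the kernel's:

```c
/* Added example, not the patch's or the kernel's code: SP 800-90B RCT/APT
 * health tests with a sticky error state. Cutoffs assume H = 1 bit/sample and
 * alpha = 2^-30 (SP 800-90B 4.4.1/4.4.2); every input stream is constructed. */
#include <stdint.h>
#include <stdio.h>

#define RCT_CUTOFF 31   /* 4.4.1: C = 1 + ceil(30 / H) with H = 1 */
#define APT_WINDOW 512  /* 4.4.2: W = 512 for non-binary samples */
#define APT_CUTOFF 325  /* 4.4.2 table: W = 512, H = 1, alpha = 2^-30 */

enum health_state { HEALTH_OK = 0, HEALTH_ERROR = 1 };
struct health_ctx {
	uint8_t rct_last;        /* RCT: previous sample */
	unsigned rct_count;      /* RCT: current run length of equal samples */
	uint8_t apt_base;        /* APT: first sample of the current window */
	unsigned apt_pos;        /* APT: samples consumed in the window */
	unsigned apt_count;      /* APT: occurrences of apt_base in the window */
	enum health_state state; /* sticky: once HEALTH_ERROR, never cleared */
};

/* Feed one noise-source sample; returns the health state afterwards. */
static enum health_state health_feed(struct health_ctx *hc, uint8_t sample)
{
	if (hc->state == HEALTH_ERROR)
		return HEALTH_ERROR;            /* the error state is permanent */

	/* RCT: RCT_CUTOFF consecutive identical samples is a failure. */
	if (hc->rct_count == 0 || sample != hc->rct_last) {
		hc->rct_last = sample;
		hc->rct_count = 1;
	} else if (++hc->rct_count >= RCT_CUTOFF) {
		return hc->state = HEALTH_ERROR;
	}

	/* APT: APT_CUTOFF copies of the window's first sample is a failure. */
	if (hc->apt_pos == 0) {
		hc->apt_base = sample;
		hc->apt_count = 0;
	}
	hc->apt_count += (sample == hc->apt_base);
	hc->apt_pos = (hc->apt_pos + 1) % APT_WINDOW;   /* 0 opens a new window */
	if (hc->apt_count >= APT_CUTOFF)
		return hc->state = HEALTH_ERROR;
	return HEALTH_OK;
}

/* Constructed healthy-looking stream (top byte of an LCG): no long runs and
 * no dominant value, so neither test fires in 4096 samples. */
static enum health_state demo_healthy(void)
{
	struct health_ctx hc = { 0 };
	uint32_t x = 0x12345678u;
	for (int i = 0; i < 4096; i++) {
		x = x * 1664525u + 1013904223u;
		health_feed(&hc, (uint8_t)(x >> 24));
	}
	return hc.state;
}

/* Constructed stuck source: returns the sample index at which the RCT trips. */
static int rct_trip_index(void)
{
	struct health_ctx hc = { 0 };
	for (int i = 0; i < 100; i++)
		if (health_feed(&hc, 0x5a) == HEALTH_ERROR)
			return i;
	return -1;
}

/* Constructed biased source, two zero samples per varying one: runs stay
 * short (RCT quiet) but zeros dominate the window, so the APT trips. */
static int apt_trip_index(void)
{
	struct health_ctx hc = { 0 };
	for (int i = 0; i < 2048; i++) {
		uint8_t v = (i % 3 == 2) ? (uint8_t)(0x80 | (i & 0x7f)) : 0x00;
		if (health_feed(&hc, v) == HEALTH_ERROR)
			return i;
	}
	return -1;
}

/* Once in the error state, healthy input must not clear it. */
static enum health_state demo_sticky(void)
{
	struct health_ctx hc = { 0 };
	for (int i = 0; i < 40; i++)
		health_feed(&hc, 0x5a);                    /* trips the RCT */
	for (int i = 0; i < 1000; i++)
		health_feed(&hc, (uint8_t)(i * 37 + 11));  /* good data again */
	return hc.state;
}

int main(void)
{
	printf("healthy=%d rct_trip=%d apt_trip=%d sticky=%d\n", demo_healthy(),
	       rct_trip_index(), apt_trip_index(), demo_sticky());
	return 0;
}
```

health_feed() reports HEALTH_ERROR on the 31st identical sample (index 30) and, for the biased stream, as soon as 325 copies of the window's first value have accumulated (index 486), while the LCG stream never trips either test. The function that matters for the lab's finding is the last one: once the state is set, good input does not clear it. The patch enforces the same idea for the kernel by panicking in FIPS mode instead of returning -EFAULT, which halts the whole system rather than just failing the read.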