Re: [PATCH] crypto/fips: only panic on bad/missing crypto mod signatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jun 27, 2014 at 03:12:54PM -0400, Jarod Wilson wrote:
> Per further discussion with NIST, the requirements for FIPS state that
> we only need to panic the system on failed kernel module signature checks
> for crypto subsystem modules. This moves the fips-mode-only module
> signature check out of the generic module loading code, into the crypto
> subsystem, at points where we can catch both algorithm module loads and
> mode module loads. At the same time, make CONFIG_CRYPTO_FIPS dependent on
> CONFIG_MODULE_SIG, as this is entirely necessary for FIPS mode.
...
> --- a/crypto/algapi.c
> +++ b/crypto/algapi.c
...
> @@ -430,6 +436,12 @@ int crypto_register_template(struct crypto_template *tmpl)
>  
>  	down_write(&crypto_alg_sem);
>  
> +#ifdef CONFIG_CRYPTO_FIPS
> +	if (fips_enabled && tmpl->module && !tmpl->module->sig_ok)
> +		panic("Module %s signature verification failed in FIPS mode\n",
> +		      tmpl->module->name);
> +#endif
> +

Forgot to mention: the panic locations within the functions don't really
matter a whole lot right this moment, but Stephan pointed out the
possibility of a future FIPS standard that might not require a panic, thus
the crypto_register_template check being done after the down_write() so
that you could do a goto out; instead of a panic here and have things more
or less behave.

-- 
Jarod Wilson
jarod@xxxxxxxxxx

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux