From: Herbert Xu on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304
NOTE: Truncated patchset since committer email 'herbert@gondor.apana.org.au' does not match the submitter's GitLab public email address 'herbert.xu@redhat.com'.
Upstream: RHEL only
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1984784
The RHEL FIPS certification effort ran into a show-stopper with /dev/urandom and getrandom(2) not being FIPS-compliant. At this point there is no realistic chance of making them FIPS-compliant upstream. It has also been deemed unrealistic to change user-space to use the FIPS-compliant RNG through the Crypto API.
Therefore this patch series overrides /dev/*random as well as getrandom(2) with the Crypto API RNG so that FIPS certification can proceed.
Signed-off-by: Herbert Xu herbert.xu@redhat.com
---
 crypto/rng.c           |  73 ++++++++++++++++++++++++++++++-
 drivers/char/random.c  | 115 +++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/random.h |   7 ++
 3 files changed, 194 insertions(+), 1 deletions(-)
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304#note_6484998...
OK, works for me.
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304#note_6485000...
Acked-by: Ondrej Mosnáček omosnace@redhat.com (via approve button)
From: Sanjib Das on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304#note_2322466...
Hi All, I would like to request some additional information. Is this patch applicable to only RHEL, or do other flavors also require this to secure FIPS certification successfully?
Regardless of the above query, I just tried to patch this on a vanilla 5.10 kernel (kernel.org), but I found a context mismatch. Lines surrounding the new changes do not match the current state of the file (for example, drivers/char/random.c). New/different APIs are used in the file_operations structure function pointer initialization (just an example). Is there any patch available for kernel 5.10? If the answer is NO, is it safe to patch manually in the 5.10 kernel (assuming the issue is common across all Linux flavors)?
Thanking you in advance. Sanjib
kernel@lists.fedoraproject.org