2 files changed, 15 insertions, 0 deletions

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 025c5108442e..1dca374bbd82 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -24,6 +24,7 @@ comment "Crypto core or helper"
 config CRYPTO_FIPS
         bool "FIPS 200 compliance"
         depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
+        depends on MODULE_SIG
         help
           This options enables the fips boot option which is
           required if you want to system to operate in a FIPS 200
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 7a1ae87f1683..e8d3a7dca8c4 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -41,8 +41,20 @@ static inline int crypto_set_driver_name(struct crypto_alg *alg)
         return 0;
 }
 
+static inline void crypto_check_module_sig(struct module *mod)
+{
+#ifdef CONFIG_CRYPTO_FIPS
+        if (fips_enabled && mod && !mod->sig_ok)
+                panic("Module %s signature verification failed in FIPS mode\n",
+                      mod->name);
+#endif
+        return;
+}
+
 static int crypto_check_alg(struct crypto_alg *alg)
 {
+        crypto_check_module_sig(alg->cra_module);
+
         if (alg->cra_alignmask & (alg->cra_alignmask + 1))
                 return -EINVAL;
 
@@ -430,6 +442,8 @@ int crypto_register_template(struct crypto_template *tmpl)
 
         down_write(&crypto_alg_sem);
 
+        crypto_check_module_sig(tmpl->module);
+
         list_for_each_entry(q, &crypto_template_list, list) {
                 if (q == tmpl)
                         goto out;