diff options
| -rw-r--r-- | crypto/Kconfig | 1 | ||||
| -rw-r--r-- | crypto/algapi.c | 14 | ||||
| -rw-r--r-- | kernel/module.c | 4 |
3 files changed, 15 insertions, 4 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 025c5108442e..1dca374bbd82 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig | |||
| @@ -24,6 +24,7 @@ comment "Crypto core or helper" | |||
| 24 | config CRYPTO_FIPS | 24 | config CRYPTO_FIPS |
| 25 | bool "FIPS 200 compliance" | 25 | bool "FIPS 200 compliance" |
| 26 | depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS | 26 | depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS |
| 27 | depends on MODULE_SIG | ||
| 27 | help | 28 | help |
| 28 | This options enables the fips boot option which is | 29 | This options enables the fips boot option which is |
| 29 | required if you want to system to operate in a FIPS 200 | 30 | required if you want to system to operate in a FIPS 200 |
diff --git a/crypto/algapi.c b/crypto/algapi.c index 7a1ae87f1683..e8d3a7dca8c4 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c | |||
| @@ -41,8 +41,20 @@ static inline int crypto_set_driver_name(struct crypto_alg *alg) | |||
| 41 | return 0; | 41 | return 0; |
| 42 | } | 42 | } |
| 43 | 43 | ||
| 44 | static inline void crypto_check_module_sig(struct module *mod) | ||
| 45 | { | ||
| 46 | #ifdef CONFIG_CRYPTO_FIPS | ||
| 47 | if (fips_enabled && mod && !mod->sig_ok) | ||
| 48 | panic("Module %s signature verification failed in FIPS mode\n", | ||
| 49 | mod->name); | ||
| 50 | #endif | ||
| 51 | return; | ||
| 52 | } | ||
| 53 | |||
| 44 | static int crypto_check_alg(struct crypto_alg *alg) | 54 | static int crypto_check_alg(struct crypto_alg *alg) |
| 45 | { | 55 | { |
| 56 | crypto_check_module_sig(alg->cra_module); | ||
| 57 | |||
| 46 | if (alg->cra_alignmask & (alg->cra_alignmask + 1)) | 58 | if (alg->cra_alignmask & (alg->cra_alignmask + 1)) |
| 47 | return -EINVAL; | 59 | return -EINVAL; |
| 48 | 60 | ||
| @@ -430,6 +442,8 @@ int crypto_register_template(struct crypto_template *tmpl) | |||
| 430 | 442 | ||
| 431 | down_write(&crypto_alg_sem); | 443 | down_write(&crypto_alg_sem); |
| 432 | 444 | ||
| 445 | crypto_check_module_sig(tmpl->module); | ||
| 446 | |||
| 433 | list_for_each_entry(q, &crypto_template_list, list) { | 447 | list_for_each_entry(q, &crypto_template_list, list) { |
| 434 | if (q == tmpl) | 448 | if (q == tmpl) |
| 435 | goto out; | 449 | goto out; |
diff --git a/kernel/module.c b/kernel/module.c index 81e727cf6df9..ae79ce615cb9 100644 --- a/kernel/module.c +++ b/kernel/module.c | |||
| @@ -60,7 +60,6 @@ | |||
| 60 | #include <linux/jump_label.h> | 60 | #include <linux/jump_label.h> |
| 61 | #include <linux/pfn.h> | 61 | #include <linux/pfn.h> |
| 62 | #include <linux/bsearch.h> | 62 | #include <linux/bsearch.h> |
| 63 | #include <linux/fips.h> | ||
| 64 | #include <uapi/linux/module.h> | 63 | #include <uapi/linux/module.h> |
| 65 | #include "module-internal.h" | 64 | #include "module-internal.h" |
| 66 | 65 | ||
| @@ -2448,9 +2447,6 @@ static int module_sig_check(struct load_info *info) | |||
| 2448 | } | 2447 | } |
| 2449 | 2448 | ||
| 2450 | /* Not having a signature is only an error if we're strict. */ | 2449 | /* Not having a signature is only an error if we're strict. */ |
| 2451 | if (err < 0 && fips_enabled) | ||
| 2452 | panic("Module verification failed with error %d in FIPS mode\n", | ||
| 2453 | err); | ||
| 2454 | if (err == -ENOKEY && !sig_enforce) | 2450 | if (err == -ENOKEY && !sig_enforce) |
| 2455 | err = 0; | 2451 | err = 0; |
| 2456 | 2452 | ||