crypto: fips - make proc files report fips module name and version
authorVladis Dronov <vdronov@redhat.com>
Fri, 8 Jul 2022 12:33:13 +0000 (14:33 +0200)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 15 Jul 2022 08:43:22 +0000 (16:43 +0800)
FIPS 140-3 introduced a requirement for the FIPS module to return
information about itself, specifically a name and a version. These
values must match the values reported on FIPS certificates.

This patch adds two files to read a name and a version from:

/proc/sys/crypto/fips_name
/proc/sys/crypto/fips_version

v2: removed redundant parentheses in config entries.
v3: move FIPS_MODULE_* defines to fips.c where they are used.
v4: restore the utsrelease.h inclusion

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/Kconfig
crypto/fips.c

index 7d98a2b..54bdcf2 100644 (file)
@@ -33,6 +33,27 @@ config CRYPTO_FIPS
          certification.  You should say no unless you know what
          this is.
 
+config CRYPTO_FIPS_NAME
+       string "FIPS Module Name"
+       default "Linux Kernel Cryptographic API"
+       depends on CRYPTO_FIPS
+       help
+         This option sets the FIPS Module name reported by the Crypto API via
+         the /proc/sys/crypto/fips_name file.
+
+config CRYPTO_FIPS_CUSTOM_VERSION
+       bool "Use Custom FIPS Module Version"
+       depends on CRYPTO_FIPS
+       default n
+
+config CRYPTO_FIPS_VERSION
+       string "FIPS Module Version"
+       default "(none)"
+       depends on CRYPTO_FIPS_CUSTOM_VERSION
+       help
+         This option provides the ability to override the FIPS Module Version.
+         By default the KERNELRELEASE value is used.
+
 config CRYPTO_ALGAPI
        tristate
        select CRYPTO_ALGAPI2
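Review bot: CRYPTO_CRYPTO_FIPS_CUSTOM_VERSION is the only new entry without a help text, and it is the one that decides whether the reported version comes from the kernel release or from a configured string, so a reader of menuconfig has no guidance on when to enable it. A short help block should state that enabling it replaces the KERNELRELEASE-derived version in /proc/sys/crypto/fips_version with the CRYPTO_FIPS_VERSION string, and that this string must match the version on the FIPS certificate. It is also worth saying in the CRYPTO_FIPS_VERSION help that the default "(none)" is a placeholder which will be reported verbatim if the option is enabled but left unset, since the commit message requires the reported values to match the certificate exactly. The same "must match the FIPS certificate" caveat would fit the CRYPTO_FIPS_NAME help, which currently only names the proc file.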
index 7b1d8ca..b05d3c7 100644 (file)
@@ -12,6 +12,7 @@
 #include <linux/kernel.h>
 #include <linux/sysctl.h>
 #include <linux/notifier.h>
+#include <generated/utsrelease.h>
 
 int fips_enabled;
 EXPORT_SYMBOL_GPL(fips_enabled);
@@ -30,13 +31,37 @@ static int fips_enable(char *str)
 
 __setup("fips=", fips_enable);
 
+#define FIPS_MODULE_NAME CONFIG_CRYPTO_FIPS_NAME
+#ifdef CONFIG_CRYPTO_FIPS_CUSTOM_VERSION
+#define FIPS_MODULE_VERSION CONFIG_CRYPTO_FIPS_VERSION
+#else
+#define FIPS_MODULE_VERSION UTS_RELEASE
+#endif
+
+static char fips_name[] = FIPS_MODULE_NAME;
+static char fips_version[] = FIPS_MODULE_VERSION;
+
 static struct ctl_table crypto_sysctl_table[] = {
        {
-               .procname       = "fips_enabled",
-               .data           = &fips_enabled,
-               .maxlen         = sizeof(int),
-               .mode           = 0444,
-               .proc_handler   = proc_dointvec
+               .procname       = "fips_enabled",
+               .data           = &fips_enabled,
+               .maxlen         = sizeof(int),
+               .mode           = 0444,
+               .proc_handler   = proc_dointvec
+       },
+       {
+               .procname       = "fips_name",
+               .data           = &fips_name,
+               .maxlen         = 64,
+               .mode           = 0444,
+               .proc_handler   = proc_dostring
+       },
+       {
+               .procname       = "fips_version",
+               .data           = &fips_version,
+               .maxlen         = 64,
+               .mode           = 0444,
+               .proc_handler   = proc_dostring
        },
        {}
 };
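Review bot: The two new ctl_table entries use a hard-coded `.maxlen = 64` that is unrelated to the backing arrays `fips_name[]` and `fips_version[]`, whose sizes are fixed by their string initializers; proc_dostring clamps the read to maxlen, so a CONFIG_CRYPTO_FIPS_NAME or CONFIG_CRYPTO_FIPS_VERSION string longer than the limit would be silently truncated in /proc, defeating the stated requirement that the values match the certificate exactly. Tie the limit to the array instead: `.maxlen = sizeof(fips_name),` and `.maxlen = sizeof(fips_version),`. Both entries are mode 0444, so the write path of proc_dostring should not be reachable here, but deriving maxlen from sizeof also removes any bounds concern if the mode were ever relaxed. The re-indentation of the pre-existing fips_enabled entry is whitespace-only churn that would be cleaner as a separate patch.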