fips: only install FIPS-compliant crypto modules

Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.

Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).
Ondrej Mosnacek 2018-06-08 13:38:34 +02:00 committed by Harald Hoyer
parent f4d34357c0
commit cec0d04112
1 changed files with 4 additions and 11 deletions


@ -19,22 +19,15 @@ installkernel() {
_fipsmodules=""

# Hashes:
_fipsmodules+="md4 md5 sha1 sha224 sha256 sha384 sha512 michael_mic "
_fipsmodules+="crc32c crct10dif wp256 wp384 wp512 tgr128 tgr160 tgr192 "
_fipsmodules+="rmd128 rmd160 rmd256 rmd320 ghash sm3 "
_fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
_fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
_fipsmodules+="crc32c crct10dif ghash "

# Ciphers:
_fipsmodules+="cipher_null des des3_ede blowfish twofish serpent aes "
_fipsmodules+="cast5 cast6 tea xtea khazad tnepres anubis xeta fcrypt "
_fipsmodules+="camellia seed sm4 "

# Block/stream ciphers:
_fipsmodules+="arc4 salsa20 "
_fipsmodules+="cipher_null des3_ede aes "

# Modes/templates:
_fipsmodules+="ecb cbc ctr lrw xts pcbc xcbc gcm ccm cts authenc "
_fipsmodules+="hmac vmac cmac "
_fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "

# Compression algs:
_fipsmodules+="deflate lzo zlib "
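
Review bot: The shortened lists under "# Hashes:", "# Ciphers:" and "# Modes/templates:" are hard-coded with no comment saying which kernel's FIPS-allowed set they were derived from, so they can drift silently when that set changes. Add a comment above `_fipsmodules=""` naming the source and the kernel version it was checked against; the commit message mentions only a Fedora 28 x86_64 boot with fips=1. It would also help to say in a line why `cipher_null`, `crc32c` and `crct10dif` stay while `lrw`, `pcbc`, `xcbc`, `cts` and `vmac` no longer appear on the modes line, since anything not listed here is no longer installed, and to confirm that the new `sha3-224 sha3-256 sha3-384 sha3-512` entries resolve to installable modules the same way the existing names do.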