diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2022-06-21 12:13:53 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-06-21 12:13:53 -0500 |
commit | 86e37249b5ca705585e43e7259fd6f123b5ee600 (patch) | |
tree | 175f3a61b93fd0ea61a1f43c22733faf9dff0b52 /crypto/asymmetric_keys/Kconfig | |
parent | c63768861c255773e21b4de4e277b5badaac300b (diff) | |
parent | 041ec6e33d4823d79d56bf5f003ec0f42a7bff92 (diff) | |
download | linux-crypto-86e37249b5ca705585e43e7259fd6f123b5ee600.tar.gz linux-crypto-86e37249b5ca705585e43e7259fd6f123b5ee600.zip |
Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
Pull signature checking selftest from David Howells:
"The signature checking code, as used by module signing, kexec, etc.,
is non-FIPS compliant as there is no selftest.
For a kernel to be FIPS-compliant, signature checking would have to be
tested before being used, and the box would need to panic if it's not
available (probably reasonable as simply disabling signature checking
would prevent you from loading any driver modules).
Deal with this by adding a minimal test.
This is split into two patches: the first moves load_certificate_list()
to the same place as the X.509 code to make it more accessible
internally; the second adds a selftest"
* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
certs: Add FIPS selftests
certs: Move load_certificate_list() to be with the asymmetric keys code
Diffstat (limited to 'crypto/asymmetric_keys/Kconfig')
-rw-r--r-- | crypto/asymmetric_keys/Kconfig | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 460bc5d0..3df3fe4e 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -75,4 +75,14 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config FIPS_SIGNATURE_SELFTEST + bool "Run FIPS selftests on the X.509+PKCS7 signature verification" + help + This option causes some selftests to be run on the signature + verification code, using some built in data. This is required + for FIPS. + depends on KEYS + depends on ASYMMETRIC_KEY_TYPE + depends on PKCS7_MESSAGE_PARSER + endif # ASYMMETRIC_KEY_TYPE |