From: Herbert Xu on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_43803...
On Tue, Oct 20, 2020 at 02:50:15PM +0200, Ondrej Mosnacek wrote:
> Looking at the current state of SM* configs in ARK, there seems to be
> some disconnect:
>
> ark/generic/CONFIG_CRYPTO_SM3:# CONFIG_CRYPTO_SM3 is not set
> ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE:CONFIG_CRYPTO_SM3_ARM64_CE=m
> ark/generic/CONFIG_CRYPTO_SM4:# CONFIG_CRYPTO_SM4 is not set
> ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE:CONFIG_CRYPTO_SM4_ARM64_CE=m
> ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE:# CONFIG_CRYPTO_SM3_ARM64_CE is not set
> ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4:CONFIG_CRYPTO_SM4=m
>
> Why is CONFIG_CRYPTO_SM4 enabled only on aarch64? Why is
> CONFIG_CRYPTO_SM3_ARM64_CE enabled, but CONFIG_CRYPTO_SM3 is not?
> These should be consolidated.
>
> Herbert, what is your opinion? I guess we would like to have the
> Chinese algorithms enabled on ARK/RHEL? It seems very likely that some
> Chinese customers would want them.
I agree, setting these options all to m would make sense.
> I'd be inclined to recommend disabling this (and the 4 corresponding
> configs - see [1]) in both Fedora and ARK. These somewhat obscure
> algorithms have no in-kernel users and it is very unlikely that they
> would be used from userspace (via dm-crypt/AF_ALG). Opinions?
>
> [1] https://lore.kernel.org/linux-crypto/20200911141103.14832-1-ardb(a)kernel.org/
Yes we should do that.
> > CONFIG_CRYPTO_USER_API_RNG_CAVP:
> >
> > This option enables extra API for CAVP testing via the user-space
> > interface: resetting of DRBG entropy, and providing Additional Data.
> > This should only be enabled for CAVP testing. You should say
> > no unless you know what this is.
> >
> > Symbol: CRYPTO_USER_API_RNG_CAVP [=n]
> > Type : bool
> > Defined at crypto/Kconfig:1895
> > Prompt: Enable CAVP testing of DRBG
> > Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y]
> > Location:
> > -> Cryptographic API (CRYPTO [=y])
> > -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
> I don't know if this would be useful for some certification on RHEL,
> but probably can be left disabled.
Yes indeed.
Thanks,