From: Fedora Kernel Team kernel-team@fedoraproject.org
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
---
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE:
Allow obsolete cryptographic algorithms to be selected that have already been phased out from internal use by the kernel, and are only useful for userspace clients that still rely on them.
Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] Type : bool Defined at crypto/Kconfig:1915 Prompt: Enable obsolete cryptographic algorithms for userspace Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] Location: -> Cryptographic API (CRYPTO [=y])
---
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional Data. This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
---
Cc: Herbert Xu herbert.xu@redhat.com Cc: "David S. Miller" davem@redhat.com Cc: Ondrej Mosnacek omosnace@redhat.com Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org --- .../configs/common/generic/CONFIG_CRYPTO_SM2 | 1 + .../CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE | 1 + .../generic/CONFIG_CRYPTO_USER_API_RNG_CAVP | 1 + .../pending-common/generic/CONFIG_CRYPTO_SM2 | 23 ------------------- .../CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE | 17 -------------- .../generic/CONFIG_CRYPTO_USER_API_RNG_CAVP | 19 --------------- 6 files changed, 3 insertions(+), 59 deletions(-) create mode 100644 redhat/configs/common/generic/CONFIG_CRYPTO_SM2 create mode 100644 redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE create mode 100644 redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP delete mode 100644 redhat/configs/pending-common/generic/CONFIG_CRYPTO_SM2 delete mode 100644 redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE delete mode 100644 redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP
diff --git a/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 new file mode 100644 index 000000000000..0d8c1b551abf --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 @@ -0,0 +1 @@ +# CONFIG_CRYPTO_SM2 is not set diff --git a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE new file mode 100644 index 000000000000..21d316c28741 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y diff --git a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP new file mode 100644 index 000000000000..7826178972a9 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set diff --git a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/pending-common/generic/CONFIG_CRYPTO_SM2 deleted file mode 100644 index b577bb249279..000000000000 --- a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_SM2 +++ /dev/null @@ -1,23 +0,0 @@ -# CONFIG_CRYPTO_SM2: -# -# Generic implementation of the SM2 public key algorithm. It was -# published by State Encryption Management Bureau, China. -# as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. -# -# References: -# https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 -# http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml -# http://www.gmbz.org.cn/main/bzlb.html -# -# Symbol: CRYPTO_SM2 [=n] -# Type : tristate -# Defined at crypto/Kconfig:263 -# Prompt: SM2 algorithm -# Depends on: CRYPTO [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y] -# -# -# -# CONFIG_CRYPTO_SM2 is not set diff --git a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE deleted file mode 100644 index b8bda73dbf55..000000000000 --- a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE +++ /dev/null @@ -1,17 +0,0 @@ -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE: -# -# Allow obsolete cryptographic algorithms to be selected that have -# already been phased out from internal use by the kernel, and are -# only useful for userspace clients that still rely on them. -# -# Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] -# Type : bool -# Defined at crypto/Kconfig:1915 -# Prompt: Enable obsolete cryptographic algorithms for userspace -# Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -# -# -CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y diff --git a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP deleted file mode 100644 index 7e0c667a45ce..000000000000 --- a/redhat/configs/pending-common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP +++ /dev/null @@ -1,19 +0,0 @@ -# CONFIG_CRYPTO_USER_API_RNG_CAVP: -# -# This option enables extra API for CAVP testing via the user-space -# interface: resetting of DRBG entropy, and providing Additional Data. -# This should only be enabled for CAVP testing. You should say -# no unless you know what this is. -# -# Symbol: CRYPTO_USER_API_RNG_CAVP [=n] -# Type : bool -# Defined at crypto/Kconfig:1895 -# Prompt: Enable CAVP testing of DRBG -# Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
On Tue, Oct 13, 2020 at 9:40 PM GitLab Bridge on behalf of jeremycline cki-gitlab@redhat.com wrote:
From: Fedora Kernel Team kernel-team@fedoraproject.org
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
Looking at the current state of SM* configs in ARK, there seems to be some disconnect:
ark/generic/CONFIG_CRYPTO_SM3:# CONFIG_CRYPTO_SM3 is not set ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE:CONFIG_CRYPTO_SM3_ARM64_CE=m ark/generic/CONFIG_CRYPTO_SM4:# CONFIG_CRYPTO_SM4 is not set ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE:CONFIG_CRYPTO_SM4_ARM64_CE=m ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE:# CONFIG_CRYPTO_SM3_ARM64_CE is not set ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4:CONFIG_CRYPTO_SM4=m
Why is CONFIG_CRYPTO_SM4 enabled only on aarch64? Why is CONFIG_CRYPTO_SM3_ARM64_CE enabled, but CONFIG_CRYPTO_SM3 is not? These should be consolidated.
Herbert, what is your opinion? I guess we would like to have the Chinese algorithms enabled on ARK/RHEL? It seems very likely that some Chinese customers would want them.
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE:
Allow obsolete cryptographic algorithms to be selected that have already been phased out from internal use by the kernel, and are only useful for userspace clients that still rely on them.
Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] Type : bool Defined at crypto/Kconfig:1915 Prompt: Enable obsolete cryptographic algorithms for userspace Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] Location: -> Cryptographic API (CRYPTO [=y])
I'd be inclined to recommend disabling this (and the 4 corresponding configs - see [1]) in both Fedora and ARK. These somewhat obscure algorithms have no in-kernel users and it is very unlikely that they would be used from userspace (via dm-crypt/AF_ALG). Opinions?
[1] https://lore.kernel.org/linux-crypto/20200911141103.14832-1-ardb@kernel.org/
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional Data. This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
I don't know if this would be useful for some certification on RHEL, but probably can be left disabled.
(My 2 cents...)
On Tue, 2020-10-20 at 14:50 +0200, Ondrej Mosnacek wrote:
On Tue, Oct 13, 2020 at 9:40 PM GitLab Bridge on behalf of jeremycline cki-gitlab@redhat.com wrote:
From: Fedora Kernel Team kernel-team@fedoraproject.org
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
Looking at the current state of SM* configs in ARK, there seems to be some disconnect:
ark/generic/CONFIG_CRYPTO_SM3:# CONFIG_CRYPTO_SM3 is not set ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE:CONFIG_CRYPTO_SM3_ARM64_CE=m ark/generic/CONFIG_CRYPTO_SM4:# CONFIG_CRYPTO_SM4 is not set ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE:CONFIG_CRYPTO_SM4_ARM64_CE=m ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE:# CONFIG_CRYPTO_SM3_ARM64_CE is not set ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4:CONFIG_CRYPTO_SM4=m
Why is CONFIG_CRYPTO_SM4 enabled only on aarch64? Why is CONFIG_CRYPTO_SM3_ARM64_CE enabled, but CONFIG_CRYPTO_SM3 is not? These should be consolidated.
And shouldn't the *_ARM64_* configs be under generic/arm/aarch64 rather than generic? I don't see a need for CONFIG_CRYPTO_SM4 because all the platforms we care about will have the crypto enhancement (ARM64_CE) insns.
From: Herbert Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_43803915...
On Tue, Oct 20, 2020 at 02:50:15PM +0200, Ondrej Mosnacek wrote:
Looking at the current state of SM* configs in ARK, there seems to be some disconnect:
ark/generic/CONFIG_CRYPTO_SM3:# CONFIG_CRYPTO_SM3 is not set ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE:CONFIG_CRYPTO_SM3_ARM64_CE=m ark/generic/CONFIG_CRYPTO_SM4:# CONFIG_CRYPTO_SM4 is not set ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE:CONFIG_CRYPTO_SM4_ARM64_CE=m ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE:# CONFIG_CRYPTO_SM3_ARM64_CE is not set ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4:CONFIG_CRYPTO_SM4=m
Why is CONFIG_CRYPTO_SM4 enabled only on aarch64? Why is CONFIG_CRYPTO_SM3_ARM64_CE enabled, but CONFIG_CRYPTO_SM3 is not? These should be consolidated.
Herbert, what is your opinion? I guess we would like to have the Chinese algorithms enabled on ARK/RHEL? It seems very likely that some Chinese customers would want them.
I agree, setting these options all to m would make sense.
I'd be inclined to recommend disabling this (and the 4 corresponding configs - see [1]) in both Fedora and ARK. These somewhat obscure algorithms have no in-kernel users and it is very unlikely that they would be used from userspace (via dm-crypt/AF_ALG). Opinions?
crypto/20200911141103.14832-1-ardb@kernel.org/
Yes we should do that.
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional
Data.
This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] &&
CRYPTO_DRBG [=y]
Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator
algorithms (CRYPTO_USER_API_RNG [=y])
I don't know if this would be useful for some certification on RHEL, but probably can be left disabled.
Yes indeed.
Thanks,
From: Fedora Kernel Team kernel-team@fedoraproject.org
[redhat] New configs in crypto/Kconfig
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
---
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE:
Allow obsolete cryptographic algorithms to be selected that have already been phased out from internal use by the kernel, and are only useful for userspace clients that still rely on them.
Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] Type : bool Defined at crypto/Kconfig:1915 Prompt: Enable obsolete cryptographic algorithms for userspace Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] Location: -> Cryptographic API (CRYPTO [=y])
---
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional Data. This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
---
Cc: Herbert Xu herbert.xu@redhat.com Cc: "David S. Miller" davem@redhat.com Cc: Ondrej Mosnacek omosnace@redhat.com Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org
diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3 is not set diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3_ARM64_CE is not set diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM4=m diff a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS @@ -1 +1 @@ -CONFIG_CRYPTO_ANUBIS=m +# CONFIG_CRYPTO_ANUBIS is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 @@ -1 +1 @@ -CONFIG_CRYPTO_ARC4=m +# CONFIG_CRYPTO_ARC4 is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD --- a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD @@ -1 +1 @@ -CONFIG_CRYPTO_KHAZAD=m +# CONFIG_CRYPTO_KHAZAD is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED --- a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED @@ -1 +1 @@ -CONFIG_CRYPTO_SEED=m +# CONFIG_CRYPTO_SEED is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 @@ -0,0 +1 @@ +CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 diff a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA --- a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA @@ -1 +1 @@ -CONFIG_CRYPTO_TEA=m +# CONFIG_CRYPTO_TEA is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 +++ /dev/null @@ -1,23 +0,0 @@ -# CONFIG_CRYPTO_SM2: -# -# Generic implementation of the SM2 public key algorithm. It was -# published by State Encryption Management Bureau, China. -# as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. -# -# References: -# https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 -# http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml -# http://www.gmbz.org.cn/main/bzlb.html -# -# Symbol: CRYPTO_SM2 [=n] -# Type : tristate -# Defined at crypto/Kconfig:263 -# Prompt: SM2 algorithm -# Depends on: CRYPTO [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# Selects: CRYPTO_SM3 [=m] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y] -# -# -# -CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE +++ /dev/null @@ -1,17 +0,0 @@ -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE: -# -# Allow obsolete cryptographic algorithms to be selected that have -# already been phased out from internal use by the kernel, and are -# only useful for userspace clients that still rely on them. -# -# Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] -# Type : bool -# Defined at crypto/Kconfig:1915 -# Prompt: Enable obsolete cryptographic algorithms for userspace -# Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP +++ /dev/null @@ -1,19 +0,0 @@ -# CONFIG_CRYPTO_USER_API_RNG_CAVP: -# -# This option enables extra API for CAVP testing via the user-space -# interface: resetting of DRBG entropy, and providing Additional Data. -# This should only be enabled for CAVP testing. You should say -# no unless you know what this is. -# -# Symbol: CRYPTO_USER_API_RNG_CAVP [=n] -# Type : bool -# Defined at crypto/Kconfig:1895 -# Prompt: Enable CAVP testing of DRBG -# Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set diff a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/fedora/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM3_ARM64_CE=m
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698
From: CKI Bot on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_49165809...
Hi! This is the friendly CKI test bot.
It appears that you are not a member of redhat/red-hat-ci- tools/kernel/cki-runs/trusted-pipelines. This means that the CI pipeline on your MR will fail. As getting testing is important, I'll be responsible for testing your changes. After every MR change, I'll start a small testing pipeline and link it here so you can follow the results. I'll also create and link a pipeline for hardware testing that the reviewers can start to get extra test coverage.
From: CKI Bot on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_49165814...
Testing pipeline status: Basic testing pipeline:
https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki- runs/external-pipelines/-/pipelines/245458916 - created :hourglass_flowing_sand:
From: Fedora Kernel Team kernel-team@fedoraproject.org
[redhat] New configs in crypto/Kconfig
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
---
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE:
Allow obsolete cryptographic algorithms to be selected that have already been phased out from internal use by the kernel, and are only useful for userspace clients that still rely on them.
Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] Type : bool Defined at crypto/Kconfig:1915 Prompt: Enable obsolete cryptographic algorithms for userspace Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] Location: -> Cryptographic API (CRYPTO [=y])
---
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional Data. This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
---
Cc: Herbert Xu herbert.xu@redhat.com Cc: "David S. Miller" davem@redhat.com Cc: Ondrej Mosnacek omosnace@redhat.com Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org
diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3 is not set diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE b/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM4_ARM64_CE=m diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3_ARM64_CE is not set diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM4=m diff a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS @@ -1 +1 @@ -CONFIG_CRYPTO_ANUBIS=m +# CONFIG_CRYPTO_ANUBIS is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 @@ -1 +1 @@ -CONFIG_CRYPTO_ARC4=m +# CONFIG_CRYPTO_ARC4 is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD --- a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD @@ -1 +1 @@ -CONFIG_CRYPTO_KHAZAD=m +# CONFIG_CRYPTO_KHAZAD is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED --- a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED @@ -1 +1 @@ -CONFIG_CRYPTO_SEED=m +# CONFIG_CRYPTO_SEED is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 @@ -0,0 +1 @@ +CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 diff a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA --- a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA @@ -1 +1 @@ -CONFIG_CRYPTO_TEA=m +# CONFIG_CRYPTO_TEA is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE diff a/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE --- /dev/null +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE @@ -0,0 +1 @@ +# CONFIG_CRYPTO_SM4_ARM64_CE is not set diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 +++ /dev/null @@ -1,23 +0,0 @@ -# CONFIG_CRYPTO_SM2: -# -# Generic implementation of the SM2 public key algorithm. It was -# published by State Encryption Management Bureau, China. -# as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. -# -# References: -# https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 -# http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml -# http://www.gmbz.org.cn/main/bzlb.html -# -# Symbol: CRYPTO_SM2 [=n] -# Type : tristate -# Defined at crypto/Kconfig:263 -# Prompt: SM2 algorithm -# Depends on: CRYPTO [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# Selects: CRYPTO_SM3 [=m] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y] -# -# -# -CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE +++ /dev/null @@ -1,17 +0,0 @@ -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE: -# -# Allow obsolete cryptographic algorithms to be selected that have -# already been phased out from internal use by the kernel, and are -# only useful for userspace clients that still rely on them. -# -# Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] -# Type : bool -# Defined at crypto/Kconfig:1915 -# Prompt: Enable obsolete cryptographic algorithms for userspace -# Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP +++ /dev/null @@ -1,19 +0,0 @@ -# CONFIG_CRYPTO_USER_API_RNG_CAVP: -# -# This option enables extra API for CAVP testing via the user-space -# interface: resetting of DRBG entropy, and providing Additional Data. -# This should only be enabled for CAVP testing. You should say -# no unless you know what this is. -# -# Symbol: CRYPTO_USER_API_RNG_CAVP [=n] -# Type : bool -# Defined at crypto/Kconfig:1895 -# Prompt: Enable CAVP testing of DRBG -# Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698
From: CKI Bot on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_49166314...
Testing pipeline status: Basic testing pipeline:
https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki- runs/external-pipelines/-/pipelines/245461862 - created :hourglass_flowing_sand:
From: Fedora Kernel Team kernel-team@fedoraproject.org
[redhat] New configs in crypto/Kconfig
Hi,
As part of the ongoing rebase effort, the following configuration options need to be reviewed.
As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.
If the value for a file that is added should be changed, please reply with a better option.
CONFIG_CRYPTO_SM2:
Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012.
References: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml http://www.gmbz.org.cn/main/bzlb.html
Symbol: CRYPTO_SM2 [=n] Type : tristate Defined at crypto/Kconfig:263 Prompt: SM2 algorithm Depends on: CRYPTO [=y] Location: -> Cryptographic API (CRYPTO [=y]) Selects: CRYPTO_SM3 [=n] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y]
---
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE:
Allow obsolete cryptographic algorithms to be selected that have already been phased out from internal use by the kernel, and are only useful for userspace clients that still rely on them.
Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] Type : bool Defined at crypto/Kconfig:1915 Prompt: Enable obsolete cryptographic algorithms for userspace Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] Location: -> Cryptographic API (CRYPTO [=y])
---
CONFIG_CRYPTO_USER_API_RNG_CAVP:
This option enables extra API for CAVP testing via the user-space interface: resetting of DRBG entropy, and providing Additional Data. This should only be enabled for CAVP testing. You should say no unless you know what this is.
Symbol: CRYPTO_USER_API_RNG_CAVP [=n] Type : bool Defined at crypto/Kconfig:1895 Prompt: Enable CAVP testing of DRBG Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] Location: -> Cryptographic API (CRYPTO [=y]) -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y])
---
Cc: Herbert Xu herbert.xu@redhat.com Cc: "David S. Miller" davem@redhat.com Cc: Ondrej Mosnacek omosnace@redhat.com Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org
diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3 is not set diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE b/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM4_ARM64_CE=m diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_CRYPTO_SM3_ARM64_CE is not set diff a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 b/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_CRYPTO_SM4 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SM4=m diff a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ANUBIS @@ -1 +1 @@ -CONFIG_CRYPTO_ANUBIS=m +# CONFIG_CRYPTO_ANUBIS is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 --- a/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_ARC4 @@ -1 +1 @@ -CONFIG_CRYPTO_ARC4=m +# CONFIG_CRYPTO_ARC4 is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD --- a/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_KHAZAD @@ -1 +1 @@ -CONFIG_CRYPTO_KHAZAD=m +# CONFIG_CRYPTO_KHAZAD is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED --- a/redhat/configs/common/generic/CONFIG_CRYPTO_SEED +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SEED @@ -1 +1 @@ -CONFIG_CRYPTO_SEED=m +# CONFIG_CRYPTO_SEED is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM2 @@ -0,0 +1 @@ +CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM3 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM3 diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM4 +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_SM4 diff a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA --- a/redhat/configs/common/generic/CONFIG_CRYPTO_TEA +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_TEA @@ -1 +1 @@ -CONFIG_CRYPTO_TEA=m +# CONFIG_CRYPTO_TEA is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP @@ -0,0 +1 @@ +# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set diff a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SM3_ARM64_CE +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM3_ARM64_CE diff a/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE --- /dev/null +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE @@ -0,0 +1 @@ +# CONFIG_CRYPTO_SM4_ARM64_CE is not set diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SM2 +++ /dev/null @@ -1,23 +0,0 @@ -# CONFIG_CRYPTO_SM2: -# -# Generic implementation of the SM2 public key algorithm. It was -# published by State Encryption Management Bureau, China. -# as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. -# -# References: -# https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 -# http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml -# http://www.gmbz.org.cn/main/bzlb.html -# -# Symbol: CRYPTO_SM2 [=n] -# Type : tristate -# Defined at crypto/Kconfig:263 -# Prompt: SM2 algorithm -# Depends on: CRYPTO [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# Selects: CRYPTO_SM3 [=m] && CRYPTO_AKCIPHER [=y] && CRYPTO_MANAGER [=y] && MPILIB [=y] && ASN1 [=y] -# -# -# -CONFIG_CRYPTO_SM2=m diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE +++ /dev/null @@ -1,17 +0,0 @@ -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE: -# -# Allow obsolete cryptographic algorithms to be selected that have -# already been phased out from internal use by the kernel, and are -# only useful for userspace clients that still rely on them. -# -# Symbol: CRYPTO_USER_API_ENABLE_OBSOLETE [=y] -# Type : bool -# Defined at crypto/Kconfig:1915 -# Prompt: Enable obsolete cryptographic algorithms for userspace -# Depends on: CRYPTO [=y] && CRYPTO_USER_API [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set diff a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP b/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_USER_API_RNG_CAVP +++ /dev/null @@ -1,19 +0,0 @@ -# CONFIG_CRYPTO_USER_API_RNG_CAVP: -# -# This option enables extra API for CAVP testing via the user-space -# interface: resetting of DRBG entropy, and providing Additional Data. -# This should only be enabled for CAVP testing. You should say -# no unless you know what this is. -# -# Symbol: CRYPTO_USER_API_RNG_CAVP [=n] -# Type : bool -# Defined at crypto/Kconfig:1895 -# Prompt: Enable CAVP testing of DRBG -# Depends on: CRYPTO [=y] && CRYPTO_USER_API_RNG [=y] && CRYPTO_DRBG [=y] -# Location: -# -> Cryptographic API (CRYPTO [=y]) -# -> User-space interface for random number generator algorithms (CRYPTO_USER_API_RNG [=y]) -# -# -# -# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698
From: CKI Bot on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_49166525...
Testing pipeline status: Basic testing pipeline:
https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki- runs/external-pipelines/-/pipelines/245463193 - created :hourglass_flowing_sand:
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_49167321...
Hey Ondrej, Mark, Herbert,
I have pushed an update of this MR based upon the feedback. A lot of things moved around so please doublecheck the MR:
- CONFIG_CRYPTO_SM3=m is set. - CONFIG_CRYPTO_SM4 and CONFIG_CRYPTO_SM4_ARM64_CE are NOT set; they are left enabled as modules in fedora. - CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE and CONFIG_CRYPTO_{ANUBIS,ARC4,KHAZAD,SEED,TEA} are disabled everywhere EXCEPT they are all still enabled for s390x/zfcpdump. - CONFIG_CRYPTO_USER_API_RNG_CAVP is disabled everywhere.
@jmflinuxtx This will disable obsolete cryptographic algorithms for fedora as well. Currently they are enabled as modules. Let me know if this is not a change you want and I can enable them again specifically for fedora.
Thank you,
Patrick
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53770468...
(Sorry for the late reply...)
CONFIG_CRYPTO_SM4 and CONFIG_CRYPTO_SM4_ARM64_CE are NOT set; they are
left enabled as modules in fedora.
I thought we wanted both SM3 and SM4 as =m?
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE and
CONFIG_CRYPTO_{ANUBIS,ARC4,KHAZAD,SEED,TEA} are disabled everywhere EXCEPT they are all still enabled for s390x/zfcpdump.
I would say these should be needed even less on `s390x/zfcpdump` - I presume all crypto options were just overriden from =m to =y to avoid issues with auto loading or something... But I don't know enough about zfcpdump to know for sure. @dzickusrh would you happen to know who is the right SME for the zfcpdump kernel?
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53798936...
@dhorak1 - can you comment on the above?
From: Daniel Horak on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53801917...
We might want to double-check with Phillip (@prudo), he is our s390x kernel guy from IBM, but I believe it's safe to remove `CONFIG_CRYPTO_{ANUBIS,ARC4,KHAZAD,SEED,TEA}` from `s390x/zfcpdump`
On 3/25/21 12:10 PM, Daniel Horak (via Email Bridge) wrote:
From: Daniel Horak on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53801917...
We might want to double-check with Phillip (@prudo), he is our s390x kernel guy from IBM, but I believe it's safe to remove `CONFIG_CRYPTO_{ANUBIS,ARC4,KHAZAD,SEED,TEA}` from `s390x/zfcpdump` _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53804952...
@dhorak1 Thanks! @prudo1 should be the right handle :) Phillip, can you please check if removing the legacy crypto alg configs from the zfcpdump kernel is OK?
From: Philipp Rudo on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_53863381...
I don't see a reason for keeping them for the zfcpdump kernel. It should be safe to remove them.
BTW, I guess having CONFIG_MODULES disabled for the zfcpdump kernel is the reason why they were overridden to =y.
From: Ondrej Mosnáček on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_55056021...
@ptalbert Could you please apply the requested changes? (i.e. disable the obsolete crypto algs also under zfcpdump and enable the SM4 configs as modules also in ARK)
If someone sees a reason to set them differently, please speak up :)
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_55069497...
Sorry for the mix up.
Do we want SM2,3,4 enabled for zfcpdump builds? As pointed out by @prudo1 these have to be explicitly called out for s390x/zfsdump now that they are set as modules in common/generic.
I set them to enabled for V3:
v3: - CONFIG_CRYPTO_SM4 is set m. - CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE not defined for s390x/zfsdump. - CONFIG_CRYPTO_SM2,3,4 set to y for s390x/zfsdump. v2: - CONFIG_CRYPTO_SM3=m is set. - CONFIG_CRYPTO_SM4 and CONFIG_CRYPTO_SM4_ARM64_CE are NOT set; they are left enabled as modules in fedora. - CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE and CONFIG_CRYPTO_{ANUBIS,ARC4,KHAZAD,SEED,TEA} are disabled everywhere EXCEPT they are all still enabled for s390x/zfcpdump. - CONFIG_CRYPTO_USER_API_RNG_CAVP is disabled everywhere.
From: Mark Salter on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_55079514...
I think you also want to delete fedora/generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE it is already set =m by generic/arm/aarch64/CONFIG_CRYPTO_SM4_ARM64_CE.
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/698#note_55161509...
Done.
kernel@lists.fedoraproject.org
-
cki-gitlab@redhat.com -
Daniel Horak (via Email Bridge)
-
Don Zickus (via Email Bridge)
-
GitLab Bridge on behalf of Herbert Xu
-
GitLab Bridge on behalf of jeremycline
-
Jeremy Cline (via Email Bridge)
-
Mark Salter -
Mark Salter (via Email Bridge)
-
Ondrej Mosnacek -
Ondrej Mosnáček (via Email Bridge)
-
Patrick Talbert (via Email Bridge)
-
Philipp Rudo (via Email Bridge)
-
Prarit Bhargava