From: Hangbin Liu haliu@redhat.com
wireguard: disable in FIPS mode
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940794
Upstream: RHEL Only
As the cryptos (BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not FIPS certified, the WireGuard module should be disabled in FIPS mode.
Signed-off-by: Hangbin Liu haliu@redhat.com
diff a/drivers/net/wireguard/main.c b/drivers/net/wireguard/main.c --- a/drivers/net/wireguard/main.c +++ b/drivers/net/wireguard/main.c @@ -12,6 +12,7 @@
#include <uapi/linux/wireguard.h>
+#include <linux/fips.h> #include <linux/init.h> #include <linux/module.h> #include <linux/genetlink.h> @@ -21,6 +22,11 @@ static int __init mod_init(void) { int ret;
+#ifdef CONFIG_RHEL_DIFFERENCES + if (fips_enabled) + return -EPERM; +#endif + #ifdef DEBUG if (!wg_allowedips_selftest() || !wg_packet_counter_selftest() || !wg_ratelimiter_selftest())
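Review bot: The new `if (fips_enabled) return -EPERM;` in mod_init() refuses the load silently, so an administrator on a FIPS-enabled host only sees modprobe fail with "Operation not permitted" and has to guess why; a `pr_info("wireguard: not available in FIPS mode\n")` (or similar) before the return would make the refusal self-explanatory in dmesg, and the -EPERM value itself is worth reconsidering since, as noted in the thread, that errno is also what a policy denial produces, whereas -EOPNOTSUPP states that the functionality is unsupported rather than forbidden. The placement is otherwise sound: the check runs before the DEBUG selftests and before any of the later init steps, so nothing is allocated or registered that would need unwinding, and the added `#include <linux/fips.h>` is correct for `fips_enabled` (the header falls back to a constant 0 when CONFIG_CRYPTO_FIPS is off, so the build stays clean either way). Wrapping the block in CONFIG_RHEL_DIFFERENCES matches "Upstream: RHEL Only" in the commit message.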
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/994
From: Hangbin Liu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/994#note_54308821...
@jbencrh @sdubroca @marcelo.leitner would you please help review? Thanks!
From: Marcelo Ricardo Leitner on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/994#note_54335170...
Considering this will be visible to the user that tries to load the module, EPERM can be misleading. It can mean that a SELinux policy is blocking it (EPERM and EACCES are used there AFAIK), for example. What about using -EOPNOTSUPP?
From: Hangbin Liu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/994#note_54643329...
@marcelo.leitner Sorry, I set the notification to only mentioned. I have updated the patch. Please help review.
kernel@lists.fedoraproject.org