2742be5903
In fips140.ko, enable the behavior that the upstream fips_enabled flag controls, such as the XTS weak key check which apparently is required. Note that some of this behavior, such as the DRBG continuity check, is allegedly not required. But to ensure we don't miss anything that was already handled upstream, it seems best to define fips_enabled to 1. We can still disable anything that turns out to be problematic. Bug: 153614920 Bug: 188620248 Change-Id: Idcded9e69e7d7cdf7f2937009af209857b0c08e2 Signed-off-by: Eric Biggers <ebiggers@google.com>
27 lines
514 B
C
27 lines
514 B
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _FIPS_H
|
|
#define _FIPS_H
|
|
|
|
#ifdef BUILD_FIPS140_KO
|
|
/*
|
|
* In fips140.ko, enable the behavior that the upstream fips_enabled flag
|
|
* controls, such as the XTS weak key check.
|
|
*/
|
|
#define fips_enabled 1
|
|
#define CONFIG_CRYPTO_FIPS 1
|
|
|
|
#elif defined(CONFIG_CRYPTO_FIPS)
|
|
extern int fips_enabled;
|
|
extern struct atomic_notifier_head fips_fail_notif_chain;
|
|
|
|
void fips_fail_notify(void);
|
|
|
|
#else
|
|
#define fips_enabled 0
|
|
|
|
static inline void fips_fail_notify(void) {}
|
|
|
|
#endif
|
|
|
|
#endif
|