Thread (21 messages) 21 messages, 7 authors, 2017-09-20

[kernel-hardening] Re: [PATCH v4] security/keys: rewrite all of big_key crypto

From: gregkh@linuxfoundation.org (Greg KH)
Date: 2017-09-18 09:04:47
Also in: keyrings, lkml, stable

On Mon, Sep 18, 2017 at 10:49:56AM +0200, Stephan Mueller wrote:
Am Samstag, 16. September 2017, 15:00:34 CEST schrieb Jason A. Donenfeld:

Hi Jason,
quoted
This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, 
This change is a challenge. The use of the kernel crypto API's DRNG has been 
made to allow FIPS 140-2 compliance. Otherwise, the entire key generation 
logic will not be using the right(TM) DRNG. Thus, I would not suggest to 
replace that for a stable tree.
Why not?  What is the issue here, there is only one "DRNG" in the kernel
now (and probably for a long time...)
Note, I am currently working on a pluggable DRNG apporach for /dev/random and 
/dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG 
API. It is ready and I will air that solution shortly. Yet, it needs work to 
be integrated upstream (and approval from Ted Tso).
We don't postpone work for potential future patches that might or might
not ever happen or get merged.  That's how NetBSD died...

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help