Re: [PATCH v2] Documentation: crypto: add info about "fips=" boot option
From: Randy Dunlap
Date: Tue Mar 30 2021 - 12:39:40 EST
On 3/29/21 10:29 PM, Eric Biggers wrote:
> On Mon, Mar 29, 2021 at 10:06:51PM -0700, Randy Dunlap wrote:
>> Having just seen a report of using "fips=1" on the kernel command line,
>> I could not find it documented anywhere, so add some help for it.
>>
>> Signed-off-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
>> Cc: Dexuan Cui <decui@xxxxxxxxxxxxx>
>> Cc: linux-crypto@xxxxxxxxxxxxxxx
>> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
>> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
>> Cc: Jonathan Corbet <corbet@xxxxxxx>
>> Cc: linux-doc@xxxxxxxxxxxxxxx
>> ---
>> Updates/corrections welcome.
>>
>> v2: drop comment that "fips_enabled can cause some tests to be skipped".
>>
>> Documentation/admin-guide/kernel-parameters.txt | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> --- linux-next-20210329.orig/Documentation/admin-guide/kernel-parameters.txt
>> +++ linux-next-20210329/Documentation/admin-guide/kernel-parameters.txt
>> @@ -1370,6 +1370,20 @@
>> See Documentation/admin-guide/sysctl/net.rst for
>> fb_tunnels_only_for_init_ns
>>
>> + fips= Format: { 0 | 1}
>> + Use to disable (0) or enable (1) FIPS mode.
>> + If enabled, any process that is waiting on the
>> + 'fips_fail_notif_chain' will be notified of fips
>> + failures.
>> + This setting can also be modified via sysctl at
>> + /proc/sysctl/crypto/fips_enabled, i.e.,
>> + crypto.fips_enabled.
>> + If fips_enabled = 1 and a test fails, it will cause a
>> + kernel panic.
>> + If fips_enabled = 1, RSA test requires a key size of
>> + 2K or larger.
>> + It can also effect which ECC curve is used.
>
> This doesn't really explain why anyone would want to give this option.
> What high-level thing is this option meant to be accomplishing?
> That's what the documentation should explain.
Yes, clearly, even to me.
But I could not find anything in the kernel source tree that would help me
explain that. So to repeat:
>> Updates/corrections welcome.
thanks.
--
~Randy