This patch series implements FIPS 140-3 compliance requirements for random number generation in the Linux kernel 6.12. The changes ensure that when the kernel is operating in FIPS mode, FIPS-compliant random number generators are used instead of the default /dev/random implementation.
IMPORTANT: These two patches must be applied together as a series. Applying only the first patch without the second will cause a deadlock during boot in FIPS-enabled environments. The second patch fixes a critical timing issue introduced by the first patch where the crypto RNG attempts to override the drivers/char/random interface before the default RNG becomes available.
The series consists of two patches: 1. Initial implementation to override drivers/char/random in FIPS mode 2. Refinement to ensure override only occurs after FIPS-mode RNGs are available
These 2 patches are required for FIPS 140-3 certification and compliance in government and enterprise environments.
Herbert Xu (1): crypto: rng - Override drivers/char/random in FIPS mode
Jay Wang (1): Override drivers/char/random only after FIPS-mode RNGs become available
crypto/rng.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+)
From: Herbert Xu herbert.xu@redhat.com
Upstream: RHEL only Bugzilla: 1984784
This patch overrides the drivers/char/random RNGs with the FIPS RNG from Crypto API when FIPS mode is enabled.
Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu herbert.xu@redhat.com (cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187) Signed-off-by: Samuel Mendoza-Jonas samjonas@amazon.com [6.12: Resolve minor merge conflicts] Signed-off-by: Elena Avila ellavila@amazon.com --- crypto/rng.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+)
diff --git a/crypto/rng.c b/crypto/rng.c index 9d8804e46422..cdba806846e2 100644 --- a/crypto/rng.c +++ b/crypto/rng.c @@ -12,11 +12,14 @@ #include <linux/atomic.h> #include <linux/cryptouser.h> #include <linux/err.h> +#include <linux/fips.h> #include <linux/kernel.h> #include <linux/module.h> #include <linux/mutex.h> #include <linux/random.h> #include <linux/seq_file.h> +#include <linux/sched.h> +#include <linux/sched/signal.h> #include <linux/slab.h> #include <linux/string.h> #include <net/netlink.h> @@ -217,5 +220,73 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count) } EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
+static ssize_t crypto_devrandom_read(void __user *buf, size_t buflen) +{ + u8 tmp[256]; + ssize_t ret; + + if (!buflen) + return 0; + + ret = crypto_get_default_rng(); + if (ret) + return ret; + + for (;;) { + int err; + int i; + + i = min_t(int, buflen, sizeof(tmp)); + err = crypto_rng_get_bytes(crypto_default_rng, tmp, i); + if (err) { + ret = err; + break; + } + + if (copy_to_user(buf, tmp, i)) { + ret = -EFAULT; + break; + } + + buflen -= i; + buf += i; + ret += i; + + if (!buflen) + break; + + if (need_resched()) { + if (signal_pending(current)) + break; + schedule(); + } + } + + crypto_put_default_rng(); + memzero_explicit(tmp, sizeof(tmp)); + + return ret; +} + +static const struct random_extrng crypto_devrandom_rng = { + .extrng_read = crypto_devrandom_read, + .owner = THIS_MODULE, +}; + +static int __init crypto_rng_init(void) +{ + if (fips_enabled) + random_register_extrng(&crypto_devrandom_rng); + return 0; +} + +static void __exit crypto_rng_exit(void) +{ + random_unregister_extrng(); +} + +late_initcall(crypto_rng_init); +module_exit(crypto_rng_exit); + MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("Random Number Generator");
On Sat, Jun 28, 2025 at 04:29:17AM +0000, Jay Wang wrote:
From: Herbert Xu herbert.xu@redhat.com
Upstream: RHEL only Bugzilla: 1984784
This patch overrides the drivers/char/random RNGs with the FIPS RNG from Crypto API when FIPS mode is enabled.
Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu herbert.xu@redhat.com (cherry picked from commit 37e0042aaf43d4494bcbea2113605366d0fe6187)
This id is not in Linus's tree, so why is this here?
Are you sure you ment to send this series out? Have you read the stable kernel rules?
confused,
greg k-h
Hi Jay,
kernel test robot noticed the following build errors:
[auto build test ERROR on herbert-cryptodev-2.6/master] [also build test ERROR on herbert-crypto-2.6/master linus/master v6.16-rc3 next-20250627] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Jay-Wang/crypto-rng-Override-... base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master patch link: https://lore.kernel.org/r/20250628042918.32253-2-wanjay%40amazon.com patch subject: [PATCH 1/2] crypto: rng - Override drivers/char/random in FIPS mode config: x86_64-buildonly-randconfig-001-20250628 (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@i...) compiler: gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250628/202506282235.pPmU7tOj-lkp@i...)
If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot lkp@intel.com | Closes: https://lore.kernel.org/oe-kbuild-all/202506282235.pPmU7tOj-lkp@intel.com/
All error/warnings (new ones prefixed by >>):
crypto/rng.c:272:21: error: variable 'crypto_devrandom_rng' has initializer but incomplete type
272 | static const struct random_extrng crypto_devrandom_rng = { | ^~~~~~~~~~~~~
crypto/rng.c:273:10: error: 'const struct random_extrng' has no member named 'extrng_read'
273 | .extrng_read = crypto_devrandom_read, | ^~~~~~~~~~~
crypto/rng.c:273:24: warning: excess elements in struct initializer
273 | .extrng_read = crypto_devrandom_read, | ^~~~~~~~~~~~~~~~~~~~~ crypto/rng.c:273:24: note: (near initialization for 'crypto_devrandom_rng')
crypto/rng.c:274:10: error: 'const struct random_extrng' has no member named 'owner'
274 | .owner = THIS_MODULE, | ^~~~~ In file included from include/linux/printk.h:6, from include/asm-generic/bug.h:22, from arch/x86/include/asm/bug.h:103, from arch/x86/include/asm/alternative.h:9, from arch/x86/include/asm/barrier.h:5, from include/linux/list.h:11, from include/linux/swait.h:5, from include/linux/completion.h:12, from include/linux/crypto.h:15, from include/crypto/algapi.h:13, from include/crypto/internal/rng.h:12, from crypto/rng.c:11: include/linux/init.h:182:21: warning: excess elements in struct initializer 182 | #define THIS_MODULE ((struct module *)0) | ^ crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE' 274 | .owner = THIS_MODULE, | ^~~~~~~~~~~ include/linux/init.h:182:21: note: (near initialization for 'crypto_devrandom_rng') 182 | #define THIS_MODULE ((struct module *)0) | ^ crypto/rng.c:274:18: note: in expansion of macro 'THIS_MODULE' 274 | .owner = THIS_MODULE, | ^~~~~~~~~~~ crypto/rng.c: In function 'crypto_rng_init':
crypto/rng.c:280:17: error: implicit declaration of function 'random_register_extrng'; did you mean 'crypto_register_rng'? [-Werror=implicit-function-declaration]
280 | random_register_extrng(&crypto_devrandom_rng); | ^~~~~~~~~~~~~~~~~~~~~~ | crypto_register_rng crypto/rng.c: In function 'crypto_rng_exit':
crypto/rng.c:286:9: error: implicit declaration of function 'random_unregister_extrng'; did you mean 'crypto_unregister_rng'? [-Werror=implicit-function-declaration]
286 | random_unregister_extrng(); | ^~~~~~~~~~~~~~~~~~~~~~~~ | crypto_unregister_rng crypto/rng.c: At top level:
crypto/rng.c:272:35: error: storage size of 'crypto_devrandom_rng' isn't known
272 | static const struct random_extrng crypto_devrandom_rng = { | ^~~~~~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors
vim +/crypto_devrandom_rng +272 crypto/rng.c
271
272 static const struct random_extrng crypto_devrandom_rng = { 273 .extrng_read = crypto_devrandom_read, 274 .owner = THIS_MODULE,
275 }; 276 277 static int __init crypto_rng_init(void) 278 { 279 if (fips_enabled)
280 random_register_extrng(&crypto_devrandom_rng);
281 return 0; 282 } 283 284 static void __exit crypto_rng_exit(void) 285 {
286 random_unregister_extrng();
287 } 288
This commit fixes a timing issue introduced in the previous commit "crypto: rng - Override drivers/char/random in FIPS mode" where the crypto RNG was attempting to override the drivers/char/random interface before the default RNG became available. The previous implementation would immediately register the external RNG during module initialization, which could fail if the default RNG wasn't ready.
Changes: - Introduce workqueue-based initialization for FIPS mode - Add crypto_rng_register_work_func() to wait for default RNG availability - Move random_register_extrng() call to the work function with proper error handling
This ensures the crypto ext RNG is properly registered only after all dependencies are satisfied, preventing potential boot failures in FIPS-enabled environments.
Cc: stable@vger.kernel.org Signed-off-by: Jay Wang wanjay@amazon.com --- crypto/rng.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/crypto/rng.c b/crypto/rng.c index cdba806846e2..250166d67fd0 100644 --- a/crypto/rng.c +++ b/crypto/rng.c @@ -22,6 +22,7 @@ #include <linux/sched/signal.h> #include <linux/slab.h> #include <linux/string.h> +#include <linux/workqueue.h> #include <net/netlink.h>
#include "internal.h" @@ -273,15 +274,35 @@ static const struct random_extrng crypto_devrandom_rng = { .owner = THIS_MODULE, };
+static struct work_struct crypto_rng_register_work; + +static void crypto_rng_register_work_func(struct work_struct *work) +{ + /* Wait until default rng becomes avaiable, then + Overwrite the extrng. + */ + int ret = crypto_get_default_rng(); + if (ret){ + printk(KERN_ERR "crypto_rng: Failed to get default RNG (error %d)\n", ret); + return; + } + printk(KERN_INFO "Overwrite extrng\n"); + random_register_extrng(&crypto_devrandom_rng); +} + static int __init crypto_rng_init(void) { - if (fips_enabled) - random_register_extrng(&crypto_devrandom_rng); + if (fips_enabled) { + INIT_WORK(&crypto_rng_register_work, crypto_rng_register_work_func); + schedule_work(&crypto_rng_register_work); + } + return 0; }
static void __exit crypto_rng_exit(void) { + cancel_work_sync(&crypto_rng_register_work); random_unregister_extrng(); }
On Sat, Jun 28, 2025 at 04:29:18AM +0000, Jay Wang wrote:
This commit fixes a timing issue introduced in the previous commit "crypto: rng - Override drivers/char/random in FIPS mode" where the crypto RNG was attempting to override the drivers/char/random interface before the default RNG became available. The previous implementation would immediately register the external RNG during module initialization, which could fail if the default RNG wasn't ready.
Why isn't this just part of the previous commit so that there is no regression anywhere?
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg KH -
Jay Wang -
kernel test robot