From: David Howells <dhowells@redhat.com>
Subject: FIPS-mode panic? (was Re: [PULL] modules)
Date: Mon, 15 Oct 2012 08:50:54 +0100
Message-ID: <15269.1350287454@warthog.procyon.org.uk>
References: <CA+55aFyVcTT4tKTVvhzXz3t4uw=MDLU00NAAOacWt6i3xovERg@mail.gmail.com> <87fw5m7ipz.fsf@rustcorp.com.au> <CA+55aFyGuy8P4Uaanmv7DncjsN6cvQxvWrrMKKnF=67J+BkshQ@mail.gmail.com>
Cc: dhowells@redhat.com, Rusty Russell <rusty@rustcorp.com.au>,
	LKML <linux-kernel@vger.kernel.org>,
	Alex Lyashkov <umka@cloudlinux.com>,
	Arnd Bergmann <arnd@arndb.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	"David S. Miller" <davem@davemloft.net>,
	Dmitry Kasatkin <dmitry.kasatkin@intel.com>,
	Herbert Xu <herbert@gondor.hengli.com.au>,
	Josh Boyer <jwboyer@redhat.com>, linux-crypto@vger.kernel.org,
	Lucas De Marchi <lucas.demarchi@profusion.mobi>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Milan Broz <mbroz@redhat.com>,
	Ralf Baechle <ralf@linux-mips.org>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Sam Ravnborg <sam@ravnborg.org>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Stephan Mueller <stephan.mueller@atsec.com>
In-Reply-To: <CA+55aFyVcTT4tKTVvhzXz3t4uw=MDLU00NAAOacWt6i3xovERg@mail.gmail.com>
Sender: linux-crypto-owner@vger.kernel.org

Linus Torvalds <torvalds@linux-foundation.org> wrote:

> Hmm. So this thing makes me wonder:
> 
>         /* Not having a signature is only an error if we're strict. */
>         if (err < 0 && fips_enabled)
>                 panic("Module verification failed with error %d in FIPS mode\n",
>                       err);
> 
> do we really want to panic (even in fips_enabled mode)?

That's what the FIPS people want.  As I understand it, if there's some
indication that the crypto stuff is compromised, the box should be shut down
immediately.

I've added Stephan Mueller to see if he can illuminate further.

David