This patch series implements FIPS 140-3 compliance requirements for random
number generation in the Linux kernel 6.12 stable. The changes ensure that
when the kernel is operating in FIPS mode, FIPS-compliant random number
generators from the Crypto API are used to override the default
/dev/random implementation.
The series consists of two patches:
1. "random: Add hook to override device reads and getrandom(2)" - This patch
introduces the infrastructure to allow external RNGs to override the
default random number generation. Originally authored by Herbert Xu, this has
been adapted for kernel 6.12.
2. "crypto: rng - Override drivers/char/random only after FIPS RNGs available" -
This patch implements the actual FIPS mode override using a workqueue-based
approach to ensure proper initialization timing. It addresses timing issues
in a previous commit "crypto: rng - Override drivers/char/random only after
FIPS RNGs available" where the crypto RNG would attempt to override before
dependencies were ready, preventing potential boot failures.
These patches are required for FIPS 140-3 certification and compliance in
government and enterprise environments where cryptographic standards must
be strictly enforced.
Herbert Xu (1):
random: Add hook to override device reads and getrandom(2)
Jay Wang (1):
crypto: rng - Override drivers/char/random only after FIPS RNGs
available
crypto/rng.c | 92 +++++++++++++++++++++++++++++++++
drivers/char/random.c | 114 +++++++++++++++++++++++++++++++++++++++++
include/linux/random.h | 7 +++
3 files changed, 213 insertions(+)
--
2.47.1
