configs: Ensure FIPS settings defined #446

PlaidCat
Collaborator

We want to hard set the x86_64 FIPS required configs rather than rely on default settings in the kernel. Should these ever change without our knowing, it would not be something we would have actively checked.

The configs are a limited set of configs that is expanded out when building using `make olddefconfig`, a common practice in kernel building.

Based off this change to the dist-git
https://gitlab.com/ctrl-iq-public/fips/src/kernel/-/merge_requests/56/diffs?commit_id=f3be0b8417671ab3f748a31c543516103ca0c487

We want to hard set the x86_64 FIPS required configs rather than rely on
default settings in the kernel. Should these ever change without our
knowing, it would not be something we would have actively checked.

The configs are a limited set of configs that is expanded out when
building using `make olddefconfig`, a common practice in kernel building.

Note: had to manually add the following since it's normally set by the RPM
build process.
CONFIG_CRYPTO_FIPS_NAME="Rocky Linux 9 Kernel Cryptographic API"
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-9-compliant/5.14.0-570.25.1.el9_6 branch from 75530fe to 86585f6 Compare July 29, 2025 16:30
Collaborator

@bmastbergen bmastbergen left a comment

🥌

@kerneltoast kerneltoast left a comment

RNG bits are correct. I am a simple man, I see CONFIG_CRYPTO_DRBG=y (not =m) and CONFIG_CRYPTO_FIPS=y, I approve. 🥌

@PlaidCat PlaidCat merged commit 5d9b732 into fips-9-compliant/5.14.0-570.25.1.el9_6 Jul 29, 2025
4 checks passed
@PlaidCat PlaidCat deleted the {jmaple}_fips-9-compliant/5.14.0-570.25.1.el9_6 branch July 29, 2025 17:39
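
The check that the description and the RNG review rely on can be automated. The following is an added example, not part of this PR or the project's tooling: it compares a pinned config fragment against the `.config` produced by `make olddefconfig` and reports every symbol whose final value differs, such as `=m` where `=y` was pinned. The function names, file names and sample files are constructed for illustration; only the three `CONFIG_` symbols come from this page.

```shell
#!/bin/sh
# Added example (not project code): confirm that settings pinned in a
# config fragment survived expansion into the final .config.

# check_fips_config FRAGMENT FINAL_CONFIG
# Prints one MISMATCH line per differing symbol; returns 0 if all match.
check_fips_config() {
    fragment=$1
    final=$2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            CONFIG_*=*)                      # CONFIG_FOO=y / =m / ="string"
                sym=${line%%=*}
                want=${line#*=}
                ;;
            "# CONFIG_"*" is not set")       # explicitly disabled symbol
                sym=${line#"# "}
                sym=${sym%" is not set"}
                want=n
                ;;
            *) continue ;;                   # blank lines, other comments
        esac
        # Exact symbol match: the trailing '=' keeps CONFIG_CRYPTO_FIPS
        # from matching CONFIG_CRYPTO_FIPS_NAME.
        got=$(sed -n "s/^${sym}=//p" "$final" | head -n 1)
        [ -n "$got" ] || got=n               # absent or "is not set"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $sym: want $want, got $got"
            rc=1
        fi
    done < "$fragment"
    return $rc
}

# Constructed sample: DRBG ended up as a module and the FIPS name was
# dropped, the kind of drift the pinned fragment is meant to expose.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_CRYPTO_FIPS=y' 'CONFIG_CRYPTO_DRBG=y' \
        'CONFIG_CRYPTO_FIPS_NAME="Rocky Linux 9 Kernel Cryptographic API"' \
        > "$d/fips.fragment"
    printf '%s\n' 'CONFIG_CRYPTO_FIPS=y' 'CONFIG_CRYPTO_DRBG=m' \
        '# CONFIG_CRYPTO_FIPS_NAME is not set' > "$d/final.config"
    status=0
    check_fips_config "$d/fips.fragment" "$d/final.config" || status=$?
    rm -rf "$d"
    return $status
}
```

In a build pipeline, calling `check_fips_config` right after `make olddefconfig` and failing the job on a non-zero return turns a silent default change into a build break.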