fips: only install FIPS-compliant crypto modules

Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.

Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).

diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 095480be38a14e3f4edf274e16dc1fcd727789a9..f3af4d90878b192a2c83103e2db723bae2c8c21b 100755 (executable)
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -19,22 +19,15 @@ installkernel() {
         _fipsmodules=""
 
         # Hashes:
-        _fipsmodules+="md4 md5 sha1 sha224 sha256 sha384 sha512 michael_mic "
-        _fipsmodules+="crc32c crct10dif wp256 wp384 wp512 tgr128 tgr160 tgr192 "
-        _fipsmodules+="rmd128 rmd160 rmd256 rmd320 ghash sm3 "
+        _fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
         _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
+        _fipsmodules+="crc32c crct10dif ghash "
 
         # Ciphers:
-        _fipsmodules+="cipher_null des des3_ede blowfish twofish serpent aes "
-        _fipsmodules+="cast5 cast6 tea xtea khazad tnepres anubis xeta fcrypt "
-        _fipsmodules+="camellia seed sm4 "
-
-        # Block/stream ciphers:
-        _fipsmodules+="arc4 salsa20 "
+        _fipsmodules+="cipher_null des3_ede aes "
 
         # Modes/templates:
-        _fipsmodules+="ecb cbc ctr lrw xts pcbc xcbc gcm ccm cts authenc "
-        _fipsmodules+="hmac vmac cmac "
+        _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "
 
         # Compression algs:
         _fipsmodules+="deflate lzo zlib "