From: Ondrej Mosnacek
Date: Fri, 8 Jun 2018 11:38:34 +0000 (+0200)
Subject: fips: only install FIPS-compliant crypto modules
X-Git-Tag: 048~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cec0d04112b16723c52be0a82073f99d76e51f2b;p=thirdparty%2Fdracut.git
fips: only install FIPS-compliant crypto modules
Since the kernel doesn't allow using any non-FIPS-compliant crypto algorithms, it doesn't make sense to install them. Even if they are installed, tcrypt will not test them anyway. Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched module-setup.sh).
---
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 095480be3..f3af4d908 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -19,22 +19,15 @@ installkernel() {
  _fipsmodules=""
  # Hashes:
- _fipsmodules+="md4 md5 sha1 sha224 sha256 sha384 sha512 michael_mic "
- _fipsmodules+="crc32c crct10dif wp256 wp384 wp512 tgr128 tgr160 tgr192 "
- _fipsmodules+="rmd128 rmd160 rmd256 rmd320 ghash sm3 "
+ _fipsmodules+="sha1 sha224 sha256 sha384 sha512 "
  _fipsmodules+="sha3-224 sha3-256 sha3-384 sha3-512 "
+ _fipsmodules+="crc32c crct10dif ghash "
  # Ciphers:
- _fipsmodules+="cipher_null des des3_ede blowfish twofish serpent aes "
- _fipsmodules+="cast5 cast6 tea xtea khazad tnepres anubis xeta fcrypt "
- _fipsmodules+="camellia seed sm4 "
-
- # Block/stream ciphers:
- _fipsmodules+="arc4 salsa20 "
+ _fipsmodules+="cipher_null des3_ede aes "
  # Modes/templates:
- _fipsmodules+="ecb cbc ctr lrw xts pcbc xcbc gcm ccm cts authenc "
- _fipsmodules+="hmac vmac cmac "
+ _fipsmodules+="ecb cbc ctr xts gcm ccm authenc hmac cmac "
  # Compression algs:
  _fipsmodules+="deflate lzo zlib "
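Review bot: The trimmed `_fipsmodules` list in installkernel() is now an allow-list that must track the kernel's own FIPS-permitted set, but nothing in the hunk records what it was checked against, so it can drift silently as the kernel changes. I would add a comment above `# Hashes:` such as `# Keep in sync with the algorithms the kernel permits in FIPS mode (fips_allowed entries in crypto/testmgr.c); last checked against kernel <VERSION>.` The Modes/templates line drops `lrw`, `pcbc`, `xcbc`, `cts` and `vmac` together, and each is worth confirming against that list, since a template the kernel still accepts would presumably be unavailable in the initramfs if left out here. A short comment would also help an auditor understand that `cipher_null`, `crc32c`, `crct10dif` and the compression entries stay because the kernel still uses them, not because they are approved algorithms. installkernel() begins before this hunk and continues past it, so the `modules.fips` branch and the install loop are not visible here.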