Improvements merged into Linux 5.19 yesterday make the kernel’s signature verification code FIPS compliant. To comply with FIPS (Federal Information Processing Standard), the operating system has to perform self-testing. FIPS is a public standard published by NIST and used by U.S. government agencies and contractors in the field of computer security and interoperability.
FIPS 140, the FIPS standard for cryptographic modules, requires known-answer self-tests to be run at boot/reboot time before the cryptography is used, but the Linux kernel’s signature verification code has been lacking such tests.
Signature checking code is used for module signing, Kexec, and other features, and with the introduction of Linux 5.19, the OS now does some basic self-testing at boot. Red Hat’s David Howells explained: “Signature checking code used by module signing, Kexec, etc. is not FIPS compliant because no self-testing process has ever been deployed.
In order for a kernel to be FIPS compliant, signature checking must be tested before use. If signature checking is not available, this can cause some trouble in certain cases (e.g. simply disabling signature checking will prevent any driver modules from being loaded). The kernel code now handles this by adding a minimal size test.”
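The boot-time known-answer test gate described above, as an added example that is not the kernel’s code or code from this article: HMAC-SHA256 from Python’s standard library stands in for the kernel’s asymmetric signature check (an assumption to stay self-contained), the published RFC 4231 test vector serves as the known answer, and the signing key and module image are constructed.

```python
import hashlib
import hmac

# Known-answer test vector: RFC 4231 test case 1 for HMAC-SHA-256 (public test data).
KAT_KEY = bytes([0x0B] * 20)
KAT_MSG = b"Hi There"
KAT_TAG = bytes.fromhex("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


def sign(key: bytes, msg: bytes) -> bytes:
    """Produce a tag. HMAC-SHA256 stands in for the asymmetric signature
    the kernel checks on modules (an assumption to stay in the stdlib)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class SignatureChecker:
    """Verification primitive gated behind a boot-time known-answer test."""

    def __init__(self, key: bytes):
        self._key = key
        self.self_test_passed = False

    def _raw_verify(self, key: bytes, msg: bytes, tag: bytes) -> bool:
        # The primitive under test, with a constant-time comparison.
        return hmac.compare_digest(sign(key, msg), tag)

    def self_test(self) -> bool:
        # KAT: accept the published vector, and reject it once one byte of
        # the tag is flipped, so an "always accept" implementation is caught.
        bad_tag = bytes([KAT_TAG[0] ^ 0x01]) + KAT_TAG[1:]
        ok = self._raw_verify(KAT_KEY, KAT_MSG, KAT_TAG)
        ok = ok and not self._raw_verify(KAT_KEY, KAT_MSG, bad_tag)
        self.self_test_passed = ok
        return ok

    def verify(self, msg: bytes, tag: bytes) -> bool:
        # Fail closed: until the self-test has passed, every signature is
        # rejected, which is what makes a failed test block module loading.
        if not self.self_test_passed:
            return False
        return self._raw_verify(self._key, msg, tag)


class BrokenChecker(SignatureChecker):
    """A defective primitive that accepts everything; the KAT must catch it."""

    def _raw_verify(self, key: bytes, msg: bytes, tag: bytes) -> bool:
        return True


def load_module(checker: SignatureChecker, image: bytes, tag: bytes) -> str:
    """Model of loading a module with signature enforcement switched on."""
    return "loaded" if checker.verify(image, tag) else "rejected"
```

With a healthy primitive the self-test passes and correctly signed modules load; with the broken one the self-test fails, verification stays disabled, and every module is rejected, which is the failure mode the kernel change has to handle.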
This FIPS cryptography support was merged into the Linux mainline yesterday, making this FIPS self-test part of Linux 5.19-rc4.