Bug #6

Need open kcfd

Added by Garrett D'Amore over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: High
Category: -
Start date: 2010-07-30
Due date:
% Done: 80%
Estimated time:
Difficulty:
Tags:

Description

We need a kcfd subsystem to replace the closed ones.

Mostly kcfd offers threads to the kcf kernel module in a fashion very similar to nfsd. It also does module signing.

It may be possible to elide the module signing.

History

#1

Updated by Rich Lowe over 9 years ago

Module signing is used both for export control purposes, and as of fairly recently, as part of the FIPS-140 implementation.
I'd expect the reason to care to be FIPS-140.

If kcfd is implemented without the ability to verify modules, likely the FIPS-140 bits should be removed.

#2

Updated by Jason King over 9 years ago

Dumb question, but wouldn't we want to keep the ability to sign modules? I would think a distro might want the ability to sign the stuff they build.

#3

Updated by Rich Lowe over 9 years ago

Jason King wrote:

Dumb question, but wouldn't we want to keep the ability to sign modules? I would think a distro might want the ability to sign the stuff they build.

Without the Validated Execution project, the "module signing" part here is the verification of the signature on crypto modules for export compliance, not related to actually signing them, or validating them with 'elfsign verify'. It only matters to people who need to close the hole in 'crypto with a hole', or implement strict FIPS-140, right now.

#4

Updated by Garrett D'Amore over 9 years ago

  • Assignee set to Garrett D'Amore
  • % Done changed from 0 to 80

So as part of this, we're yanking FIPS 140 support.

A webrev is here: http://mexico.purplecow.org/gdamore/webrev/nofips/

Hopefully this will be integrating soon.

#5

Updated by Garrett D'Amore over 9 years ago

  • Status changed from New to Resolved

This is now integrated. Enjoy.
