Bug #6
closed
Need open kcfd
80%
Description
We need a kcfd subsystem to replace the closed ones.
Mostly kcfd offers threads to the kcf kernel module in a fashion very similar to nfsd. It also does module signing.
It may be possible to elide the module signing.
Updated by Rich Lowe about 13 years ago
Module signing is used both for export control purposes, and as of fairly recently, as part of the FIPS-140 implementation.
I'd expect the reason to care to be FIPS-140.
If kcfd is implemented without the ability to verify modules, likely the FIPS-140 bits should be removed.
Updated by Jason King about 13 years ago
Dumb question, but wouldn't we want to keep the ability to sign modules? I would think a distro might want the ability to sign the stuff they build.
Updated by Rich Lowe about 13 years ago
Jason King wrote:
Dumb question, but wouldn't we want to keep the ability to sign modules? I would think a distro might want the ability to sign the stuff they build.
Without the Validated Execution project, the "module signing" part here is the verification of the signature on crypto modules for export compliance, not related to actually signing them, or validating them with 'elfsign verify'. It only matters to people who need to close the hole in 'crypto with a hole', or implement strict FIPS-140, right now.
Updated by Garrett D'Amore about 13 years ago
- Assignee set to Garrett D'Amore
- % Done changed from 0 to 80
So as part of this, we're yanking FIPS 140 support.
A webrev is here: http://mexico.purplecow.org/gdamore/webrev/nofips/
Hopefully this will be integrating soon.
Updated by Garrett D'Amore about 13 years ago
- Status changed from New to Resolved
This is now integrated. Enjoy.