dmlb2000
commented
9 months ago Some info here...
The kernel builds just fine after changing some of the configs.
CRYPTO_MANAGER_DISABLE_TESTS=n (so enable the testing) CRYPTO_ANSI_CPRNG=y MODULE_SIG=y (even though there isn't really any modules for the kernel) CONFIG_CRYPTO_DRBG_MENU=y CONFIG_CRYPTO_DRBG_HMAC=y
Then FIPS shows up in the menuconfig for selection and you can hit
CONFIG_FIPS=y
The build works fine, but I'm still working through debugging why it's not booting...
beaudet
Is your feature request related to a problem? Please describe. The WSL kernel appears to be designed to prevent FIPS 140-2 enforcement.
Describe the solution you'd like The ability to turn on FIPS mode in the kernel using "fips=1" as with a standard Linux kernel.
Describe alternatives you've considered Merely including openssl-fips or other packages isn't enough to satisfy testing protocols. We work in software development for government systems and the ability to test our code on systems that will be like those we deploy on is a must. Without fips mode enabled on the kernel, WSL distros are unable to be setup like a deployment STIG'd environment for testing.
Additional context Federal Information Processing Standard (FIPS) 140-2 requires the use of certain validated algorithms for encryption and hashing. The standard Linux kernel enables enforcement of these algorithms through the "fips" kernel directive as long as CONFIG_CRYPTO_FIPS has been set to "y" during compilation. The WSL kernel does not include the fips directive and does not allow for CONFIG_CRYPTO_FIPS to be enabled during kernel compilation. We recently discovered a situation where our code ran fine on WSL, but was failing on a STIG'd Linux machine that we traced to FIPS enforcement.