On 05/13/09 09:51, Hai-May Chao wrote:
> Anthony Scarpino wrote:
>> Krishna Yenduri wrote:
>>>
>>> KY-7 kcf section and the next section
>>>
>>> See KY-5. Some of the kernel modules (e.g. sha1) are loaded by the time
>>> kcfd starts since they are needed very early on during boot. So, you
>>> will need some other mechanism to do POST checks on them.
>>
>> If they are accessing the module directly, that is outside the
>> boundary. We are validating the Crypto Framework as defined by the
>> usage via the APIs. The same situation you describe holds true for
>> libmd. If FIPS has failed, we cannot stop someone from accessing
>> libmd, we only prevent the use of PKCS#11 interfaces via
>> pkcs11_softtoken. That will be part of the Security Policy.
>>
>
> Krishna,
>
> You meant kcf module could be loaded and in use before cryptosvc has
> begun, right?

Yes.

> as some modules depend on kcf. For the case of
> random_get_pseudo_bytes(), it would
> be called before kcfd. If true, we could always do POST at
> initialization of a module
> for that.

OK. Note though that you don't know if FIPS mode is set at that time. I guess you can do the test all the time, if it is a cheap operation, or find a way to get the FIPS mode setting value earlier.

-Krishna