Skip to content

Commit

Permalink
swtpm: Determine whether OpenSSL needs to be configured (FIPs, SHA1 s…
Browse files Browse the repository at this point in the history 
…ignature)

Get the list of enabled 'RuntimeAlgorithms' from libtpms and determine
whether any of these enabled algorithms is disabled in OpenSSL due to FIPS
mode. If FIPS mode on the host is enabled then disabled FIPS mode in
OpenSSL so that the TPM 2 can function properly.

The following algorithms are disabled when OpenSSL is in FIPS mode:
- camellia
- rsaes
- tdes
- ECC keys <224 bits

Per openssl-ciphers man page it should be possible to disable the following
algorithms use by cipher-suites:

- AES128, AES256, AES
- CAMELLIA128, CAMELLIA256, CAMELLIA
- 3DES
- SHA1, SHA, SHA256, SHA384
- CBC

WIP: It's not clear at what API level these are disabled. I have not been able
to use !SHA256 to disabled SHA256.

Also test whether signatures with SHA1 are working.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  • Loading branch information
@stefanberger
stefanberger committed Aug 19, 2024
1 parent e3cdb5d commit 7995117
Show file tree
Hide file tree
Showing 6 changed files with 761 additions and 1 deletion.
2 changes: 2 additions & 0 deletions src/swtpm/Makefile.am
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ MY_LDFLAGS = @MY_LDFLAGS@

noinst_HEADERS = \
capabilities.h \
check_algos.h \
common.h \
ctrlchannel.h \
fips.h \
Expand Down Expand Up @@ -39,6 +40,7 @@ privlib_LTLIBRARIES = libswtpm_libtpms.la

libswtpm_libtpms_la_SOURCES = \
capabilities.c \
check_algos.c \
common.c \
ctrlchannel.c \
fips.c \
Expand Down
Loading

0 comments on commit 7995117

Please sign in to comment.