| author | Antony Antony <antony.antony@secunet.com> | 2020-11-17 17:47:23 +0100 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2020-11-27 11:03:06 +0100 |
| commit | c7a5899eb26e2a4d516d53f65b6dd67be2228041 (patch) | |
| tree | 3c57c631ca926f27378b28bc9fa2a6f6d81476c8 /net/ife | |
| parent | 8be33ecfc1ffd2da20cc29e957e4cb6eb99310cb (diff) | |
xfrm: redact SA secret with lockdown confidentiality
Redact the XFRM SA secret in the netlink response to xfrm_get_sa() or dumpall sa.
Enable lockdown, confidentiality mode, at boot or at run time.
E.g. when enabled:

```
cat /sys/kernel/security/lockdown
none integrity [confidentiality]

ip xfrm state
src 172.16.1.200 dst 172.16.1.100
	proto esp spi 0x00000002 reqid 2 mode tunnel
	replay-window 0
	aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96
```

Note: the aead secret is redacted.

Redacting the secret is also a FIPS 140-2 requirement.
v1->v2
- add size checks before memset calls
v2->v3
- replace spaces with tabs for consistency
v3->v4
- use kernel lockdown instead of a /proc setting
v4->v5
- remove kconfig option
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ife')
0 files changed, 0 insertions, 0 deletions
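As an added example (not code from this commit or the kernel), a POSIX shell check that tells whether the SA key material shown by `ip xfrm state` has been redacted to all-zero hex, as lockdown confidentiality mode does. The two samples are constructed; the live helper reads the lockdown file and runs the command shown in the commit message.

```shell
#!/bin/sh
# Added example, not part of the kernel commit: checks whether the keys
# printed by `ip xfrm state` are redacted (all-zero hex). Both samples
# below are constructed, not captured from a real host.

SAMPLE_REDACTED='src 172.16.1.200 dst 172.16.1.100
    proto esp spi 0x00000002 reqid 2 mode tunnel
    replay-window 0
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96'

SAMPLE_LEAKED='src 172.16.1.200 dst 172.16.1.100
    proto esp spi 0x00000003 reqid 3 mode tunnel
    replay-window 0
    auth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef 128
    enc cbc(aes) 0xfedcba9876543210fedcba9876543210'

# xfrm_keys_redacted TEXT
# Returns 0 if every key line (aead/enc/auth) in TEXT carries an all-zero
# key, 1 if any key shows non-zero bytes, 2 if TEXT has no key lines at all.
xfrm_keys_redacted() {
    found=0
    leaked=0
    while IFS= read -r line; do
        # Only algorithm lines carry key material; "spi 0x..." is not a key.
        case "$line" in
            *aead*|*enc\ *|*auth*) ;;
            *) continue ;;
        esac
        key=$(printf '%s\n' "$line" | sed -n 's/.*\(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p')
        [ -n "$key" ] || continue
        found=$((found + 1))
        # Drop the 0x prefix and every zero digit; anything left is real key data.
        rest=$(printf '%s' "${key#0x}" | tr -d '0')
        [ -z "$rest" ] || leaked=$((leaked + 1))
    done <<EOF
$1
EOF
    [ "$found" -gt 0 ] || return 2
    [ "$leaked" -eq 0 ]
}

# Live check on this host: print the lockdown mode, then verify that the
# SAs the kernel reports do not expose key material.
xfrm_host_check() {
    [ -r /sys/kernel/security/lockdown ] && cat /sys/kernel/security/lockdown
    xfrm_keys_redacted "$(ip xfrm state 2>/dev/null)"
}
```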