
Override drivers/char/random RNGs with the FIPS RNG - Required for FIPS certification

Hello experts,

Three years back, the RHEL FIPS certification effort ran into a show-stopper with /dev/urandom and getrandom(2) not being FIPS-compliant. They came up with a patch to override random with the FIPS RNG in FIPS mode.

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304

https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304/diffs?commit_id=77f4d04971afd67990d04174c971a74bd2bd1fc9#53386255719f326b6cb16a12824e9a6ba3b17651

May I request some additional information about this.

(a) Is this patch applicable only to RHEL, or do other flavors also require it to secure FIPS certification successfully?

Regardless of the above query, I just tried to apply this patch to the vanilla 5.10.209 kernel (kernel.org), but I found a context mismatch. The lines surrounding the new changes do not match the current state of the file (for example, drivers/char/random.c). New/different APIs are used in the file_operations structure function-pointer initialization (just an example).

(b) Is there any patch available for kernel 5.10.209? If the answer is no, is it safe to patch manually in the 5.10.209 kernel (assuming the issue is common across all Linux flavors)?

(c) Can we achieve this through available Linux configuration (5.10.209)?

Thanking you in advance. Apologies if I missed any required formatting.
Sanjib
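Editor's note: the following is an added example and is not code from the post above or from the referenced kernel-ark merge request. Whatever the answer to (a)–(c), an override of this kind is only relevant when the kernel is actually running in FIPS mode, which requires CONFIG_CRYPTO_FIPS at build time and fips=1 on the kernel command line; the kernel exposes that state as /proc/sys/crypto/fips_enabled. The program below shows how a userspace consumer can read that flag and draw bytes from the kernel RNG through getrandom(2), with the short-read and EINTR handling the syscall needs. It assumes a Linux host with a glibc that provides the getrandom wrapper (sys/random.h); the function names kernel_fips_enabled, fill_random and rng_self_test are this example's own. It cannot tell which DRBG the kernel wired behind getrandom, only whether FIPS mode is on.

```c
/* Added example (not from the forum post or the referenced merge request).
 * Reads the kernel's FIPS-mode flag and exercises getrandom(2) from userspace.
 * Assumes Linux with glibc >= 2.25 (sys/random.h). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Real sysctl path; present only when the kernel was built with CONFIG_CRYPTO_FIPS. */
#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

/* Returns 1 if the kernel is in FIPS mode (fips=1), 0 if not, and -1 if the
 * flag is absent (no CONFIG_CRYPTO_FIPS) or cannot be read. */
int kernel_fips_enabled(void)
{
    FILE *f = fopen(FIPS_FLAG_PATH, "r");
    if (f == NULL)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return (value == 0 || value == 1) ? value : -1;
}

/* Fills buf with exactly n bytes from getrandom(2), retrying on EINTR and on
 * short reads (the syscall may return fewer bytes than requested).
 * flags: 0 for /dev/urandom semantics; GRND_RANDOM / GRND_NONBLOCK as in getrandom(2).
 * Returns 0 on success, -1 on failure with errno set. */
int fill_random(unsigned char *buf, size_t n, unsigned int flags)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, flags);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)r;
    }
    return 0;
}

/* Minimal sanity check on the RNG path: two draws of n bytes (1..64) must
 * succeed, must differ from each other, and must not be all zero.
 * Returns 1 if the check passes, 0 otherwise. */
int rng_self_test(size_t n)
{
    unsigned char a[64], b[64];
    if (n == 0 || n > sizeof a)
        return 0;
    if (fill_random(a, n, 0) != 0 || fill_random(b, n, 0) != 0)
        return 0;
    int all_zero = 1, same = 1;
    for (size_t i = 0; i < n; i++) {
        if (a[i] != 0)
            all_zero = 0;
        if (a[i] != b[i])
            same = 0;
    }
    return (!all_zero && !same) ? 1 : 0;
}

int main(void)
{
    int fips = kernel_fips_enabled();
    if (fips < 0)
        printf("fips_enabled: unavailable (kernel built without CONFIG_CRYPTO_FIPS?)\n");
    else
        printf("fips_enabled: %d\n", fips);

    unsigned char buf[32];
    if (fill_random(buf, sizeof buf, 0) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("getrandom(2) returned %zu bytes; self-test %s\n",
           sizeof buf, rng_self_test(sizeof buf) ? "passed" : "FAILED");
    return 0;
}
```

On a stock kernel.org build the flag is usually absent or 0, so the first line of output is the quickest way to confirm that a FIPS-mode override in drivers/char/random.c would not even be exercised before any patching is attempted.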
