On Tue, Jul 28, 2020 at 05:47:30PM +0200, Antony Antony wrote: > when enabled, 1, redact XFRM SA secret in the netlink response to > xfrm_get_sa() or dump all sa. > > e.g > echo 1 > /proc/sys/net/core/xfrm_redact_secret > ip xfrm state > src 172.16.1.200 dst 172.16.1.100 > proto esp spi 0x00000002 reqid 2 mode tunnel > replay-window 0 > aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96 > > the aead secret is redacted. > > /proc/sys/core/net/xfrm_redact_secret is a toggle. > Once enabled, either at compile or via proc, it can not be disabled. > Redacting secret is a FIPS 140-2 requirement.
Couldn't you use the existing fips_enabled sysctl? Cheers, -- Email: Herbert Xu <herb...@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
