From: Antony Antony
Date: Thu, 27 Aug 2020 22:15:36 +0200
> If there is a way to set lockdown per net namespace it would be
> better than /proc/sys/core/net/xfrm_redact_secret.
Lockmode is a whole system attribute.
As should any facility that restricts access to keying information
stored inside
Hi David,
On Mon, Aug 24, 2020 at 08:00:38 +0200, Antony Antony wrote:
> On Thu, Aug 20, 2020 at 15:42:22 -0700, David Miller wrote:
> > From: Antony Antony
> > Date: Thu, 20 Aug 2020 20:35:49 +0200
> >
> > > Redacting secret is a FIPS 140-2 requirement.
> >
> > Why not control this via the ker
On Thu, Aug 20, 2020 at 15:42:22 -0700, David Miller wrote:
> From: Antony Antony
> Date: Thu, 20 Aug 2020 20:35:49 +0200
>
> > Redacting secret is a FIPS 140-2 requirement.
>
> Why not control this via the kernel lockdown mode rather than making
> an ad-hoc API for this?
Let me try to use ker
From: Antony Antony
Date: Thu, 20 Aug 2020 20:35:49 +0200
> Redacting secret is a FIPS 140-2 requirement.
Why not control this via the kernel lockdown mode rather than making
an ad-hoc API for this?
When enabled (set to 1), redact the XFRM SA secret in the netlink response to
xfrm_get_sa() or to a dump of all SAs.
e.g.
echo 1 > /proc/sys/net/core/xfrm_redact_secret
ip xfrm state
src 172.16.1.200 dst 172.16.1.100
proto esp spi 0x0002 reqid 2 mode tunnel
replay-window 0
aead rfc4106(gcm(a