Commit 38e88d6

fix: document FIPS v5 reseed suppression and genkey privilege requirement
1 parent b135d5c commit 38e88d6

3 files changed

Lines changed: 27 additions & 0 deletions

README.md

Lines changed: 16 additions & 0 deletions
@@ -162,6 +162,14 @@ under `/lib/modules/` where the target kernel's modules are installed.
162162
The `genkey` and `pubkey` ops in the final line are basic functionality tests.
163163
If all is well, it will succeed, and print a random public key.
164164

165+
**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
166+
`wg-fips genkey`) offloads key generation to the kernel module via netlink and
167+
therefore requires `CAP_NET_ADMIN`. Non-root users will receive a permission
168+
error. To resolve this, either run as root or via `sudo`, or build `wg-fips`
169+
with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
170+
grant the `wg-fips` binary the `cap_net_admin` file capability
171+
(`setcap cap_net_admin+ep wg-fips`).
172+
165173
As for the `wg-fips` build above, compressed public key support can be enabled
166174
by adding `EXTRA_CFLAGS=-DWG_USE_PUBLIC_KEY_COMPRESSION` to the above `make`
167175
recipe. The `WG_USE_PUBLIC_KEY_COMPRESSION` setting must be matched throughout
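Review bot: The third remedy in the added note, `setcap cap_net_admin+ep wg-fips`, attaches CAP_NET_ADMIN to the binary itself, so every user who can execute it gets that capability for whatever subcommand they run, not only `genkey`, and the note does not say so. Suggest listing the `NO_IPC_LLCRYPTO=1` build first as the unprivileged option, and adding a sentence that the file capability should be paired with restricted execute permission on the binary (for example a dedicated group). The sentence also chains "either ... or ..., or ..., or ..." across three alternatives; a short bullet list would be easier to follow.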
@@ -296,6 +304,14 @@ $ ../user-src/wg-fips genkey | ../user-src/wg-fips pubkey
296304
The `genkey` and `pubkey` ops in the final line are basic functionality tests.
297305
If all is well, it will succeed, and print a random public key.
298306

307+
**Note:** When the `wolfguard.ko` kernel module is loaded, `wg genkey` (and
308+
`wg-fips genkey`) offloads key generation to the kernel module via netlink and
309+
therefore requires `CAP_NET_ADMIN`. Non-root users will receive a permission
310+
error. To resolve this, either run as root or via `sudo`, or build `wg-fips`
311+
with `NO_IPC_LLCRYPTO=1` (which selects the userspace key generation path), or
312+
grant the `wg-fips` binary the `cap_net_admin` file capability
313+
(`setcap cap_net_admin+ep wg-fips`).
314+
299315
As with the non-FIPS-certified procedure, if all of the above succeeds, then you
300316
are now ready to bring up WolfGuard tunnels. Existing playbooks and scripting
301317
for WireGuard can be used directly, provided you substitute `/etc/wolfguard` for
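Review bot: This added note is a verbatim copy of the one added at README line 165, so the two will drift the next time either is edited; keep one copy and refer to it from the other section. In this section the test command invokes `../user-src/wg-fips`, while the note says `setcap cap_net_admin+ep wg-fips` with a bare file name; use the same path as the example. It is also worth stating that `setcap` itself must be run with privilege and that the capability is stored on the file, so it has to be reapplied after the binary is rebuilt or reinstalled.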

kernel-src/netlink.c

Lines changed: 7 additions & 0 deletions
@@ -876,6 +876,13 @@ struct genl_ops genl_ops[] = {
876876
#endif
877877
.flags = GENL_UNS_ADMIN_PERM
878878
}, {
879+
/* Key generation is offloaded to the kernel module and
880+
* therefore requires CAP_NET_ADMIN. Users without this
881+
* privilege should either run via sudo/root, or build
882+
* with NO_IPC_LLCRYPTO=1 to use the userspace key
883+
* generation path, or ensure the wg-fips binary has the
884+
* appropriate file capabilities set (e.g. cap_net_admin+ep).
885+
*/
879886
.cmd = WG_CMD_GEN_PRIVKEY,
880887
.doit = wg_nl_generate_privkey,
881888
.policy = device_policy,
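Review bot: The comment added above `.cmd = WG_CMD_GEN_PRIVKEY` asserts a CAP_NET_ADMIN requirement, but the flag that would enforce it is not among the lines shown for this entry; only the preceding entry's `.flags = GENL_UNS_ADMIN_PERM` is visible. Move the comment next to this entry's own `.flags` line and name the flag in it, so the comment and the enforcement cannot drift apart, and if the flag is `GENL_UNS_ADMIN_PERM`, say that the capability is checked against the user namespace owning the network namespace rather than globally. The build and `setcap` advice repeats the README note; a one-line pointer to the README would keep user-facing instructions in one place.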

kernel-src/wolfcrypt_glue.c

Lines changed: 4 additions & 0 deletions
@@ -1196,6 +1196,10 @@ int wc_linuxkm_drbg_generate(struct wc_linuxkm_drbg_ctx *ctx,
11961196
retry:
11971197

11981198
#if defined(HAVE_FIPS) && FIPS_VERSION_LT(6,0)
1199+
/* FIPS v5 does not expose an API to externally reseed the DRBG.
1200+
* The entropy input is therefore discarded here. The DRBG output
1201+
* remains safe: it was properly seeded at initialization time.
1202+
*/
11991203
(void)src;
12001204
(void)slen;
12011205
#else
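Review bot: The comment added before `(void)src;` says the DRBG output "remains safe" without stating what the caller loses when `src` and `slen` are dropped. This is in `wc_linuxkm_drbg_generate`, so the comment should say what `src` represents on this path (per-call additional input versus reseed entropy) and that a caller supplying it gets no error and no effect under FIPS v5. Consider also noting whether the DRBG still reseeds on its own internal schedule, since "properly seeded at initialization time" alone does not tell the reader that, and whether a non-zero `slen` should be reported to the caller or logged once instead of being ignored silently.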
