linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops

sameehj · sameehj · commit 8fcecfe07998 · 2025-12-31T14:09:16.000+02:00
RHEL9 kernels (9.6+) disable RSA signing and decryption in the kernel crypto API for security reasons (CVE-2023-6240). The kernel forcibly overwrites akcipher sign/decrypt callbacks to return -ENOSYS, regardless of what the driver provides. Commit 3709c35c in the RHEL kernel: "crypto: akcipher - Disable signing and decryption" This affects our self-tests which call crypto_akcipher_sign() and crypto_akcipher_decrypt(). On RHEL9, these operations return -ENOSYS even though our driver correctly implements them. Add compile-time checks for RHEL_RELEASE_CODE >= 9.6 to detect this scenario and skip the affected self-tests gracefully. The tests pass since the algorithms are registered correctly; the kernel simply refuses to execute sign/decrypt operations as a matter of policy. Note: encrypt and verify operations are unaffected and continue to be tested normally. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c
@@ -27,6 +27,12 @@
     #error lkcapi_rsa_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
 
+#ifdef RHEL_RELEASE_CODE
+    #include <linux/rhel_versions.h>
+#else
+    #define RHEL_RELEASE_VERSION(a, b) (((a) << 8) + (b))
+#endif
+
 #if !defined(NO_RSA)
     #if (defined(LINUXKM_LKCAPI_REGISTER_ALL) || \
          (defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && defined(CONFIG_CRYPTO_RSA))) && \
@@ -2347,6 +2353,14 @@ static int linuxkm_test_rsa_driver(const char * driver, int nbits)
 
     memset(dec, 0, key_len);
     ret = crypto_akcipher_decrypt(req);
+   #if defined(RHEL_RELEASE_CODE) && defined(RHEL_RELEASE_VERSION) && \
+              (RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(9, 6))
+    if (ret == -ENOSYS) {
+        pr_info("info: skipping crypto_akcipher_decrypt (disabled by RHEL policy)\n");
+        test_rc = 0;
+        goto test_rsa_end;
+    }
+    #endif
     if (ret) {
         pr_err("error: crypto_akcipher_decrypt returned: %d\n", ret);
         goto test_rsa_end;
@@ -2721,6 +2735,14 @@ static int linuxkm_test_pkcs1pad_driver(const char * driver, int nbits,
     akcipher_request_set_crypt(req, &src, &dst, hash_len, key_len);
 
     ret = crypto_akcipher_sign(req);
+    #if defined(RHEL_RELEASE_CODE) && defined(RHEL_RELEASE_VERSION) && \
+               (RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(9, 6))
+    if (ret == -ENOSYS) {
+        pr_info("info: skipping crypto_akcipher_sign (disabled by RHEL policy)\n");
+        test_rc = 0;
+        goto test_pkcs1_end;
+    }
+    #endif
     if (ret) {
         pr_err("error: crypto_akcipher_sign returned: %d\n", ret);
         test_rc = BAD_FUNC_ARG;
@@ -2847,6 +2869,14 @@ static int linuxkm_test_pkcs1pad_driver(const char * driver, int nbits,
     }
 
     ret = crypto_akcipher_decrypt(req);
+    #if defined(RHEL_RELEASE_CODE) && defined(RHEL_RELEASE_VERSION) && \
+               (RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(9, 6))
+    if (ret == -ENOSYS) {
+        pr_info("info: skipping crypto_akcipher_decrypt (disabled by RHEL policy)\n");
+        test_rc = 0;
+        goto test_pkcs1_end;
+    }
+    #endif
     if (ret) {
         pr_err("error: crypto_akcipher_decrypt returned: %d\n", ret);
         test_rc = BAD_FUNC_ARG;
