From ee137e017ce5c73113f83506f588d3e2cdbce95d Mon Sep 17 00:00:00 2001
From: 8aed <8aed@riseup.net>
Date: Sat, 4 Nov 2023 05:08:09 +0100
Subject: linux: enable the NIST SP800-90A DRBG
---
 pkgs/os-specific/linux/kernel/common-config.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'pkgs/os-specific')
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index fb583551f1b6b..1aedcdc7c0fdf 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -562,6 +562,13 @@ let
 KEYS_REQUEST_CACHE = whenAtLeast "5.3" yes;
 # randomized slab caches
 RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes;
+
+ # NIST SP800-90A DRBG modes - enabled by most distributions
+ # and required by some out-of-tree modules (ShuffleCake)
+ # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication.
+ CRYPTO_DRBG_HASH = yes;
+ CRYPTO_DRBG_CTR = yes;
+
 } // optionalAttrs stdenv.hostPlatform.isx86_64 {
 # Enable Intel SGX
 X86_SGX = whenAtLeast "5.11" yes;
-- 
cgit 1.4.1
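Review bot: The two added lines `CRYPTO_DRBG_HASH = yes;` and `CRYPTO_DRBG_CTR = yes;` depend on `CRYPTO_DRBG_MENU`, which this hunk does not set, so they only take effect where some other option already selects the DRBG menu; the comment should say so, or the hunk should set the menu option explicitly. The comment would also serve a later auditor better if it named what is being added rather than what is absent, for example `# Hash_DRBG and CTR_DRBG (NIST SP 800-90A) for the kernel crypto API, in addition to HMAC_DRBG; Dual_EC_DRBG is not implemented by the kernel.` As far as I know these generators serve in-kernel crypto API users and do not change what /dev/random or getrandom() return, which is worth stating so the change is not read as altering the system RNG. The attribute set these lines belong to starts and continues outside the hunk.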