-
Notifications
You must be signed in to change notification settings - Fork 12
fix: document FIPS v5 reseed suppression and genkey privilege requirement #18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -876,6 +876,13 @@ struct genl_ops genl_ops[] = { | |||||||||||
| #endif | ||||||||||||
| .flags = GENL_UNS_ADMIN_PERM | ||||||||||||
| }, { | ||||||||||||
| /* Key generation is offloaded to the kernel module and | ||||||||||||
| * therefore requires CAP_NET_ADMIN. Users without this | ||||||||||||
| * privilege should either run via sudo/root, or build | ||||||||||||
| * with NO_IPC_LLCRYPTO=1 to use the userspace key | ||||||||||||
| * generation path, or ensure the wg-fips binary has the | ||||||||||||
| * appropriate file capabilities set (e.g. cap_net_admin+ep). | ||||||||||||
|
Comment on lines
+883
to
+884
|
||||||||||||
| * generation path, or ensure the wg-fips binary has the | |
| * appropriate file capabilities set (e.g. cap_net_admin+ep). | |
| * generation path, or ensure the userspace client binary | |
| * (e.g. wg/wg-fips) has the appropriate file capabilities | |
| * set (e.g. cap_net_admin+ep). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This note states both
wg genkeyandwg-fips genkeyare affected, but the remedies arewg-fips-specific (build wg-fips...,setcap ... wg-fips). To avoid confusing non-FIPS users, consider either (1) making the text consistently apply to both binaries (and show bothsetcapexamples), or (2) clearly stating which binary names are present/expected in each install path. Also,setcaptypically requiressudo; documenting that helps users avoid a second “permission denied” surprise.