Diffstat (limited to 'conf')
-rw-r--r-- conf/plugins/tpm.conf 4
-rw-r--r-- conf/plugins/tpm.opt 4
-rw-r--r-- conf/strongswan.conf.5.main 5
3 files changed, 13 insertions, 0 deletions
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
index 1be961e89..91d533a1e 100644
--- a/conf/plugins/tpm.conf
+++ b/conf/plugins/tpm.conf
@@ -1,5 +1,9 @@
tpm {
+ # Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+ # salt length instead of maximum salt length with RSAPSS padding.
+ # fips_186_4 = no
+
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
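Review bot: The new comment above "# fips_186_4 = no" is worded as a question ("Is the TPM 2.0 FIPS-186-4 compliant, ..."), while the neighbouring entry in the same block is a statement ("Whether to load the plugin."). Suggest "Whether the TPM 2.0 is FIPS-186-4 compliant, forcing ..." so the option reads as a setting the operator declares. The same sentence is added in tpm.opt and strongswan.conf.5.main, so the wording should change in all three places together.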
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
index df7adb098..06c88861e 100644
--- a/conf/plugins/tpm.opt
+++ b/conf/plugins/tpm.opt
@@ -1,6 +1,10 @@
charon.plugins.tpm.use_rng = no
Whether the TPM should be used as RNG.
+charon.plugins.tpm.fips_186_4 = no
+ Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+ salt length instead of maximum salt length with RSAPSS padding.
+
charon.plugins.tpm.tcti.name = device|tabrmd
Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager
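Review bot: The description added for charon.plugins.tpm.fips_186_4 leaves the actual effect open: "e.g." implies there are further behaviour changes that are not listed, and "the default salt length" is never given a value. For an option that changes RSA-PSS signature parameters, the text should state the concrete salt length used in each mode (for example in relation to the hash length) and either list the other effects or drop "e.g.", so an operator can tell what a peer will have to verify.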
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 486ee5af9..aea62fbae 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -1685,6 +1685,11 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
Send a PB\-TNC batch with a modified PB\-TNC version.
.TP
+.BR charon.plugins.tpm.fips_186_4 " [no]"
+Is the TPM 2.0 FIPS\-186\-4 compliant, forcing e.g. the use of the default salt
+length instead of maximum salt length with RSAPSS padding.
+
+.TP
.BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
Name of TPM 2.0 TCTI library. Valid values:
.RI "" "tabrmd" ","
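Review bot: The man page entry for charon.plugins.tpm.fips_186_4 defaults to "[no]" and asks the operator to declare whether the TPM is compliant, but it does not say how to find that out or what happens when the value does not match the device. Suggest adding a sentence on when to set it to yes and on the visible symptom of a wrong setting (for example, whether signatures made with the TPM key fail to verify), since a silent mismatch here would be hard to diagnose. Also consider "RSA\-PSS" instead of "RSAPSS" for consistency with the hyphenated "FIPS\-186\-4" in the same sentence.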