From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Jon Kohler <jon@nutanix.com>,
Vegard Nossum <vegard.nossum@oracle.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
Stephan Mueller <smueller@chronox.de>,
Marcus Meissner <meissner@suse.de>,
Jarod Wilson <jarod@redhat.com>,
Neil Horman <nhorman@tuxdriver.com>,
John Haxby <john.haxby@oracle.com>
Subject: Re: 6.17 Regression: loading trusted.ko with fips=1 fails due to crypto/testmgr.c: desupport SHA-1 for FIPS 140
Date: Sat, 4 Oct 2025 23:16:13 -0400 [thread overview]
Message-ID: <20251005031613.GE386127@mit.edu> (raw)
In-Reply-To: <20251004232451.GA68695@quark>
On Sat, Oct 04, 2025 at 04:24:51PM -0700, Eric Biggers wrote:
> But for future reference, if the people doing FIPS certifications of the
> whole kernel actually determine that a particular kernel feature(s) that
> use SHA-1 *must* be disabled when fips_enabled=1, then of course they'll
> need to do that properly by submitting a tested and well-justified patch
> for each feature that carefully disables the correct functionality.
There's a hidden philosopical question here, which is whether "FIPS
certification of the whole kernel" is actually a good thing.
Personally, I don't think it is, but if booting with fips=1 neuters a
whole bunch of kernel features, and that is considered "working as
intended", to the extent that it discourages the use of FIPS mode,
maybe it's not such a bad thing. :-)
But with that said, I suspect one of the things that distributions
might find useful is per-kernel subsystem fips enablement. (e.g.,
dm_crypt.fips=1 which might make a whole bunch of existing users' file
systems become useless, precepitating a whole bunch of angry inquiries
to the distrobution's help desk, but maybe a particular user only needs
ipsec.fips=1)
- Ted
next prev parent reply other threads:[~2025-10-05 3:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-21 12:55 [PATCH] crypto/testmgr.c: desupport SHA-1 for FIPS 140 Vegard Nossum
2025-06-13 9:35 ` Herbert Xu
2025-10-04 3:00 ` 6.17 Regression: loading trusted.ko with fips=1 fails due to " Jon Kohler
2025-10-04 6:43 ` Vegard Nossum
2025-10-04 14:58 ` Jon Kohler
2025-10-04 23:24 ` Eric Biggers
2025-10-05 3:16 ` Theodore Ts'o [this message]
2025-10-05 7:29 ` Vegard Nossum
2025-10-05 22:10 ` Theodore Ts'o
2025-10-06 10:44 ` Vegard Nossum
2025-10-06 15:48 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251005031613.GE386127@mit.edu \
--to=tytso@mit.edu \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarod@redhat.com \
--cc=john.haxby@oracle.com \
--cc=jon@nutanix.com \
--cc=linux-crypto@vger.kernel.org \
--cc=meissner@suse.de \
--cc=nhorman@tuxdriver.com \
--cc=smueller@chronox.de \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.