From: Eric Biggers <ebiggers@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Wang, Jay" <wanjay@amazon.com>,
Nicolai Stange <nstange@suse.com>,
Vladis Dronov <vdronov@redhat.com>,
Stephan Mueller <smueller@chronox.de>,
Sami Tolvanen <samitolvanen@google.com>,
linux-modules@vger.kernel.org,
Vijaykumar Hegde <vijaykumar.hegde@oracle.com>,
Sriharsha Yadagudde <sriharsha.devdas@oracle.com>,
Sumit Garg <sumit.garg@linaro.org>,
Jarkko Sakkinen <jarkko@kernel.org>
Subject: Re: [PATCH RFC 006/104] KEYS: trusted: eat -ENOENT from the crypto API
Date: Thu, 4 Sep 2025 20:37:30 +0000 [thread overview]
Message-ID: <20250904203730.GC854551@google.com> (raw)
In-Reply-To: <CAHk-=wizcBV_yos1SZW9Zty7960TCeEE1t2qE_Wmm8CMoim60Q@mail.gmail.com>
On Thu, Sep 04, 2025 at 01:22:32PM -0700, Linus Torvalds wrote:
> On Thu, 4 Sept 2025 at 13:05, Vegard Nossum <vegard.nossum@oracle.com> wrote:
> >
> > However, since commit 9d50a25eeb05c ("crypto: testmgr - desupport SHA-1
> > for FIPS 140") when booting with fips=1, the SHA-1 algorithm (or anything
> > that uses it, like HMAC-SHA-1) will be unavailable.
> >
> > security/keys/trusted-keys/trusted_tpm1.c is hard-coded to use SHA-1 and
> > will fail with -ENOENT when attempting to initialize the hash instance
> > using the crypto API _if_ the hardware is available. This in turn causes
> > the entire trusted.ko to fail to load.
>
> Oh Christ.
>
> Can we please just make that trusted_tpm1.c code use the sha1 library
> code directly instead of going through the crypto layer to get it?
> That would presumably neatly avoid the whole issue.
>
> Eric - I haven't looked at how painful it is to just do conversions
> like that - I assume it's a boilerplate thing and trivial to do if
> you've one one. Please?
I already got to this one:
https://lore.kernel.org/r/20250809171941.5497-3-ebiggers@kernel.org/
And yes, as usual it's much simpler:
2 files changed, 36 insertions(+), 190 deletions(-)
(And faster too, since the library APIs have much less overhead.)
Jarkko is taking it for 6.18, I believe.
- Eric
next prev parent reply other threads:[~2025-09-04 20:37 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-04 15:50 [RFC] crypto: support for a standalone FIPS 140 module Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 001/104] params: use arch_initcall to initialize params sysfs earlier Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 002/104] Revert "Revert "crypto: shash - avoid comparing pointers to exported functions under CFI"" Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 003/104] crypto/jitterentropy: remove linux/fips.h include Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 004/104] crypto: api - Disallow identical template names Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 005/104] crypto: hide crypto_default_rng variable Vegard Nossum
2025-09-11 5:48 ` Herbert Xu
2025-09-04 15:50 ` [PATCH RFC 006/104] KEYS: trusted: eat -ENOENT from the crypto API Vegard Nossum
2025-09-04 20:22 ` Linus Torvalds
2025-09-04 20:37 ` Eric Biggers [this message]
2025-09-04 15:50 ` [PATCH RFC 007/104] testmgr: standardize alg/driver output in logs Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 008/104] arch/x86/boot/string.h: override memmove()/strlen() Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 009/104] certs/system_keyring: export restrict_link_by_builtin_*trusted Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 010/104] crypto/testmgr: make fips_allowed a bit set Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 011/104] crypto/testmgr: mark non-crypto algorithms Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 012/104] crypto/algapi: don't init algapi in fips mode Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 013/104] crypto/algapi.c: disable crypto_check_module_sig() for FIPS module Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 014/104] crypto/testmgr: add helper to alg_test() Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 015/104] crypto: pass struct crypto_alg directly " Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 016/104] crypto: alg - add CRYPTO_ALG_FIPS_PROVIDED flag Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 017/104] crypto: testmgr: check that we got the expected alg Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 018/104] crypto: make sure crypto_alg_tested() finds the correct algorithm Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 019/104] module: add load_module_mem() helper Vegard Nossum
2025-09-29 9:47 ` Petr Pavlu
2025-09-04 15:50 ` [PATCH RFC 020/104] module: add a mechanism for pluggable crypto APIs Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 021/104] crypto: fips140: include crypto/api.h in a few places Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 022/104] crypto: fips140: convert lib/crypto/aes.c to using crypto API wrappers Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 023/104] crypto: fips140: convert lib/crypto/aesgcm.c " Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 024/104] crypto: fips140: convert lib/crypto/gf128mul.c " Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 025/104] crypto: fips140: convert lib/crypto/memneq.c " Vegard Nossum
2025-09-04 15:50 ` [PATCH RFC 026/104] crypto: fips140: convert lib/crypto/sha256.c " Vegard Nossum
2025-09-04 21:29 ` Eric Biggers
2025-09-04 15:50 ` [PATCH RFC 027/104] crypto: fips140: convert lib/crypto/sha512.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 028/104] crypto: fips140: convert lib/crypto/utils.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 029/104] crypto: fips140: convert crypto/aead.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 030/104] crypto: fips140: convert crypto/aes_generic.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 031/104] crypto: fips140: convert crypto/ahash.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 032/104] crypto: fips140: convert crypto/akcipher.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 033/104] crypto: fips140: convert crypto/algapi.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 034/104] crypto: fips140: convert crypto/algboss.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 035/104] crypto: fips140: convert crypto/api.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 036/104] crypto: fips140: convert crypto/authenc.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 037/104] crypto: fips140: convert crypto/authencesn.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 038/104] crypto: fips140: convert crypto/cbc.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 039/104] crypto: fips140: convert crypto/ccm.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 040/104] crypto: fips140: convert crypto/cipher.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 041/104] crypto: fips140: convert crypto/cmac.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 042/104] crypto: fips140: convert crypto/cryptd.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 043/104] crypto: fips140: convert crypto/ctr.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 044/104] crypto: fips140: convert crypto/dh.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 045/104] crypto: fips140: convert crypto/dh_helper.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 046/104] crypto: fips140: convert crypto/drbg.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 047/104] crypto: fips140: convert crypto/ecb.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 048/104] crypto: fips140: convert crypto/ecc.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 049/104] crypto: fips140: convert crypto/ecdh.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 050/104] crypto: fips140: convert crypto/ecdh_helper.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 051/104] crypto: fips140: convert crypto/ecdsa.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 052/104] crypto: fips140: convert crypto/echainiv.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 053/104] crypto: fips140: convert crypto/essiv.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 054/104] crypto: fips140: convert crypto/gcm.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 055/104] crypto: fips140: convert crypto/geniv.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 056/104] crypto: fips140: convert crypto/ghash-generic.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 057/104] crypto: fips140: convert crypto/hmac.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 058/104] crypto: fips140: convert crypto/jitterentropy-kcapi.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 059/104] crypto: fips140: convert crypto/kpp.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 060/104] crypto: fips140: convert crypto/lskcipher.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 061/104] crypto: fips140: convert crypto/pcrypt.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 062/104] crypto: fips140: convert crypto/rng.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 063/104] crypto: fips140: convert crypto/rsa.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 064/104] crypto: fips140: convert crypto/rsa_helper.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 065/104] crypto: fips140: convert crypto/seqiv.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 066/104] crypto: fips140: convert crypto/sha1.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 067/104] crypto: fips140: convert crypto/sha256.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 068/104] crypto: fips140: convert crypto/sha3_generic.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 069/104] crypto: fips140: convert crypto/sha512.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 070/104] crypto: fips140: convert crypto/shash.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 071/104] crypto: fips140: convert crypto/sig.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 072/104] crypto: fips140: convert crypto/simd.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 073/104] crypto: fips140: convert crypto/skcipher.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 074/104] crypto: fips140: convert crypto/tcrypt.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 075/104] crypto: fips140: convert crypto/testmgr.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 076/104] crypto: fips140: convert crypto/xts.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 077/104] crypto: fips140: convert crypto/asymmetric_keys/asymmetric_type.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 078/104] crypto: fips140: convert crypto/asymmetric_keys/pkcs7_key_type.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 079/104] crypto: fips140: convert crypto/asymmetric_keys/pkcs7_parser.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 080/104] crypto: fips140: convert crypto/asymmetric_keys/pkcs7_trust.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 081/104] crypto: fips140: convert crypto/asymmetric_keys/pkcs7_verify.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 082/104] crypto: fips140: convert crypto/asymmetric_keys/pkcs8_parser.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 083/104] crypto: fips140: convert crypto/asymmetric_keys/public_key.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 084/104] crypto: fips140: convert crypto/asymmetric_keys/selftest.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 085/104] crypto: fips140: convert crypto/asymmetric_keys/signature.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 086/104] crypto: fips140: convert crypto/asymmetric_keys/x509_cert_parser.c " Vegard Nossum
2025-09-04 15:51 ` [PATCH RFC 087/104] crypto: fips140: convert crypto/asymmetric_keys/x509_loader.c " Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 088/104] crypto: fips140: convert crypto/asymmetric_keys/x509_public_key.c " Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 089/104] crypto: fips140: manual fixups for include/keys/asymmetric-type.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 090/104] crypto: fips140: manual fixups for include/crypto/sha2.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 091/104] crypto: fips140: manual fixups for include/crypto/public_key.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 092/104] crypto: fips140: manual fixups for include/crypto/aes.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 093/104] crypto: fips140: manual fixups for crypto/internal.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 094/104] crypto: fips140: manual fixups for include/crypto/internal/ecc.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 095/104] crypto: fips140: manual fixups for include/crypto/internal/rsa.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 096/104] crypto: fips140: manual fixups for include/crypto/aes.h Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 097/104] crypto: fips140: manual fixups for lib/crypto/sha256.c Vegard Nossum
2025-09-04 21:35 ` Eric Biggers
2025-09-04 22:20 ` Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 098/104] crypto: fips140: manual fixups for lib/crypto/sha512.c Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 099/104] crypto: fips140: add symlinks to kernel sources Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 100/104] crypto: fips140: add standalone FIPS 140 module Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 101/104] crypto: fips140: add FIPS 140 module loader Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 102/104] scripts/extract-fips140: new script Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 103/104] Documentation/crypto: add fips140.rst Vegard Nossum
2025-09-04 22:14 ` Randy Dunlap
2025-09-04 22:28 ` Vegard Nossum
2025-09-04 15:52 ` [PATCH RFC 104/104] MAINTAINERS: add myself as FIPS140 standalone module maintainer Vegard Nossum
2025-09-11 5:53 ` [RFC] crypto: support for a standalone FIPS 140 module Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250904203730.GC854551@google.com \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=nstange@suse.com \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
--cc=sriharsha.devdas@oracle.com \
--cc=sumit.garg@linaro.org \
--cc=torvalds@linux-foundation.org \
--cc=vdronov@redhat.com \
--cc=vegard.nossum@oracle.com \
--cc=vijaykumar.hegde@oracle.com \
--cc=wanjay@amazon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).