Date: Wed, 7 Apr 2021 14:12:27 -0700
From: Eric Biggers
To: Hangbin Liu
Cc: netdev@vger.kernel.org, "Jason A. Donenfeld", Toke Høiland-Jørgensen, Jakub Kicinski, Ondrej Mosnacek, linux-crypto@vger.kernel.org
Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode
References: <20210407113920.3735505-1-liuhangbin@gmail.com>
In-Reply-To: <20210407113920.3735505-1-liuhangbin@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Apr 07, 2021 at 07:39:20PM +0800, Hangbin Liu wrote:
> As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> FIPS certified, the WireGuard module should be disabled in FIPS mode.
>
> Signed-off-by: Hangbin Liu

I think you mean "FIPS allowed", not "FIPS certified"? Even if it used FIPS
allowed algorithms like AES, the Linux kernel doesn't come with any sort of FIPS
certification out of the box.

Also, couldn't you just consider WireGuard to be outside your FIPS module
boundary, which would remove it from the scope of the certification?

And how do you handle all the other places in the kernel that use ChaCha20 and
SipHash? For example, drivers/char/random.c?

- Eric