From: "Jason A. Donenfeld"
Date: Wed, 7 Apr 2021 15:15:51 -0600
Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode
To: Hangbin Liu
Cc: Netdev, Toke Høiland-Jørgensen, Jakub Kicinski, Ondrej Mosnacek, Linux Crypto Mailing List
In-Reply-To: <20210407113920.3735505-1-liuhangbin@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Hangbin,

On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu wrote:
>
> As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> FIPS certified, the WireGuard module should be disabled in FIPS mode.

I'm not sure this makes so much sense to do _in wireguard_. If you feel like the FIPS-allergic part is actually blake, 25519, chacha, and poly1305, then wouldn't it make most sense to disable _those_ modules instead? And then the various things that rely on those (such as wireguard, but maybe there are other things too, like security/keys/big_key.c) would be naturally disabled transitively?

[As an aside, I don't think any of this fips-flag-in-the-kernel makes much sense at all for anything, but that seems like a different discussion, maybe?]

Jason