Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1741332pxb; Mon, 12 Apr 2021 05:48:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwe34PgdFY9NCtSxLWnTXDrzzV5Z74uwso+qdgUiOXPZ7ySsHCX3XmkUoZAEJGEC63VxR/+ X-Received: by 2002:a17:906:2cd1:: with SMTP id r17mr26743739ejr.429.1618231733094; Mon, 12 Apr 2021 05:48:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618231733; cv=none; d=google.com; s=arc-20160816; b=rwwocQDLNqn5S9BCf/5d/CQBRFP2Pwy0dyuianQCryPGh/WMIo/CqCtOGMxMloaJ5Z T583Ua8CjinPZtQDSf8hKex15OWbmNH8ugNRcC7GAU2KWQBs41zcy+CHXQnJieHeptDJ 9IESWawZ2IkQb6r0WZttsAQObJ33xHwabTZcYviEmy2RdIA2B88abDxKJ15L5wjKAugj gCC+1Yu9j7168eo9fe2GAJPuvGAI4EtuiH/RiviU2/Qtp/X20CqI/cEXAqZ4PpzRFlKo E7b0FBr+/FVYp4WgwOJSScS5b50Vr5S1EV+ZJhkmNGaoLqGT4CVCmlzhLUUk6p0YCrtj pILw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=gyRA3eXvjPEiAnUmzzROMJvtjDJt+882R/Pm9YO3IBI=; b=eeuNFQHzr0PQXHfq8iftXOSWrfWCojq967fq9mjDrTycJLwZ1uZo82H7ZPDdZrP3oh a61R3XV3sICEA5aLJak5ES1JzPIwhraAswQQuW8SV6+zrSZ2XB1oWQxS36MJHQjrio+Z JJzxU664Lrs0qmtEuDiwoISq35knnCrR5GK3UblEX+2NYCvigIsFYToB6o7plUmNkNDZ xI61IB9GYXwHfJbKkfCbn2jXUVTqE1qGqp5/+EGflzWju1YPO+QuWTMb6eoRXhPIzfpN N5wXatj0rIi7fJYjJmTNprSiSTrxovCmfhyk7Wh0j1BbK9M8wcOcbg1szJ1+APdZ23Ed ejcg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=O2By6KcI; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m13si7910341edc.258.2021.04.12.05.48.24; Mon, 12 Apr 2021 05:48:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=O2By6KcI; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241375AbhDLMq6 (ORCPT + 99 others); Mon, 12 Apr 2021 08:46:58 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:59664 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241368AbhDLMq6 (ORCPT ); Mon, 12 Apr 2021 08:46:58 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618231600; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gyRA3eXvjPEiAnUmzzROMJvtjDJt+882R/Pm9YO3IBI=; b=O2By6KcIdBvikeSUSv9xjDybrHonKkdGa5IeNQcY5zVQLwLZJNp+nxpBU7143JUeKE2v9+ v4rYfoPySGWEQDfYQB1WHTpoeOCu6+8GU1enPp1yD4NNVvWwZQ/ZKs+Rl6NK4//TLpZA3S Y/8DgcGpnsh31t9O0NwbsfCAs/VItcg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-509-H2Ovd74qMrWeALGVTF0e4Q-1; Mon, 12 Apr 2021 08:46:38 -0400 X-MC-Unique: H2Ovd74qMrWeALGVTF0e4Q-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E15306D252; Mon, 12 Apr 2021 12:46:36 +0000 (UTC) Received: from ovpn-112-53.phx2.redhat.com (ovpn-112-53.phx2.redhat.com [10.3.112.53]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A59646090F; Mon, 12 Apr 2021 12:46:29 +0000 (UTC) Message-ID: <01fae6c3113d454cc009f065fde77f66af9845b6.camel@redhat.com> Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode From: Simo Sorce To: "Jason A. Donenfeld" Cc: Ard Biesheuvel , Hangbin Liu , Netdev , Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgensen?= , Jakub Kicinski , Ondrej Mosnacek , Linux Crypto Mailing List , "herbert.xu" Date: Mon, 12 Apr 2021 08:46:28 -0400 In-Reply-To: <5d6137d0e4ea1d67ee495398f2cb12a1c21653fd.camel@redhat.com> References: <20210407113920.3735505-1-liuhangbin@gmail.com> <20210409024143.GL2900@Leo-laptop-t470s> <20210409024907.GN2900@Leo-laptop-t470s> <0ef180dea02996fc5f4660405f2333220e8ae4c4.camel@redhat.com> <5d6137d0e4ea1d67ee495398f2cb12a1c21653fd.camel@redhat.com> Organization: Red Hat, Inc. Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, 2021-04-09 at 14:56 -0400, Simo Sorce wrote: > Hi Jason, > I can't speak for Hangbin, we do not work for the same company and I > was not aware of his efforts until this patch landed. Turns out I and Hangbin do work for the same company after all. Left hand is meeting right hand internally now. :-D The comments still stand of course. Simo. > For my part we were already looking at big_key, wireguard and other > areas internally, but were not thinking of sending upstream patches > like these w/o first a good assessment with our teams and lab that they > were proper and sufficient. > > > So > > I think either you should send an exhaustive patch series that forbids > > all use of non-FIPS crypto anywhere in the kernel (another example: > > net/core/secure_seq.c) in addition to all tunneling modules that don't > > use FIPS-certified crypto, or figure out how to disable the lib/crypto > > primitives that you want to be disabled in "fips mode". With a > > coherent patchset for either of these, we can then evaluate it. > > Yes a cohesive approach would be ideal, but I do not know if pushing > substantially the same checks we have in the Crypto API down to > lib/crypto is the right way to go, I am not oppose but I guess Herbert > would have to chime in here. > -- Simo Sorce RHEL Crypto Team Red Hat, Inc