Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp662933pxb;
        Fri, 14 Jan 2022 13:29:26 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyJbVqcrSy5KoTUgZhNf+CVH0vdN7n7g2hijJl8vKWAzPFOw5w/w3ctmIk0e2G9AcCfUuoz
X-Received: by 2002:aa7:8481:0:b0:4bf:4e1:c93c with SMTP id u1-20020aa78481000000b004bf04e1c93cmr10747363pfn.7.1642195766702;
        Fri, 14 Jan 2022 13:29:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1642195766; cv=none;
        d=google.com; s=arc-20160816;
        b=cLsfJ0NetRPDhYFCp1gr1X+LsJL1P5HabFtgUU1DJyyULaWemXGJgobL7uDtIdJ47M
         V9/113uistbylPGUTKc31vdmk818KkVst4xbvC3EDfcmHa6Na5nCuYQeouyMthdNXBO+
         aLcTHe+XO53ypzaEM/vbVmeBiabK1VxiNWXoQClYIDLQS3TM1VY+0GVgzsmexA++28Ix
         6aTs1H925m3aYWJ2q78PAR5Xcy30nmUmIPqMichj7JeJlxj0ZHQ4fznkr80FeWSmwsV6
         RTErs9MwSvLyPiL9LJtlSsSbdHLiyHOKqhM9c3KfTdHdSdiv/uxjx3WyzOhatytfqYjL
         fXJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=MVCvrZ0qGCj7cjjsy9nHGn6+Uf8Jvh4gB/rTb3Zx58g=;
        b=tZKsNiVQz6paZcczELWeJay65elwxtJ80T+1yg4JE+GfdIxvuZi1iu7vULunWkKv9l
         YKouIUWbT6OGZrqFm/3SC71qCuPmkY2VkNg7aszYJwM2G/l7T3qpzlpzbtLZneXmKHFP
         OI8KrHYyM/mScW1/Tpjx950k09C94qCZyTm4pEJkU/pW+G+grCjPkOrF1UByCYU+sCo3
         Y2yuwgrLz2oReGYejvqN3+AJlrEqxhtrBHD4e9qqEBwpM0ybLKm9BQeCi7SWMmDcSIVG
         uvLkS73vx7OvciX5/DIVkq8kJZHZKC9Ag9D1XpuLOx7Jw005QngLzhB67pSDspIOAPt2
         u45g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chronox.de header.s=strato-dkim-0002 header.b=GLqvNwS8;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w3si6405323plq.204.2022.01.14.13.29.14;
        Fri, 14 Jan 2022 13:29:26 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chronox.de header.s=strato-dkim-0002 header.b=GLqvNwS8;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232580AbiANMfZ (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Fri, 14 Jan 2022 07:35:25 -0500
Received: from mo4-p01-ob.smtp.rzone.de ([85.215.255.53]:35303 "EHLO
        mo4-p01-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230379AbiANMfZ (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 14 Jan 2022 07:35:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1642163714;
    s=strato-dkim-0002; d=chronox.de;
    h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Cc:Date:
    From:Subject:Sender;
    bh=MVCvrZ0qGCj7cjjsy9nHGn6+Uf8Jvh4gB/rTb3Zx58g=;
    b=GLqvNwS8sx2IgnDr1NV+of4whcVgYUV4hmtHLDlb51qDBaTRLB8sZ3W63MOr7alBt3
    0vzrvMM9GS751bybgNyCnxQ9sdZsAxf8QbbK5OyLlLgpXIRGIh0zC8ZVEsusLVzWyu8h
    ZJG0SgafDI2fwr5NM7NOJ0QjguTEwwu030J/+RM3c82+Qry3I9Kp4Q0q/Ls9+Oetvwe+
    342tdS5baH7DDH87cfkztcBE0xAe3s4H2PPuve6nd9k0Y7G2l7zT9V/kgGySkYHLYIfR
    dS16rBXjTWaB/VJoVkG8tC5VbReK0etf3Ihm067OPDZL0L5O7ToBfVfLyT5mWi29OhE1
    4wAw==
Authentication-Results: strato.com;
    dkim=none
X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9xmwdNnzGHXPbL/ScDv37"
X-RZG-CLASS-ID: mo00
Received: from tauon.chronox.de
    by smtp.strato.de (RZmta 47.37.6 DYNA|AUTH)
    with ESMTPSA id t60e2cy0ECZDZEJ
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits))
        (Client did not present a certificate);
    Fri, 14 Jan 2022 13:35:13 +0100 (CET)
From:   Stephan Mueller <smueller@chronox.de>
To:     Nicolai Stange <nstange@suse.de>,
        Herbert Xu <herbert@gondor.apana.org.au>
Cc:     "David S. Miller" <davem@davemloft.net>,
        Hannes Reinecke <hare@suse.de>, Torsten Duwe <duwe@suse.de>,
        Zaibo Xu <xuzaibo@huawei.com>,
        Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
        David Howells <dhowells@redhat.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        qat-linux@intel.com, keyrings@vger.kernel.org, simo@redhat.com,
        Eric Biggers <ebiggers@kernel.org>, Petr Vorel <pvorel@suse.cz>
Subject: Re: [v2 PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)
Date:   Fri, 14 Jan 2022 13:35:12 +0100
Message-ID: <1765621.jvH33SIsIh@tauon.chronox.de>
In-Reply-To: <YeFWnscvXtv73KBl@gondor.apana.org.au>
References: <20211209090358.28231-1-nstange@suse.de> <87k0f2hefl.fsf@suse.de> <YeFWnscvXtv73KBl@gondor.apana.org.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Am Freitag, 14. Januar 2022, 11:55:26 CET schrieb Herbert Xu:

Hi Herbert,

> > On an unrelated note, this will break trusted_key_tpm_ops->init() in
> > FIPS mode, because trusted_shash_alloc() would fail to get a hold of
> > sha1. AFAICT, this could potentially make the init_trusted() module_init
> > to fail, and, as encrypted-keys.ko imports key_type_trusted, prevent the
> > loading of that one as well. Not sure that's desired...
> 
> Well if sha1 is supposed to be forbidden in FIPS mode why should

SHA-1 is approved in all use cases except signatures.

Ciao
Stephan