From: Stephan Mueller
To: Nicolai Stange, Herbert Xu
Cc: "David S. Miller", Hannes Reinecke, Torsten Duwe, Zaibo Xu, Giovanni Cabiddu, David Howells, Jarkko Sakkinen, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, qat-linux@intel.com, keyrings@vger.kernel.org, simo@redhat.com, Eric Biggers, Petr Vorel
Subject: Re: [v2 PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)
Date: Fri, 14 Jan 2022 13:35:12 +0100
Message-ID: <1765621.jvH33SIsIh@tauon.chronox.de>
References: <20211209090358.28231-1-nstange@suse.de> <87k0f2hefl.fsf@suse.de>

On Friday, 14 January 2022, 11:55:26 CET, Herbert Xu wrote:

Hi Herbert,

> > On an unrelated note, this will break trusted_key_tpm_ops->init() in
> > FIPS mode, because trusted_shash_alloc() would fail to get a hold of
> > sha1. AFAICT, this could potentially make the init_trusted() module_init
> > to fail, and, as encrypted-keys.ko imports key_type_trusted, prevent the
> > loading of that one as well. Not sure that's desired...
>
> Well if sha1 is supposed to be forbidden in FIPS mode why should

SHA-1 is approved in all use cases except signatures.

Ciao
Stephan