| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3b1ff093-2578-4186-969a-3c70530e57b7@oracle.com>
Date: Mon, 6 Oct 2025 18:32:16 +0200
From: Vegard Nossum <vegard.nossum@...cle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Eric Biggers <ebiggers@...nel.org>, Jiri Slaby <jirislaby@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
netdev@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>,
Theodore Ts'o <tytso@....edu>, "nstange@...e.de" <nstange@...e.de>,
"Wang, Jay" <wanjay@...zon.com>
Subject: Re: 6.17 crashes in ipv6 code when booted fips=1 [was: [GIT PULL]
Crypto Update for 6.17]
On 06/10/2025 18:19, Linus Torvalds wrote:
> On Mon, 6 Oct 2025 at 04:53, Vegard Nossum <vegard.nossum@...cle.com> wrote:
>>
>> I'm pretty sure the use of SHA-1/HMAC inside IPv6 segment routing counts
>> as a "security function" (as it is used for message authentication) and
>> thus should be subject to FIPS requirements when booting with fips=1.
>
> I think the other way of writing that is "fips=1 is and will remain
> irrelevant in the real world as long as it's that black-and-white".
Okay, so I get that we don't like fips=1 around here (I'm not a
particularly big fan myself), but what's with the snark? fips=1 exists
in mainline and obviously has users. I'm just trying to make sure it
remains useful and usable. Otherwise we're going back to the
jitterentropy situation where every distro has their own downstream
patches to pass FIPS certification. Is that what you want?
Confused,
Vegard
Powered by blists - more mailing lists