Message-ID: <3b1ff093-2578-4186-969a-3c70530e57b7@oracle.com>
Date: Mon, 6 Oct 2025 18:32:16 +0200
From: Vegard Nossum <vegard.nossum@...cle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Eric Biggers <ebiggers@...nel.org>, Jiri Slaby <jirislaby@...nel.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        netdev@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>,
        Theodore Ts'o <tytso@....edu>, "nstange@...e.de" <nstange@...e.de>,
        "Wang, Jay" <wanjay@...zon.com>
Subject: Re: 6.17 crashes in ipv6 code when booted fips=1 [was: [GIT PULL]
 Crypto Update for 6.17]


On 06/10/2025 18:19, Linus Torvalds wrote:
> On Mon, 6 Oct 2025 at 04:53, Vegard Nossum <vegard.nossum@...cle.com> wrote:
>>
>> I'm pretty sure the use of SHA-1/HMAC inside IPv6 segment routing counts
>> as a "security function" (as it is used for message authentication) and
>> thus should be subject to FIPS requirements when booting with fips=1.
> 
> I think the other way of writing that is "fips=1 is and will remain
> irrelevant in the real world as long as it's that black-and-white".

Okay, so I get that we don't like fips=1 around here (I'm not a
particularly big fan myself), but what's with the snark? fips=1 exists
in mainline and obviously has users. I'm just trying to make sure it
remains useful and usable. Otherwise we're going back to the
jitterentropy situation where every distro has their own downstream
patches to pass FIPS certification. Is that what you want?

Confused,


Vegard
