From: Eric Biggers <ebiggers@kernel.org>
To: Hangbin Liu <liuhangbin@gmail.com>
Cc: netdev@vger.kernel.org, "Jason A . Donenfeld" <Jason@zx2c4.com>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode
Date: Thu, 8 Apr 2021 08:11:34 -0700 [thread overview]
Message-ID: <YG8dJpEEWP3PxUIm@sol.localdomain> (raw)
In-Reply-To: <20210408115808.GJ2900@Leo-laptop-t470s>
On Thu, Apr 08, 2021 at 07:58:08PM +0800, Hangbin Liu wrote:
> On Thu, Apr 08, 2021 at 09:06:52AM +0800, Hangbin Liu wrote:
> > > Also, couldn't you just consider WireGuard to be outside your FIPS module
> > > boundary, which would remove it from the scope of the certification?
> > >
> > > And how do you handle all the other places in the kernel that use ChaCha20 and
> > > SipHash? For example, drivers/char/random.c?
> >
> > Good question, I will check it and reply to you later.
>
> I just read the code. The drivers/char/random.c do has some fips specific
> parts(seems not related to crypto). After commit e192be9d9a30 ("random: replace
> non-blocking pool with a Chacha20-based CRNG") we moved part of chacha code to
> lib/chacha20.c and make that code out of control.
>
So you are saying that you removed drivers/char/random.c and lib/chacha20.c from
your FIPS module boundary? Why not do the same for WireGuard?
- Eric
next prev parent reply other threads:[~2021-04-08 15:11 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-07 11:39 [PATCH net-next] [RESEND] wireguard: disable in FIPS mode Hangbin Liu
2021-04-07 21:12 ` Eric Biggers
2021-04-08 1:06 ` Hangbin Liu
2021-04-08 11:58 ` Hangbin Liu
2021-04-08 15:11 ` Eric Biggers [this message]
2021-04-09 2:11 ` Hangbin Liu
2021-04-09 7:08 ` Stephan Mueller
2021-04-09 8:08 ` Hangbin Liu
2021-04-09 16:26 ` Simo Sorce
2021-04-09 18:29 ` Jason A. Donenfeld
2021-04-12 2:11 ` Hangbin Liu
2021-04-07 21:15 ` Jason A. Donenfeld
2021-04-08 6:52 ` Hangbin Liu
2021-04-08 7:36 ` Ondrej Mosnacek
2021-04-08 13:55 ` Simo Sorce
2021-04-08 21:55 ` Jason A. Donenfeld
2021-04-08 22:16 ` Simo Sorce
2021-04-09 2:41 ` Hangbin Liu
2021-04-09 2:44 ` Jason A. Donenfeld
2021-04-09 2:49 ` Hangbin Liu
2021-04-09 3:03 ` Jason A. Donenfeld
2021-04-09 6:02 ` Ard Biesheuvel
2021-04-09 12:47 ` Simo Sorce
2021-04-09 18:36 ` Jason A. Donenfeld
2021-04-09 18:56 ` Simo Sorce
2021-04-12 12:46 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YG8dJpEEWP3PxUIm@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=liuhangbin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=toke@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).