[PATCHv2 0/1] fips-allowed tests fail with non-FIPS ciphers

Hello All,

"Make fips=1 work on 4.1", they said, wittily, "it'll be easy."

I suppose it wasn't that complicated, although I seem to be unearthing
other problems as I go along.  The first problem was dracut (and I owe
an upstream patch for that) and the second problem was tcrypt.

The tcrypt module was failing on authenc ciphers that wrap non-FIPS
ciphers and hashes.  These ones in fact:

    authenc(hmac(md5),ecb(cipher_null))
    authenc(hmac(sha1),cbc(des))
    authenc(hmac(sha1),ecb(cipher_null))
    authenc(hmac(sha224),cbc(des))
    authenc(hmac(sha256),cbc(des))
    authenc(hmac(sha384),cbc(des))
    authenc(hmac(sha512),cbc(des))

Stephan Mueller pointed out that no authenc() ciphers are FIPS
approved and that ecb(des) also managed to get .fips_approved set.
The following patch removes fips_allowed for all those patches.

Again, Stephan pointed out that ansi_cprng will need to be taken off
the allowed list at the end of the year.  This patch doesn't pre-empt
that.

jch

John Haxby (1):
  Disable fips-allowed for authenc() and des() ciphers

 crypto/testmgr.c | 16 ----------------
 1 file changed, 16 deletions(-)

-- 
2.4.3
