Hi Stephan, On 8/17/16, 9:57 AM, "Stephan Mueller" <smueller@xxxxxxxxxx> wrote: >Am Mittwoch, 17. August 2016, 14:52:32 CEST schrieb Tapas Sarangi: > >Hi Tapas, > >(please, do not top-post) DNT, Sorry. > >> Hi Stephan, >> >> Yes, can you give me some more detail about your findings on dracut-fips >> !? This seems to be the major difference between our test environments >> where a bunch of algorithms are failing self-test during boot with >>fips=1. > >cmac must be statically compiled as otherwise dracut-fips does not find >it (it >misses it in the module list). > >The authenc() cipher must not be compiled as somehow the modprobe in >dracut- >fips does not find some components -- I am not sure what the issue is >yet. I >even have compiled all parts forming an authenc cipher (authenc, hmac, >the >hashes, the block chaining modes, the symmetric ciphers) to be bound into >the >kernel statically. But still, something is not found by the tcrypt module >in >dracut-fips. Is that all the authenc() ciphers, or only some of them ? In my patch where I had disabled .fips_allowed are mostly authenc() ciphers with cbc(des3_ede) algo. Not all the authenc() ciphers were needed to be disabled, but some. For your XTS related findings and patches, are they going to 4.8 or 4.9 ? Thanks -Tapas ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html