Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Stephan,



On 8/17/16, 9:57 AM, "Stephan Mueller" <smueller@xxxxxxxxxx> wrote:

>Am Mittwoch, 17. August 2016, 14:52:32 CEST schrieb Tapas Sarangi:
>
>Hi Tapas,
>
>(please, do not top-post)

DNT, Sorry.

>
>> Hi Stephan,
>>
>> Yes, can you give me some more detail about your findings on dracut-fips
>> !? This seems to be the major difference between our test environments
>> where a bunch of algorithms are failing self-test during boot with
>>fips=1.
>
>cmac must be statically compiled as otherwise dracut-fips does not find
>it (it
>misses it in the module list).
>
>The authenc() cipher must not be compiled as somehow the modprobe in
>dracut-
>fips does not find some components -- I am not sure what the issue is
>yet. I
>even have compiled all parts forming an authenc cipher (authenc, hmac,
>the
>hashes, the block chaining modes, the symmetric ciphers) to be bound into
>the
>kernel statically. But still, something is not found by the tcrypt module
>in
>dracut-fips.

Is that all the authenc() ciphers, or only some of them ? In my patch
where I had disabled .fips_allowed are mostly authenc() ciphers with
cbc(des3_ede) algo. Not all the authenc() ciphers were needed to be
disabled, but some.

For your XTS related findings and patches, are they going to 4.8 or 4.9 ?

Thanks
-Tapas


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux