On Wed, Dec 23, 2020 at 3:17 PM Petr Tesarik <ptesarik@xxxxxxx> wrote:
> Upfront, let me admit that SUSE has a vested interest in a FIPS-certifiable Linux kernel.

Sorry, but just because you have a "vested interest", or a financial interest, or because you want it does not suddenly make it a good idea. The idea is to have good crypto, not to merely check some boxes for the bean counters.

For example, it's very unlikely that future kernel RNGs will move to using AES, due to the performance overhead involved on non-table-based implementations, and the lack of availability of FPU/AES-NI in all the contexts we need. NT's fortuna machine can use AES, because NT allows the FPU in all contexts. We don't have that luxury (or associated performance penalty).

I would, however, be interested in a keccak-based construction. But just using the keccak permutation does not automatically make it "SHA-3", so we're back at the same issue again.

FIPS is simply not interesting for our requirements.

Jason