On Wed, Apr 07, 2021 at 02:12:27PM -0700, Eric Biggers wrote:
> On Wed, Apr 07, 2021 at 07:39:20PM +0800, Hangbin Liu wrote:
> > As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> > FIPS certified, the WireGuard module should be disabled in FIPS mode.
> >
> > Signed-off-by: Hangbin Liu <liuhangbin@xxxxxxxxx>
>
> I think you mean "FIPS allowed", not "FIPS certified"? Even if it used FIPS
> allowed algorithms like AES, the Linux kernel doesn't come with any sort of FIPS
> certification out of the box.

Yes, you are right.

>
> Also, couldn't you just consider WireGuard to be outside your FIPS module
> boundary, which would remove it from the scope of the certification?
>
> And how do you handle all the other places in the kernel that use ChaCha20 and
> SipHash? For example, drivers/char/random.c?

Good question, I will check it and reply to you later.

Thanks
Hangbin