Hi Hangbin,

On Thu, Apr 8, 2021 at 8:41 PM Hangbin Liu <liuhangbin@xxxxxxxxx> wrote:
> I agree that the best way is to disable the crypto modules in FIPS mode.
> But the code in lib/crypto does not look the same as crypto/. For modules
> in crypto, there is an alg_test() to check if the crypto is FIPS allowed
> when registering.
>
> - crypto_register_alg()
> - crypto_wait_for_test()
> - crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult)
> - cryptomgr_schedule_test()
> - cryptomgr_test()
> - alg_test()
>
> But in lib/crypto the code is more like a library. We can call it anytime
> and there is no register. Maybe we should add a similar check in lib/crypto.
> But I'm not familiar with crypto code... Not sure if anyone in linux-crypto@
> would like to help do that.

Since it's just a normal module library, you can simply do this in the
module_init function, rather than deep within registration abstractions.

> > diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c
> > index 288a62cd29b2..b794f49c291a 100644
> > --- a/lib/crypto/curve25519.c
> > +++ b/lib/crypto/curve25519.c
> > @@ -12,11 +12,15 @@
> > #include <crypto/curve25519.h>
> > #include <linux/module.h>
> > #include <linux/init.h>
> > +#include <linux/fips.h>
> >
> > bool curve25519_selftest(void);
> >
> > static int __init mod_init(void)
> > {
> > + if (!fips_enabled)
> > + return -EOPNOTSUPP;
>
> Question here, why is it !fips_enabled? Shouldn't we return an error when
> fips_enabled?

Er, just not thinking straight today. `if (fips_enabled)` is probably what
you want indeed.

Jason
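Review bot: The condition in the mod_init() hunk is inverted: `if (!fips_enabled) return -EOPNOTSUPP;` refuses to load the curve25519 library whenever FIPS mode is *off*, which is the opposite of the stated goal of disabling it in FIPS mode. It should read `if (fips_enabled)` followed by `return -EOPNOTSUPP;`, as the follow-up in the thread agrees. Also worth noting in the changelog: with this check, a FIPS-mode boot will fail to load this module entirely (modprobe reports the error), so any in-tree user that depends on the library needs to cope with it being absent, and the hunk header advertises four added lines while only three `+` lines are quoted here, so the rest of the hunk should be checked for the same inversion when the patch is re-sent.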