> diff --git a/include/crypto/xts.h b/include/crypto/xts.h ... > @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher > *tfm, > if (keylen % 2) > return -EINVAL; > > + /* > + * In FIPS mode only a combined key length of either 256 or > + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. > + */ > + if (fips_enabled && keylen != 32 && keylen != 64) > + return -EINVAL; > + > /* ensure that the AES and tweak key are not identical */ > if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & > CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && > -- > 2.38.0 arch/s390/crypto/aes_s390.c has similar lines: static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, unsigned int key_len) { struct s390_xts_ctx *xts_ctx = crypto_skcipher_ctx(tfm); unsigned long fc; int err; err = xts_fallback_setkey(tfm, in_key, key_len); if (err) return err; /* In fips mode only 128 bit or 256 bit keys are valid */ if (fips_enabled && key_len != 32 && key_len != 64) return -EINVAL; xts_fallback_setkey will now enforce that rule when setting up the fallback algorithm keys, which makes the xts_aes_set_key check unreachable. If that fallback setup were not present, then a call to xts_verify_key might be preferable to enforce any other rules like the WEAK_KEYS rule.