> diff --git a/include/crypto/xts.h b/include/crypto/xts.h ... > @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher > *tfm, > if (keylen % 2) > return -EINVAL; > > + /* > + * In FIPS mode only a combined key length of either 256 or > + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. > + */ > + if (fips_enabled && keylen != 32 && keylen != 64) > + return -EINVAL; > + > /* ensure that the AES and tweak key are not identical */ > if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & > CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && > -- > 2.38.0 There's another function in the same file called xts_check_key() that is used by some of the hardware drivers: arch/s390/crypto/paes_s390.c: * xts_check_key verifies the key length is not odd and makes [that references it in the comment but actually calls xts_verify_key in the code] drivers/crypto/axis/artpec6_crypto.c: ret = xts_check_key(&cipher->base, key, keylen); drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen); drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen); drivers/crypto/ccree/cc_cipher.c: xts_check_key(tfm, key, keylen)) { drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); drivers/crypto/atmel-aes.c: err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); It already has one check qualified by fips_enabled: /* ensure that the AES and tweak key are not identical */ if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) return -EINVAL; Should that implement the same key length restrictions?