[PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode

Next message: Nathan Chancellor: "Re: [PATCH v1 4/8] ACPI: x86/rtc-cmos: Use platform device for driver binding"
Previous message: zhidao su: "[PATCH] sched_ext: Use READ_ONCE() for plain reads of scx_watchdog_timeout"
Next in thread: Christoph Hellwig: "Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joachim Vandersmissen

Date: Tue Mar 03 2026 - 01:06:03 EST

xxhash64 is not a cryptographic hash algorithm, but is offered in the
same API (shash) as actual cryptographic hash algorithms such as
SHA-256. The Cryptographic Module Validation Program (CMVP), managing
FIPS certification, believes that this could cause confusion. xxhash64
must therefore be blocked in FIPS mode.

The only usage of xxhash64 in the kernel is btrfs. Commit fe11ac191ce0
("btrfs: switch to library APIs for checksums") recently modified the
btrfs code to use the lib/crypto API, avoiding the Kernel Cryptographic
API. Consequently, the removal of xxhash64 from the Crypto API in FIPS
mode should now have no impact on btrfs usage.

Signed-off-by: Joachim Vandersmissen <git@xxxxxxxxx>
---
crypto/testmgr.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 49b607f65f63..d7475d6000dd 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5609,7 +5609,6 @@ static const struct alg_test_desc alg_test_descs[] = {
#endif
.alg = "xxhash64",
.test = alg_test_hash,
- .fips_allowed = 1,
.suite = {
.hash = __VECS(xxhash64_tv_template)
}
--
2.53.0