Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode

Next message: Herbert Xu: "Re: [PATCH v3 1/2] dt-bindings: crypto: inside-secure,safexcel: add compatible for MT7981"
Previous message: Herbert Xu: "Re: [PATCH] crypto: tcrypt: stop ahash speed tests when setkey fails"
Next in thread: Joachim Vandersmissen: "Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Herbert Xu

Date: Sat Mar 14 2026 - 01:12:45 EST

On Tue, Mar 03, 2026 at 12:05:09AM -0600, Joachim Vandersmissen wrote:
> xxhash64 is not a cryptographic hash algorithm, but is offered in the
> same API (shash) as actual cryptographic hash algorithms such as
> SHA-256. The Cryptographic Module Validation Program (CMVP), managing
> FIPS certification, believes that this could cause confusion. xxhash64
> must therefore be blocked in FIPS mode.
>
> The only usage of xxhash64 in the kernel is btrfs. Commit fe11ac191ce0
> ("btrfs: switch to library APIs for checksums") recently modified the
> btrfs code to use the lib/crypto API, avoiding the Kernel Cryptographic
> API. Consequently, the removal of xxhash64 from the Crypto API in FIPS
> mode should now have no impact on btrfs usage.
>
> Signed-off-by: Joachim Vandersmissen <git@xxxxxxxxx>
> ---
> crypto/testmgr.c | 1 -
> 1 file changed, 1 deletion(-)

Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt