Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode

Next message: Danilo Krummrich: "Re: [PATCH v2 0/6] rust: io: turn IoCapable into a functional trait"
Previous message: Andrii Kovalchuk: "[PATCH] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk"
In reply to: Herbert Xu: "Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode"
Next in thread: Herbert Xu: "Re: [PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joachim Vandersmissen

Date: Sat Mar 14 2026 - 20:53:17 EST

Hi Herbert,

I don't think this one can be applied yet since dm-integrity still uses xxhash64 through the crypto API. This would break fips=1 systems that use it.

Kind regards,
Joachim

On 3/14/26 12:11 AM, Herbert Xu wrote:

On Tue, Mar 03, 2026 at 12:05:09AM -0600, Joachim Vandersmissen wrote:

xxhash64 is not a cryptographic hash algorithm, but is offered in the
same API (shash) as actual cryptographic hash algorithms such as
SHA-256. The Cryptographic Module Validation Program (CMVP), managing
FIPS certification, believes that this could cause confusion. xxhash64
must therefore be blocked in FIPS mode.

The only usage of xxhash64 in the kernel is btrfs. Commit fe11ac191ce0
("btrfs: switch to library APIs for checksums") recently modified the
btrfs code to use the lib/crypto API, avoiding the Kernel Cryptographic
API. Consequently, the removal of xxhash64 from the Crypto API in FIPS
mode should now have no impact on btrfs usage.

Signed-off-by: Joachim Vandersmissen <git@xxxxxxxxx>
---
crypto/testmgr.c | 1 -
1 file changed, 1 deletion(-)

Patch applied. Thanks.