Re: 6.17 crashes in ipv6 code when booted fips=1 [was: [GIT PULL] Crypto Update for 6.17]

From: Vegard Nossum

Date: Mon Oct 06 2025 - 12:32:41 EST



On 06/10/2025 18:19, Linus Torvalds wrote:
> On Mon, 6 Oct 2025 at 04:53, Vegard Nossum <vegard.nossum@xxxxxxxxxx> wrote:
>>
>> I'm pretty sure the use of SHA-1/HMAC inside IPv6 segment routing counts
>> as a "security function" (as it is used for message authentication) and
>> thus should be subject to FIPS requirements when booting with fips=1.
>
> I think the other way of writing that is "fips=1 is and will remain
> irrelevant in the real world as long as it's that black-and-white".

Okay, so I get that we don't like fips=1 around here (I'm not a
particularly big fan myself), but what's with the snark? fips=1 exists
in mainline and obviously has users. I'm just trying to make sure it
remains useful and usable. Otherwise we're going back to the
jitterentropy situation where every distro has their own downstream
patches to pass FIPS certification. Is that what you want?

Confused,


Vegard
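The argument above turns on whether a kernel booted with fips=1 actually refuses hmac(sha1) to its in-kernel users. The following script is an added example, not code from this thread or from the kernel tree: it reads the real sysctl /proc/sys/crypto/fips_enabled and then asks the kernel crypto API for a hash transform by name through an AF_ALG socket, which is the same by-name lookup an in-kernel caller performs. The algorithm list, the inclusion of hmac(sha256) as a comparison, and the verdict strings are this example's own choices, not anything the mail states.

```python
"""Check whether the running kernel is in FIPS mode and whether the
hash the mail discusses, hmac(sha1), can still be allocated from it.

Added example (not from the thread or the kernel tree).  It uses two
public Linux interfaces: the sysctl /proc/sys/crypto/fips_enabled and
an AF_ALG socket bind, which requests a transform by name from the
kernel crypto API.  Algorithm names and verdict strings are this
example's own choices.
"""
import errno
import socket

FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"   # real path on Linux


def parse_fips_flag(text):
    """Interpret the sysctl contents: "1\\n" means fips=1 took effect."""
    return text.strip() == "1"


def read_fips_enabled(path=FIPS_SYSCTL):
    """True only if the kernel reports FIPS mode.  A missing file
    (non-Linux, or a kernel without CONFIG_CRYPTO_FIPS) counts as off."""
    try:
        with open(path) as f:
            return parse_fips_flag(f.read())
    except OSError:
        return False


def probe_hash(alg_name):
    """Ask the kernel for a hash transform by name via AF_ALG.

    Returns (True, 0) if the kernel handed one out, else (False, errno).
    From user space an algorithm the kernel refuses to hand out looks the
    same as one it does not have at all, so the errno is reported as-is.
    """
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:                       # not Linux
        return (False, errno.EAFNOSUPPORT)
    try:
        with socket.socket(af_alg, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("hash", alg_name))
        return (True, 0)
    except OSError as e:
        return (False, e.errno)


def classify(fips_enabled, probe_ok):
    """Pure decision table, so the outcome is testable without a kernel."""
    if not fips_enabled:
        return "non-fips: no restriction expected"
    if probe_ok:
        return "fips=1 but algorithm allocatable: FIPS restriction not enforced for it"
    return "fips=1 and algorithm refused: callers must handle allocation failure"


def report(algs=("hmac(sha1)", "hmac(sha256)")):
    """Probe each algorithm.  hmac(sha256) is a constructed comparison
    entry that FIPS mode is expected to permit; hmac(sha1) is the one
    the mail names."""
    fips = read_fips_enabled()
    results = {}
    for alg in algs:
        ok, err = probe_hash(alg)
        results[alg] = (ok, err, classify(fips, ok))
    return fips, results


if __name__ == "__main__":
    fips, results = report()
    print(f"fips_enabled={int(fips)}")
    for alg, (ok, err, verdict) in results.items():
        status = "ok" if ok else errno.errorcode.get(err, str(err))
        print(f"{alg:14s} bind={status:12s} {verdict}")
```

Run it once on a normal boot and once with fips=1 on the same kernel: the interesting row is hmac(sha1) changing from bind=ok to a failed bind, which is exactly the allocation failure any in-kernel user of that transform must be prepared to see.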