[PATCH] crypto: testmgr - block Crypto API xxhash64 in FIPS mode
Joachim Vandersmissen
git at jvdsn.com
Sat Mar 14 17:43:15 PDT 2026
Hi Herbert,
I don't think this one can be applied yet since dm-integrity still uses
xxhash64 through the crypto API. This would break fips=1 systems that
use it.
Kind regards,
Joachim
On 3/14/26 12:11 AM, Herbert Xu wrote:
> On Tue, Mar 03, 2026 at 12:05:09AM -0600, Joachim Vandersmissen wrote:
>> xxhash64 is not a cryptographic hash algorithm, but is offered in the
>> same API (shash) as actual cryptographic hash algorithms such as
>> SHA-256. The Cryptographic Module Validation Program (CMVP), managing
>> FIPS certification, believes that this could cause confusion. xxhash64
>> must therefore be blocked in FIPS mode.
>>
>> The only usage of xxhash64 in the kernel is btrfs. Commit fe11ac191ce0
>> ("btrfs: switch to library APIs for checksums") recently modified the
>> btrfs code to use the lib/crypto API, avoiding the Kernel Cryptographic
>> API. Consequently, the removal of xxhash64 from the Crypto API in FIPS
>> mode should now have no impact on btrfs usage.
>>
>> Signed-off-by: Joachim Vandersmissen <git at jvdsn.com>
>> ---
>> crypto/testmgr.c | 1 -
>> 1 file changed, 1 deletion(-)
> Patch applied. Thanks.
More information about the linux-arm-kernel
mailing list