On Fri, 2021-04-09 at 14:56 -0400, Simo Sorce wrote:
> Hi Jason,
> I can't speak for Hangbin, we do not work for the same company and I
> was not aware of his efforts until this patch landed.
Turns out I and Hangbin do work for the same company after all.
Left hand is meeting right hand internally
On Fri, Apr 09, 2021 at 12:29:42PM -0600, Jason A. Donenfeld wrote:
> On Fri, Apr 9, 2021 at 2:08 AM Hangbin Liu wrote:
> > After offline discussion with Herbert, here is
> > what he said:
> >
> > """
> > This is not a problem in RHEL8 because the Crypto API RNG replaces
> > /dev/random
> > in FI
On Fri, 2021-04-09 at 12:36 -0600, Jason A. Donenfeld wrote:
> On Fri, Apr 9, 2021 at 6:47 AM Simo Sorce wrote:
> > > depends on m || !CRYPTO_FIPS
> > >
> > > but I am a bit concerned that the rather intricate kconfig
> > > dependencies between the generic and arch-optimized versions of those
>
On Fri, Apr 9, 2021 at 6:47 AM Simo Sorce wrote:
> > depends on m || !CRYPTO_FIPS
> >
> > but I am a bit concerned that the rather intricate kconfig
> > dependencies between the generic and arch-optimized versions of those
> > drivers get complicated even further.
>
> Actually this is the opposi
On Fri, Apr 9, 2021 at 2:08 AM Hangbin Liu wrote:
> After offline discussion with Herbert, here is
> what he said:
>
> """
> This is not a problem in RHEL8 because the Crypto API RNG replaces /dev/random
> in FIPS mode.
> """
So far as I can see, this isn't the case in the kernel sources I'm
read
On Fri, 2021-04-09 at 16:08 +0800, Hangbin Liu wrote:
> On Fri, Apr 09, 2021 at 09:08:20AM +0200, Stephan Mueller wrote:
> > > > > > > And how do you handle all the other places in the kernel that use
> > > > > > > ChaCha20 and
> > > > > > > SipHash? For example, drivers/char/random.c?
> > > > > >
On Fri, 2021-04-09 at 08:02 +0200, Ard Biesheuvel wrote:
> On Fri, 9 Apr 2021 at 05:03, Jason A. Donenfeld wrote:
> > On Fri, Apr 09, 2021 at 10:49:07AM +0800, Hangbin Liu wrote:
> > > On Thu, Apr 08, 2021 at 08:44:35PM -0600, Jason A. Donenfeld wrote:
> > > > Since it's just a normal module libra
On Fri, Apr 09, 2021 at 09:08:20AM +0200, Stephan Mueller wrote:
> > > > > > And how do you handle all the other places in the kernel that use
> > > > > > ChaCha20 and
> > > > > > SipHash? For example, drivers/char/random.c?
> > > > >
> > > > > Good question, I will check it and reply to you late
Am Freitag, dem 09.04.2021 um 10:11 +0800 schrieb Hangbin Liu:
> On Thu, Apr 08, 2021 at 08:11:34AM -0700, Eric Biggers wrote:
> > On Thu, Apr 08, 2021 at 07:58:08PM +0800, Hangbin Liu wrote:
> > > On Thu, Apr 08, 2021 at 09:06:52AM +0800, Hangbin Liu wrote:
> > > > > Also, couldn't you just consid
On Fri, 9 Apr 2021 at 05:03, Jason A. Donenfeld wrote:
>
> On Fri, Apr 09, 2021 at 10:49:07AM +0800, Hangbin Liu wrote:
> > On Thu, Apr 08, 2021 at 08:44:35PM -0600, Jason A. Donenfeld wrote:
> > > Since it's just a normal module library, you can simply do this in the
> > > module_init function, r
On Fri, Apr 09, 2021 at 10:49:07AM +0800, Hangbin Liu wrote:
> On Thu, Apr 08, 2021 at 08:44:35PM -0600, Jason A. Donenfeld wrote:
> > Since it's just a normal module library, you can simply do this in the
> > module_init function, rather than deep within registration
> > abstractions.
>
> I did a
On Thu, Apr 08, 2021 at 08:44:35PM -0600, Jason A. Donenfeld wrote:
> Since it's just a normal module library, you can simply do this in the
> module_init function, rather than deep within registration
> abstractions.
I did a try but looks it's not that simple. Not sure if it's because wireguard
c
Hi Hangbin,
On Thu, Apr 8, 2021 at 8:41 PM Hangbin Liu wrote:
> I agree that the best way is to disable the crypto modules in FIPS mode.
> But the code in lib/crypto looks not the same with crypto/. For modules
> in crypto, there is an alg_test() to check if the crypto is FIPS allowed
> when do r
On Thu, Apr 08, 2021 at 03:55:59PM -0600, Jason A. Donenfeld wrote:
> On Thu, Apr 8, 2021 at 7:55 AM Simo Sorce wrote:
> > > I'm not sure this makes so much sense to do _in wireguard_. If you
> > > feel like the FIPS-allergic part is actually blake, 25519, chacha, and
> > > poly1305, then wouldn't
On Thu, Apr 08, 2021 at 08:11:34AM -0700, Eric Biggers wrote:
> On Thu, Apr 08, 2021 at 07:58:08PM +0800, Hangbin Liu wrote:
> > On Thu, Apr 08, 2021 at 09:06:52AM +0800, Hangbin Liu wrote:
> > > > Also, couldn't you just consider WireGuard to be outside your FIPS
> > > > module
> > > > boundary,
On Thu, 2021-04-08 at 15:55 -0600, Jason A. Donenfeld wrote:
> On Thu, Apr 8, 2021 at 7:55 AM Simo Sorce wrote:
> > > I'm not sure this makes so much sense to do _in wireguard_. If you
> > > feel like the FIPS-allergic part is actually blake, 25519, chacha, and
> > > poly1305, then wouldn't it mak
On Thu, Apr 8, 2021 at 7:55 AM Simo Sorce wrote:
> > I'm not sure this makes so much sense to do _in wireguard_. If you
> > feel like the FIPS-allergic part is actually blake, 25519, chacha, and
> > poly1305, then wouldn't it make most sense to disable _those_ modules
> > instead? And then the var
On Thu, Apr 08, 2021 at 07:58:08PM +0800, Hangbin Liu wrote:
> On Thu, Apr 08, 2021 at 09:06:52AM +0800, Hangbin Liu wrote:
> > > Also, couldn't you just consider WireGuard to be outside your FIPS module
> > > boundary, which would remove it from the scope of the certification?
> > >
> > > And how
On Wed, 2021-04-07 at 15:15 -0600, Jason A. Donenfeld wrote:
> Hi Hangbin,
>
> On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu wrote:
> > As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> > FIPS certified, the WireGuard module should be disabled in FIPS mode.
>
> I'm not su
On Thu, Apr 08, 2021 at 09:06:52AM +0800, Hangbin Liu wrote:
> > Also, couldn't you just consider WireGuard to be outside your FIPS module
> > boundary, which would remove it from the scope of the certification?
> >
> > And how do you handle all the other places in the kernel that use ChaCha20
>
On Thu, Apr 8, 2021 at 8:52 AM Hangbin Liu wrote:
> On Wed, Apr 07, 2021 at 03:15:51PM -0600, Jason A. Donenfeld wrote:
> > Hi Hangbin,
> >
> > On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu wrote:
> > >
> > > As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> > > FIPS certi
On Wed, Apr 07, 2021 at 03:15:51PM -0600, Jason A. Donenfeld wrote:
> Hi Hangbin,
>
> On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu wrote:
> >
> > As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> > FIPS certified, the WireGuard module should be disabled in FIPS mode.
>
>
On Wed, Apr 07, 2021 at 02:12:27PM -0700, Eric Biggers wrote:
> On Wed, Apr 07, 2021 at 07:39:20PM +0800, Hangbin Liu wrote:
> > As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> > FIPS certified, the WireGuard module should be disabled in FIPS mode.
> >
> > Signed-off-b
Hi Hangbin,
On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu wrote:
>
> As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> FIPS certified, the WireGuard module should be disabled in FIPS mode.
I'm not sure this makes so much sense to do _in wireguard_. If you
feel like the FI
On Wed, Apr 07, 2021 at 07:39:20PM +0800, Hangbin Liu wrote:
> As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> FIPS certified, the WireGuard module should be disabled in FIPS mode.
>
> Signed-off-by: Hangbin Liu
I think you mean "FIPS allowed", not "FIPS certified"?
As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
FIPS certified, the WireGuard module should be disabled in FIPS mode.
Signed-off-by: Hangbin Liu
---
drivers/net/wireguard/main.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireguard/main.c b/driv