On Thu, Sep 04, 2025 at 05:50:58PM +0200, Vegard Nossum wrote: > /** > * sha256() - Compute SHA-256 message digest in one shot > @@ -373,7 +392,9 @@ void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE]); > * > * Context: Any context. > */ > -void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE]); > +DECLARE_CRYPTO_API(sha256, void, > + (const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE]), > + (data, len, out)); This makes all these function declarations awfully hard to read... If fips140.ko is really going to be supported at all, perhaps it would make more sense for the override to happen in the function implementations? E.g. the first line of the sha256() function implementation would be FIPS_CALL(sha256, data, len, out) or similar, and that would either do nothing, or call the sha256() from fips140.ko and return. I think that would be *slightly* less invasive. Though of course it doesn't get around the problem that the fips140.ko override support still has to be handled individually for every function... - Eric
