Matthieu Baerts [off-list ref] wrote:

I don't know if it can help, but did you try to reproduce it on top of
the branch used by the CI?

 https://github.com/linux-netdev/testing/tree/net-next-2025-08-12--06-00

This branch is on top of net-next, where 'net' has been merged, all
pending patches listed on Patchwork have been applied, plus a few
additional patches are there to either fix some temp issues or improve
the CI somehow. Maybe one of these patches caused the removal of
CONFIG_CRYPTO_SHA1.

Yes:
    sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication

removes it.

I guess that's the case, because when looking at the diff [1] when the
issue got introduced, I see some patches [2] from Eric Biggers modifying
some sctp's Kconfig file. They probably cause the issue, but the fix
should be to add CONFIG_CRYPTO_SHA1 in the ST config as mentioned by Paolo.

seems like these two are the only ones that need it. at least
xfrm_policy.sh passes again after this change.

diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config

@@ -115,6 +115,7 @@ CONFIG_VXLAN=m
 CONFIG_IP_SCTP=m
 CONFIG_NETFILTER_XT_MATCH_POLICY=m
 CONFIG_CRYPTO_ARIA=y
+CONFIG_CRYPTO_SHA1=y
 CONFIG_XFRM_INTERFACE=m
 CONFIG_XFRM_USER=m
 CONFIG_IP_NF_MATCH_RPFILTER=m

diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config
--- a/tools/testing/selftests/net/netfilter/config
+++ b/tools/testing/selftests/net/netfilter/config

@@ -98,3 +98,4 @@ CONFIG_NET_PKTGEN=m
 CONFIG_TUN=m
 CONFIG_INET_DIAG=m
 CONFIG_INET_SCTP_DIAG=m
+CONFIG_CRYPTO_SHA1=y