Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.kernel > #92317

Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_*

From Salvatore Bonaccorso <carnil@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.kernel
Subject Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_*
Date 2026-05-06 08:30 +0200
Message-ID <MRDVD-2Xrq-1@gated-at.bofh.it> (permalink)
References <MRkgi-2K3J-5@gated-at.bofh.it> <MRkgi-2K3J-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 2 groups.

Show all headers | View raw

Control: tags -1 + moreinfo

Hi,

On Tue, May 05, 2026 at 11:20:17AM +0200, Chris Hofstädtler wrote:
> Source: linux
> Severity: normal
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> people claim that the crypto API is a source of security issues when 
> (mis-)used by user space. LWN commenters on the recent algif_aead 
> issue have some more notes:
> 
> https://lwn.net/Articles/1070682/
> 
> partial quotes:
> 
> > found only 6 packages that use it: iproute2, util-linux, bluez, qtconnectivity, openssl, and ell
> > [..] As far I know, the only thing that uses algif_aead is bluetooth-meshd
> 
> > Yes, it's only a small set of userspace programs that made the 
> > shortsighted decision to use AF_ALG, instead of following the 
> > standard practice of using a userspace crypto library.
> > Help fixing these userspace programs would be greatly appreciated. 
> > It would be really impactful, as it would allow more people to 
> > disable CONFIG_CRYPTO_USER_API_* in their kernels.
> 
> https://lwn.net/Articles/1070960/
> 
> > it's primarily intended as an interface for some hardware crypto 
> > acceleration engines (like AMD's CCP, on systems it works in 
> > anyway)
> 
> 
> So it appears there are some tradeoffs to be made. Please take a 
> look and consider turning the crypto user api off.

That will be up for further discussion in the kernel-team meeting. I
wonder if we already can do that. There was the following follup as
well from Eric:
https://www.openwall.com/lists/oss-security/2026/05/06/5

Will iwd still work if we disable i now?

Regards,
Salvatore

Back to linux.debian.kernel | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_* Chris Hofstädtler <zeha@debian.org> - 2026-05-05 11:30 +0200
  Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_* Salvatore Bonaccorso <carnil@debian.org> - 2026-05-06 08:30 +0200
    Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_* Chris Hofstaedtler <zeha@debian.org> - 2026-05-06 13:40 +0200
  Processed: Re: Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_* "Debian Bug Tracking System" <owner@bugs.debian.org> - 2026-05-06 08:30 +0200
  Processed: Re: Bug#1135729: Consider disabling CONFIG_CRYPTO_USER_API_* "Debian Bug Tracking System" <owner@bugs.debian.org> - 2026-05-06 13:40 +0200
  Bug#1135729: marked as done (Consider disabling CONFIG_CRYPTO_USER_API_*) "Debian Bug Tracking System" <owner@bugs.debian.org> - 2026-05-07 11:10 +0200
  Re: Bug#1135729 closed by Debian FTP Masters  <ftpmaster@ftp-master.debian.org> (reply to Maytham Alsudany  <maytham@debian.org>) (Bug#1135729: fixed in docker-credential-gcr 2.1.32-1) Chris Hofstaedtler <zeha@debian.org> - 2026-05-07 12:00 +0200

csiph-web