[RFC PATCH][Unstable] UBUNTU: [Config] Disable CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE

dann frazier dann.frazier at canonical.com
Mon Nov 2 16:42:18 UTC 2020 

Disables deprecated algorithms unused by the kernel but exposed to userspace
via AF_ALG as recommended here:

 https://lists.linaro.org/pipermail/cross-distro/2020-October/000938.html

As noted, iwd (universe) did have a dependency on the kernel's ecb(arc4) but
upstream has now replaced that with a userspace version:

https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=1db8a85a60c645232eb5bba1ec0cd0a2927ccd16

While we have a new enough iwd in hirsute, focal's version still has this
dependency. So, if we decide to do this, we may also want to SRU that back.

Signed-off-by: dann frazier <dann.frazier at canonical.com>
---
 debian.master/config/annotations          |  7 ++-----
 debian.master/config/config.common.ubuntu | 12 ++++++------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 81938786ab66..3a11bafaebcf 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -280,8 +280,6 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL              policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_AES                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_CRYPTO_AES_TI                            policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_AES_NI_INTEL                      policy<{'amd64': 'm'}>
-CONFIG_CRYPTO_ANUBIS                            policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
-CONFIG_CRYPTO_ARC4                              policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_BLOWFISH                          policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_BLOWFISH_X86_64                   policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_CAMELLIA                          policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
@@ -295,17 +293,14 @@ CONFIG_CRYPTO_CAST6_AVX_X86_64                  policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_DES                               policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_DES3_EDE_X86_64                   policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_FCRYPT                            policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
-CONFIG_CRYPTO_KHAZAD                            policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_SALSA20                           policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_CHACHA20                          policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_CHACHA20_X86_64                   policy<{'amd64': 'm'}>
-CONFIG_CRYPTO_SEED                              policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_SERPENT                           policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_SERPENT_SSE2_X86_64               policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_SERPENT_AVX_X86_64                policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_SERPENT_AVX2_X86_64               policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_SM4                               policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
-CONFIG_CRYPTO_TEA                               policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_TWOFISH                           policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_TWOFISH_X86_64                    policy<{'amd64': 'm'}>
 CONFIG_CRYPTO_TWOFISH_X86_64_3WAY               policy<{'amd64': 'm'}>
@@ -322,6 +317,7 @@ CONFIG_CRYPTO_USER_API_HASH                     policy<{'amd64': 'm', 'arm64': '
 CONFIG_CRYPTO_USER_API_SKCIPHER                 policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_USER_API_RNG                      policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_USER_API_AEAD                     policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
+CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE		policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_CRYPTO_STATS                             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_CRYPTO_LIB_BLAKE2S                       policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
 CONFIG_CRYPTO_LIB_CHACHA                        policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 's390x': 'm'}>
@@ -439,6 +435,7 @@ CONFIG_CRYPTO_DEV_SA2UL                         policy<{'arm64': 'm'}>
 #
 CONFIG_CRYPTO_DEV_HISI_ZIP                      mark<ENFORCED>
 CONFIG_ZCRYPT_MULTIDEVNODES                     mark<ENFORCED> note<LP:1805429>
+CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE		mark<ENFORCED> note<Obsolete w/ no known userspace dependencies>
 
 # Menu: Cryptographic API >> Hardware crypto devices >> Algorithms enabled for QCE acceleration
 CONFIG_CRYPTO_DEV_QCE_ENABLE_ALL	        policy<{'arm64': 'y', 'armhf': 'y'}>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 8500c4203ac7..1dad0154fc4d 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2124,8 +2124,8 @@ CONFIG_CRYPTO_AKCIPHER2=y
 CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_ANSI_CPRNG=m
-CONFIG_CRYPTO_ANUBIS=m
-CONFIG_CRYPTO_ARC4=m
+# CONFIG_CRYPTO_ANUBIS is not set
+# CONFIG_CRYPTO_ARC4 is not set
 CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=m
 CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m
 CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=m
@@ -2295,7 +2295,7 @@ CONFIG_CRYPTO_HMAC=y
 CONFIG_CRYPTO_HW=y
 CONFIG_CRYPTO_JITTERENTROPY=y
 CONFIG_CRYPTO_KEYWRAP=m
-CONFIG_CRYPTO_KHAZAD=m
+# CONFIG_CRYPTO_KHAZAD is not set
 CONFIG_CRYPTO_KPP=y
 CONFIG_CRYPTO_KPP2=y
 CONFIG_CRYPTO_LIB_AES=y
@@ -2345,7 +2345,7 @@ CONFIG_CRYPTO_RNG2=y
 CONFIG_CRYPTO_RNG_DEFAULT=y
 CONFIG_CRYPTO_RSA=y
 CONFIG_CRYPTO_SALSA20=m
-CONFIG_CRYPTO_SEED=m
+# CONFIG_CRYPTO_SEED is not set
 CONFIG_CRYPTO_SEQIV=y
 CONFIG_CRYPTO_SERPENT=m
 CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
@@ -2386,7 +2386,7 @@ CONFIG_CRYPTO_SM4=m
 CONFIG_CRYPTO_SM4_ARM64_CE=m
 CONFIG_CRYPTO_STATS=y
 CONFIG_CRYPTO_STREEBOG=m
-CONFIG_CRYPTO_TEA=m
+# CONFIG_CRYPTO_TEA is not set
 CONFIG_CRYPTO_TEST=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_TWOFISH=m
@@ -2397,7 +2397,7 @@ CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_USER_API=m
 CONFIG_CRYPTO_USER_API_AEAD=m
-CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y
+# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_RNG=m
 # CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
-- 
2.29.1

More information about the kernel-team mailing list