Disable CRYPTO_USER_API#323
Open
Akendo wants to merge 4 commits into
Open
Conversation
Based on the feedback of the CVE-2026-31431[0] and CVE-2026-31677 vulnerabilities, we should disable the CRYPTO_USER_API. The upstream kernel has marked this subsystem as deprecated. With the following recommendation[1]: It is recommended that, whenever possible, userspace programs be migrated to userspace crypto code (which again, is what is normally used anyway) and CONFIG_CRYPTO_USER_API_* be disabled. On systems that use SELinux, SELinux can also be used to restrict the use of AF_ALG to trusted programs. Since by default, Garden Linux uses OpenSSL that takes care of all necessary crypto-related code within userspace, we do not have a need for it and will follow the upstream recommendation. [0]: https://copy.fail/ [1]: https://www.kernel.org/doc/html/latest/crypto/userspace-if.html#deprecation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Based on the feedback of the CVE-2026-314310 and CVE-2026-31677
vulnerabilities, we should disable the CRYPTO_USER_API. The upstream
kernel has marked this subsystem as deprecated. With the following
recommendation1:
Since by default, Garden Linux uses OpenSSL that takes care of all
necessary crypto-related code within userspace, we do not have a need
for it and will follow the upstream recommendation.