Skip to content

Disable CRYPTO_USER_API#323

Open
Akendo wants to merge 4 commits into
mainfrom
feature/disable_af_alg
Open

Disable CRYPTO_USER_API#323
Akendo wants to merge 4 commits into
mainfrom
feature/disable_af_alg

Conversation

@Akendo

@Akendo Akendo commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Based on the feedback of the CVE-2026-314310 and CVE-2026-31677
vulnerabilities, we should disable the CRYPTO_USER_API. The upstream
kernel has marked this subsystem as deprecated. With the following
recommendation1:

It is recommended that, whenever possible, userspace programs be
migrated to userspace crypto code (which again, is what is normally used
anyway) and CONFIG_CRYPTO_USER_API_* be disabled. On systems that use
SELinux, SELinux can also be used to restrict the use of AF_ALG to
trusted programs.

Since by default, Garden Linux uses OpenSSL that takes care of all
necessary crypto-related code within userspace, we do not have a need
for it and will follow the upstream recommendation.

Akendo added 4 commits July 6, 2026 10:18
Based on the feedback of the CVE-2026-31431[0] and CVE-2026-31677
vulnerabilities, we should disable the CRYPTO_USER_API. The upstream
kernel has marked this subsystem as deprecated. With the following
recommendation[1]:

    It is recommended that, whenever possible, userspace programs be
    migrated to userspace crypto code (which again, is what is normally used
    anyway) and CONFIG_CRYPTO_USER_API_* be disabled. On systems that use
    SELinux, SELinux can also be used to restrict the use of AF_ALG to
    trusted programs.

Since by default, Garden Linux uses OpenSSL that takes care of all
necessary crypto-related code within userspace, we do not have a need
for it and will follow the upstream recommendation.

[0]: https://copy.fail/
[1]: https://www.kernel.org/doc/html/latest/crypto/userspace-if.html#deprecation
@Akendo Akendo requested review from 5kt and SujanaSubr July 16, 2026 11:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant