From d915182e4871927ef3f6eae9cb1df2faafc7e08d Mon Sep 17 00:00:00 2001 From: akendo Date: Thu, 16 Jul 2026 13:29:56 +0200 Subject: [PATCH] Disable CRYPTO_USER_API Based on the feedback of the CVE-2026-31431[0] and CVE-2026-31677 vulnerabilities, we should disable the CRYPTO_USER_API. The upstream kernel has marked this subsystem as deprecated. With the following recommendation[1]: It is recommended that, whenever possible, userspace programs be migrated to userspace crypto code (which again, is what is normally used anyway) and CONFIG_CRYPTO_USER_API_* be disabled. On systems that use SELinux, SELinux can also be used to restrict the use of AF_ALG to trusted programs. Since by default, Garden Linux uses OpenSSL that takes care of all necessary crypto-related code within userspace, we do not have a need for it and will follow the upstream recommendation. [0]: https://copy.fail/ [1]: https://www.kernel.org/doc/html/latest/crypto/userspace-if.html#deprecation --- config/config | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/config b/config/config index cf004f5..c7b806b 100644 --- a/config/config +++ b/config/config @@ -147,10 +147,10 @@ CONFIG_CRYPTO_DRBG_MENU=m CONFIG_CRYPTO_DRBG_HASH=y CONFIG_CRYPTO_DRBG_CTR=y CONFIG_CRYPTO_JITTERENTROPY=m -CONFIG_CRYPTO_USER_API_HASH=m -CONFIG_CRYPTO_USER_API_SKCIPHER=m -CONFIG_CRYPTO_USER_API_RNG=m -CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_USER_API_HASH=n +CONFIG_CRYPTO_USER_API_SKCIPHER=n +CONFIG_CRYPTO_USER_API_RNG=n +CONFIG_CRYPTO_USER_API_AEAD=n # CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set ##