Control: tags -1 + moreinfo Hi,
On Tue, May 05, 2026 at 11:20:17AM +0200, Chris Hofstädtler wrote: > Source: linux > Severity: normal > Tags: security > X-Debbugs-Cc: Debian Security Team <[email protected]> > > Hi, > > people claim that the crypto API is a source of security issues when > (mis-)used by user space. LWN commenters on the recent algif_aead > issue have some more notes: > > https://lwn.net/Articles/1070682/ > > partial quotes: > > > found only 6 packages that use it: iproute2, util-linux, bluez, > > qtconnectivity, openssl, and ell > > [..] As far I know, the only thing that uses algif_aead is bluetooth-meshd > > > Yes, it's only a small set of userspace programs that made the > > shortsighted decision to use AF_ALG, instead of following the > > standard practice of using a userspace crypto library. > > Help fixing these userspace programs would be greatly appreciated. > > It would be really impactful, as it would allow more people to > > disable CONFIG_CRYPTO_USER_API_* in their kernels. > > https://lwn.net/Articles/1070960/ > > > it's primarily intended as an interface for some hardware crypto > > acceleration engines (like AMD's CCP, on systems it works in > > anyway) > > > So it appears there are some tradeoffs to be made. Please take a > look and consider turning the crypto user api off. That will be up for further discussion in the kernel-team meeting. I wonder if we already can do that. There was the following follup as well from Eric: https://www.openwall.com/lists/oss-security/2026/05/06/5 Will iwd still work if we disable i now? Regards, Salvatore
