| Message ID | 20220709211849.210850-3-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | crypto: make the sha1 library optional | expand |
On Sat, Jul 09, 2022 at 02:18:49PM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Since the Linux RNG no longer uses sha1_transform(), the SHA-1 library > is no longer needed unconditionally. Make it possible to build the > Linux kernel without the SHA-1 library by putting it behind a kconfig > option, and selecting this new option from the kconfig options that gate > the remaining users: CRYPTO_SHA1 for crypto/sha1_generic.c, BPF for > kernel/bpf/core.c, and IPV6 for net/ipv6/addrconf.c. > > Unfortunately, since BPF is selected by NET, for now this can only make > a difference for kernels built without networking support. Seems like a step in the right direction, thanks. Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
On Sat, 9 Jul 2022 14:18:49 -0700 Eric Biggers wrote: > Since the Linux RNG no longer uses sha1_transform(), the SHA-1 library > is no longer needed unconditionally. Make it possible to build the > Linux kernel without the SHA-1 library by putting it behind a kconfig > option, and selecting this new option from the kconfig options that gate > the remaining users: CRYPTO_SHA1 for crypto/sha1_generic.c, BPF for > kernel/bpf/core.c, and IPV6 for net/ipv6/addrconf.c. > > Unfortunately, since BPF is selected by NET, for now this can only make > a difference for kernels built without networking support. > diff --git a/init/Kconfig b/init/Kconfig > index c984afc489dead..d8d0b4bdfe4195 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1472,6 +1472,7 @@ config HAVE_PCSPKR_PLATFORM > # interpreter that classic socket filters depend on > config BPF > bool > + select CRYPTO_LIB_SHA1 > Let's give it an explicit CC: bpf@ > diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig > index bf2e5e5fe14273..658bfed1df8b17 100644 > --- a/net/ipv6/Kconfig > +++ b/net/ipv6/Kconfig > @@ -7,6 +7,7 @@ > menuconfig IPV6 > tristate "The IPv6 protocol" > default y > + select CRYPTO_LIB_SHA1 > help > Support for IP version 6 (IPv6). FWIW: Acked-by: Jakub Kicinski <kuba@kernel.org>
On Mon, Jul 11, 2022 at 11:22 AM Jakub Kicinski <kuba@kernel.org> wrote: > > On Sat, 9 Jul 2022 14:18:49 -0700 Eric Biggers wrote: > > Since the Linux RNG no longer uses sha1_transform(), the SHA-1 library > > is no longer needed unconditionally. Make it possible to build the > > Linux kernel without the SHA-1 library by putting it behind a kconfig > > option, and selecting this new option from the kconfig options that gate > > the remaining users: CRYPTO_SHA1 for crypto/sha1_generic.c, BPF for > > kernel/bpf/core.c, and IPV6 for net/ipv6/addrconf.c. > > > > Unfortunately, since BPF is selected by NET, for now this can only make > > a difference for kernels built without networking support. > > > diff --git a/init/Kconfig b/init/Kconfig > > index c984afc489dead..d8d0b4bdfe4195 100644 > > --- a/init/Kconfig > > +++ b/init/Kconfig > > @@ -1472,6 +1472,7 @@ config HAVE_PCSPKR_PLATFORM > > # interpreter that classic socket filters depend on > > config BPF > > bool > > + select CRYPTO_LIB_SHA1 > > > > Let's give it an explicit CC: bpf@ > > > diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig > > index bf2e5e5fe14273..658bfed1df8b17 100644 > > --- a/net/ipv6/Kconfig > > +++ b/net/ipv6/Kconfig > > @@ -7,6 +7,7 @@ > > menuconfig IPV6 > > tristate "The IPv6 protocol" > > default y > > + select CRYPTO_LIB_SHA1 > > help > > Support for IP version 6 (IPv6). > > FWIW: > Acked-by: Jakub Kicinski <kuba@kernel.org> Acked-by: Alexei Starovoitov <ast@kernel.org> I believe I found the right full patch set in lore. In the future (if there are follow ups) please cc the full patchset to us. Thanks!
diff --git a/crypto/Kconfig b/crypto/Kconfig index 59489a300cd100..bf15ca5eb9d367 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -880,6 +880,7 @@ config CRYPTO_RMD160 config CRYPTO_SHA1 tristate "SHA1 digest algorithm" select CRYPTO_HASH + select CRYPTO_LIB_SHA1 help SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2). diff --git a/init/Kconfig b/init/Kconfig index c984afc489dead..d8d0b4bdfe4195 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1472,6 +1472,7 @@ config HAVE_PCSPKR_PLATFORM # interpreter that classic socket filters depend on config BPF bool + select CRYPTO_LIB_SHA1 menuconfig EXPERT bool "Configure standard kernel features (expert users)" diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 2082af43d51fbe..9ff549f63540fa 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -121,6 +121,9 @@ config CRYPTO_LIB_CHACHA20POLY1305 select CRYPTO_LIB_POLY1305 select CRYPTO_ALGAPI +config CRYPTO_LIB_SHA1 + tristate + config CRYPTO_LIB_SHA256 tristate diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index d28111ba54fcb2..919cbb2c220d61 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -34,7 +34,8 @@ libpoly1305-y := poly1305-donna32.o libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o libpoly1305-y += poly1305.o -obj-y += sha1.o +obj-$(CONFIG_CRYPTO_LIB_SHA1) += libsha1.o +libsha1-y := sha1.o obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o libsha256-y := sha256.o diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index bf2e5e5fe14273..658bfed1df8b17 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -7,6 +7,7 @@ menuconfig IPV6 tristate "The IPv6 protocol" default y + select CRYPTO_LIB_SHA1 help Support for IP version 6 (IPv6).