Re: [PATCH] Revert "fsverity: relax build time dependency on CRYPTO_SHA256"

On Mon, 17 Feb 2025 at 19:51, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> This reverts commit e3a606f2c544b231f6079c8c5fea451e772e1139 because it
> allows people to create broken configurations that enable FS_VERITY but
> not SHA-256 support.
>
> The commit did allow people to disable the generic SHA-256
> implementation when it's not needed.  But that at best allowed saving a
> bit of code.  In the real world people are unlikely to intentionally and
> correctly make such a tweak anyway, as they tend to just be confused by
> what all the different crypto kconfig options mean.
>
> Of course we really need the crypto API to enable the correct
> implementations automatically, but that's for a later fix.
>
> Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
>  fs/verity/Kconfig | 8 ++------
>  1 file changed, 2 insertions(+), 6 deletions(-)
>

Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>

> diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig
> index e1036e5353521..40569d3527a71 100644
> --- a/fs/verity/Kconfig
> +++ b/fs/verity/Kconfig
> @@ -2,17 +2,13 @@
>
>  config FS_VERITY
>         bool "FS Verity (read-only file-based authenticity protection)"
>         select CRYPTO
>         select CRYPTO_HASH_INFO
> -       # SHA-256 is implied as it's intended to be the default hash algorithm.
> +       # SHA-256 is selected as it's intended to be the default hash algorithm.
>         # To avoid bloat, other wanted algorithms must be selected explicitly.
> -       # Note that CRYPTO_SHA256 denotes the generic C implementation, but
> -       # some architectures provided optimized implementations of the same
> -       # algorithm that may be used instead. In this case, CRYPTO_SHA256 may
> -       # be omitted even if SHA-256 is being used.
> -       imply CRYPTO_SHA256
> +       select CRYPTO_SHA256
>         help
>           This option enables fs-verity.  fs-verity is the dm-verity
>           mechanism implemented at the file level.  On supported
>           filesystems (currently ext4, f2fs, and btrfs), userspace can
>           use an ioctl to enable verity for a file, which causes the
>
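
Review bot: the comment kept above `select CRYPTO_SHA256` only says SHA-256 is the intended default hash algorithm; it does not say why this is a hard `select` rather than the `imply` being removed. The deleted comment lines carried the rationale for the relaxed dependency, so after this change nothing in the Kconfig itself records the opposite decision. Consider adding one comment line stating that the `select` is deliberate so that FS_VERITY cannot be enabled without SHA-256 support (the broken configuration the commit message describes), even when an architecture-optimized implementation is also built, so the dependency is not relaxed again without that failure mode in view.
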
> base-commit: 0ad2507d5d93f39619fc42372c347d6006b64319
> --
> 2.48.1
>



