author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-03-26 04:31:38 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-03-26 04:31:38 +0300 |
commit | a86c6d0b2ad12f6ce6560f735f4799cf1f631ab2 (patch) | |
tree | f6ef4b4056622c9f18457711c5da598f8c6aa3e1 | |
parent | bdab2977e47a2eac50e3a0ce23eb5eab110fd490 (diff) | |
parent | 13dc8eb90067f3aae45269214978e552400d5e28 (diff) | |
download | linux-a86c6d0b2ad12f6ce6560f735f4799cf1f631ab2.tar.xz |
Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux
Pull fscrypt updates from Eric Biggers:
"A fix for an issue where CONFIG_FS_ENCRYPTION could be enabled without
some of its dependencies, and a small documentation update"
* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
fscrypt: mention init_on_free instead of page poisoning
fscrypt: drop obsolete recommendation to enable optimized ChaCha20
Revert "fscrypt: relax Kconfig dependencies for crypto API algorithms"
-rw-r--r-- | Documentation/filesystems/fscrypt.rst | 8 | ||||
-rw-r--r-- | fs/crypto/Kconfig | 20 |
2 files changed, 10 insertions, 18 deletions
diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst index 04eaab01314b..e80329908549 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -137,9 +137,8 @@ However, these ioctls have some limitations: - In general, decrypted contents and filenames in the kernel VFS caches are freed but not wiped. Therefore, portions thereof may be recoverable from freed memory, even after the corresponding key(s) - were wiped. To partially solve this, you can set - CONFIG_PAGE_POISONING=y in your kernel config and add page_poison=1 - to your kernel command line. However, this has a performance cost. + were wiped. To partially solve this, you can add init_on_free=1 to + your kernel command line. However, this has a performance cost. - Secret keys might still exist in CPU registers, in crypto accelerator hardware (if used by the crypto API to implement any of @@ -428,11 +427,8 @@ API, but the filenames mode still does. - Mandatory: - CONFIG_CRYPTO_ADIANTUM - Recommended: - - arm32: CONFIG_CRYPTO_CHACHA20_NEON - arm32: CONFIG_CRYPTO_NHPOLY1305_NEON - - arm64: CONFIG_CRYPTO_CHACHA20_NEON - arm64: CONFIG_CRYPTO_NHPOLY1305_NEON - - x86: CONFIG_CRYPTO_CHACHA20_X86_64 - x86: CONFIG_CRYPTO_NHPOLY1305_SSE2 - x86: CONFIG_CRYPTO_NHPOLY1305_AVX2 diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig index 5aff5934baa1..332d828fe6fa 100644 --- a/fs/crypto/Kconfig +++ b/fs/crypto/Kconfig 
@@ -24,20 +24,16 @@ config FS_ENCRYPTION
 #
 # Also note that this option only pulls in the generic implementations of the
 # algorithms, not any per-architecture optimized implementations. It is
-# strongly recommended to enable optimized implementations too. It is safe to
-# disable these generic implementations if corresponding optimized
-# implementations will always be available too; for this reason, these are soft
-# dependencies ('imply' rather than 'select'). Only disable these generic
-# implementations if you're sure they will never be needed, though.
+# strongly recommended to enable optimized implementations too.
 config FS_ENCRYPTION_ALGS
 tristate
- imply CRYPTO_AES
- imply CRYPTO_CBC
- imply CRYPTO_CTS
- imply CRYPTO_ECB
- imply CRYPTO_HMAC
- imply CRYPTO_SHA512
- imply CRYPTO_XTS
+ select CRYPTO_AES
+ select CRYPTO_CBC
+ select CRYPTO_CTS
+ select CRYPTO_ECB
+ select CRYPTO_HMAC
+ select CRYPTO_SHA512
+ select CRYPTO_XTS
 config FS_ENCRYPTION_INLINE_CRYPT
 bool "Enable fscrypt to use inline crypto" |
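Review bot: The shortened comment above `config FS_ENCRYPTION_ALGS` no longer says why the crypto algorithms are hard dependencies, so a later cleanup could relax `select` back to `imply` and bring back the configuration this merge fixes, where CONFIG_FS_ENCRYPTION is enabled without some of them. I would add one sentence after the retained line, for example `# These are hard dependencies ('select', not 'imply') because fscrypt fails at runtime if any of them is missing.` The exact failure mode is not visible in this hunk, so that wording should be checked against fs/crypto first. The comment block starts before the hunk, so its earlier lines may already cover part of this.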