Received: by 2002:ab2:2994:0:b0:1ef:ca3e:3cd5 with SMTP id n20csp447382lqb; Thu, 14 Mar 2024 16:39:05 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWuzWWTlOeV2u23vUTJErucMf0IoY1RYZtTwhFbT8wMIqSCjgRAecg/NV1o3LoQHwVsJVzDWcWW+ErqO3AHBEKw1cqUCCptydwEaTv6Zg== X-Google-Smtp-Source: AGHT+IE2VuJXx1rizKFPHSzbrRrJZL7DjSnJHzpb1JPRi2UMn4++VewKym7uQNG2xCsVCAHojqAH X-Received: by 2002:a05:6a21:a587:b0:1a1:e2c:6a1d with SMTP id gd7-20020a056a21a58700b001a10e2c6a1dmr4074809pzc.4.1710459545106; Thu, 14 Mar 2024 16:39:05 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710459545; cv=pass; d=google.com; s=arc-20160816; b=yREkoJTeXM9tFygUUihegdDEGJDdf920oirNG0Ls4bZ2NQsDuQIDkJ+HDWEpmSsGFS Wkt0oi9vE+UjDEAS7eD3W3aNeRevaQcy831zP/s+XZ4hBgZ2G5DfQyIlj61pgNylvZHo SumHcPuoGYc9upfiVr6lKueBh1Pq+M/a4wskF6bxc6oSdsEruxAZfuYO+QOIhxcOwaFq gVWLGm5nxJh3GZy2diRQKxr7dUaPnPqCYBP4PcKOl2UpxvTcHsMcNx4kBHrW6q3tHK1B VW37CjPQZPxkX6ZotHjNOyZrAiHcdIglzQOarETv7Mbxd2XMuWn2dn/7/97vv/n+DPzh eY/Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=GD+FyRbnheNisSAcjUykU97tzQDPhI0aQHISgMu8QeU=; fh=K77yuhaA9e/Z3mEptk9khefBSdB8rxtR27vmzAALwQI=; b=XC7DtlkDIoOt17QOGqSPR38tdE1xtxoQwbw00wqM9u2ge5ceNAD8wK+cqalE6Z6LuD g86S1pIOsBCFVOOI35Xv6w7feh/d/VIlBQM2wCgtr7d9+OinHGq8v7FOwRzl3wLNTLit AL0pvsNOGvh+h1Ly2Yp+jP60szAOgJMYbSlz3U/YJqnlhSVmV5SUrGzdehuUq2KXGkjn nDzLuDJYET6vUnVNgwRuC6DhGJg/f8JlSCbzb7ky80MiBt1k1SidEUERm2scjOtvKJgo q41bOXeYi0eTr1K5zH4E0aiy10yA3/26bAcLf2cAWs/f94IqhjoEqXr/w9LXpVnUf6v0 wVIA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SowCYaPC; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-wireless+bounces-4781-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-4781-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id r6-20020aa78446000000b006e6ca7264b0si2366758pfn.42.2024.03.14.16.39.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Mar 2024 16:39:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless+bounces-4781-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SowCYaPC; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-wireless+bounces-4781-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-4781-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id BA0C6282D1E for ; Thu, 14 Mar 2024 23:39:04 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3786C111A2; Thu, 14 Mar 2024 23:38:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SowCYaPC" X-Original-To: linux-wireless@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB84113FE7; Thu, 14 Mar 2024 23:38:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710459539; cv=none; b=Nv6m7LKbpHiTfU7SYeprMQLT3x/qrEKT4P6uOtsGb5bRwC9JJKzMnzU0AEjQVZd+rP/oqI1/uQD1CWZTjF1/L4k+xmSreoBaqurYtILR+A6oHwzDnmnf/XHC467zeMBkswJC6sosCIxyN27oEjW7oioE9Lgn5NpcXD7+95CEkno= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710459539; c=relaxed/simple; bh=ToO7+GC40SPPq/DJBkYHMz5VkP5cIZgxtl9+T1qyeNw=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=FX4en9A/QOie8YbNpuWQN/z2ef0M8KeubaF9OiBzH7ymaaGPgdhX1XOqr4EHPpSUTHZZlky0dOtMQGih/pOC8Z8QLTjp++TWB2xEqOqx5ZeF7XU26Syr98VovRFh4fEXmgD0UTTocR9GFNhVDoMeELa2+AGH3S+NaY7iJCt06yY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SowCYaPC; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 957B9C43601; Thu, 14 Mar 2024 23:38:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1710459538; bh=ToO7+GC40SPPq/DJBkYHMz5VkP5cIZgxtl9+T1qyeNw=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=SowCYaPCOLjEnDgHQ2XC7R0LqG8iVH1tSpqaCRt02cjOZBaHctbbQFmzEqjRcvhmj i/Zv0c3M92heLQdOgfA7NRi08RATmBjbXeesA48ueQQzaTtz4oMZJC+BryGvTZ5lm3 hO56AiCBUqrXAEan0fgh5ziDS9R32mi6gkiDZJxFX6Tr8T275Z2BSpkjdh5qiRIEDa /g22lzM98Iq3qxplKJI1PJDely87LNSOCGJT/fh/f8iXg2Z/v7lVh3UzAkWK6HdC8Z bvJhRgLIhynwbMDwZicreJqGkqeTdLFI23xGNjsyjPB+cNlOpR29hGWDtjed/bGmM8 7bHtbgf2uwG1Q== Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-2d4360ab3daso19976631fa.3; Thu, 14 Mar 2024 16:38:58 -0700 (PDT) X-Forwarded-Encrypted: i=1; AJvYcCWd2Px/Af6sDtDIT8cbm+QE6lgHKXyCWAQCf3vBqr8tyO8+A83j8fPqfatAzq+Ag/2pojYzm1AWZC60+oeOL/mkfrRaHWXYHVwDYLb1JCaBy1pb1RChTMzSoCCSbD9/Hh6FewnSjf+JaeyqVrtTZXtEZrRP+z0P5DhCqugdfBPeBsb7+wNFI5dz8df9kf4iLenMbUMbo9j2FmGL7p+cEuKYnikYyOmUFVhwvknmgSPLXAhREwx7PhAV8mTuR9UTq37e0FXoKHQwfqByE7+6GBt1pmmaEJx41LIWL7c= X-Gm-Message-State: AOJu0YxhxQM6KkgZsEklxfjW5qw2KmMnrPUoyl9vT+Le4EedwOsVwDeO d8u/W51X0Z7sa1wwOfOfPwffsTtzDfYNQQ1+/aKnGGeJoniGAAAIFLIbcYajObokB4O3c5TcpdA RHU6s4MximEJPvz2HYU3TJcLUZxE= X-Received: by 2002:a2e:9a8a:0:b0:2d2:3fac:5fdc with SMTP id p10-20020a2e9a8a000000b002d23fac5fdcmr2171806lji.10.1710459536886; Thu, 14 Mar 2024 16:38:56 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <005f998ec59e27633b1b99fdf929e40ccfd401c1.camel@sipsolutions.net> <20240313194423.GA1111@sol.localdomain> <20240313202223.GB1111@sol.localdomain> <20240313221043.GC1111@sol.localdomain> <20240313230611.GD1111@sol.localdomain> <20240314202011.GB1132@sol.localdomain> In-Reply-To: <20240314202011.GB1132@sol.localdomain> From: Ard Biesheuvel Date: Fri, 15 Mar 2024 00:38:45 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [REGRESSION] Re: [PATCH] crypto: pkcs7: remove sha1 support To: Eric Biggers Cc: James Prestwood , Jeff Johnson , Johannes Berg , Karel Balej , dimitri.ledkov@canonical.com, alexandre.torgue@foss.st.com, davem@davemloft.net, dhowells@redhat.com, herbert@gondor.apana.org.au, keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, mcgrof@kernel.org, mcoquelin.stm32@gmail.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, iwd@lists.linux.dev Content-Type: text/plain; charset="UTF-8" On Thu, 14 Mar 2024 at 21:20, Eric Biggers wrote: > > On Thu, Mar 14, 2024 at 04:52:47AM -0700, James Prestwood wrote: > > IWD uses AF_ALG/keyctl for _all_ its crypto, cipher, and checksum needs. > > Anything that wifi requires as far as crypto goes IWD uses the kernel, > > except ECC is the only exception. The entire list of crypto requirements > > (for full support at least) for IWD is here: > > > > https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/tools/test_runner_kernel_config > > That's quite an extensive list, and it's not documented in the iwd README. > Don't you get bug reports from users who are running a kernel that's missing one > of those options? > > > For KEYCTL_PKEY_* specifically we use it for all asymmetric crypto > > operations, (query), encrypt, decrypt, sign, verify. > > > > I'll be honest, the AF_ALG/keyctl support in ELL was mostly done by the time > > I started working on IWD so I was not aware the documentation was so poor. > > That is an entirely separate issue than this IMO, and I'm happy to help with > > getting docs updated to include a proper list of supported features. In > > addition maybe some automated testing that gets run on kernel builds which > > actually exercises this API so it doesn't get accidentally get broken in the > > future? Docs/tests IMO are the proper "fix" here, not telling someone to > > stop using an API that has existed a long time. > > I looked into the history, and it seems the KEYCTL_PKEY_* APIs were added as a > collaboration between the iwd developers and the kernel keyrings maintainer. > So, as far as I can tell, it's not that the kernel had an existing API that iwd > started using. It's that iwd got some APIs added to the kernel for themselves. > KEYCTL_PKEY_* don't seem to have been adopted elsewhere; Debian Code Search > doesn't return any notable results. keyctl does provide a command-line > interface to them, but I can't find any users of the keyctl commands either. > > Then, everyone disappeared and it got dumped on the next generation of kernel > developers, who often don't know that this API even exists. And since the API > is also poorly specified and difficult to maintain (e.g., changing a seemingly > unrelated part of the kernel can break it), the results are predictable... And > of course the only thing that breaks is iwd, since it's the only user. > > It would be worth taking a step back and looking at the overall system > architecture here. Is this the best way to ensure a reliable wireless > experience for Linux users? > > Maybe it's time to admit that KEYCTL_PKEY_* was basically an experiment, and a > different direction (e.g. using OpenSSL) should be taken... > > (Another issue with the kernel keyrings stuff is that provides a significant > attack surface for the kernel to be exploited.) > > If you do decide to continue with the status quo, it may be necessary for the > iwd developers to take a more active role in maintaining this API in order to > ensure it continues working properly for you. > > AF_ALG is on *slightly* firmer ground since it's been around for longer, is > properly part of the crypto subsystem, and has a few other users. Unfortunately > it still suffers from the same issues though, just to a slightly lesser degree. > We dropped MD4 because there are no users in the kernel. It is not the kernel's job to run code on behalf of user space if it does not require any privileges and can therefore execute in user space directly. The fact that AF_ALG permits this is a huge oversight on the part of the kernel community, and a major maintenance burden. The point of AF_ALG was to expose hardware crypto accelerators (which are shared resources that /need/ to be managed by the kernel) to user space, and we inadvertently ended up allowing the kernel's pure-software algorithms to be used in the same way. The fact that we even added APIs to the kernel to accommodate iwd is even worse. It means system call overhead (which has become worse due to all the speculation mitigations) to execute some code that could execute in user space just as well, which is a bad idea for other reasons too (for instance, accelerated crypto that uses SIMD in the kernel disables preemption on many architectures, resulting in scheduling jitter) Note that in the case of iwd, it is unlikely that the use of AF_ALG could ever result in meaningful use of hardware accelerators: today's wireless interfaces don't use software crypto for the bulk of the data (i.e., the packets themselves) and the wireless key exchange protocols etc are unlikely to be supported in generic crypto accelerators, and even if they were, the latency would likely result in worse performance overall than a software implementation. So iwd's deliberate choice to use the kernel as a crypto library is severely misguided. I have made the same point 4 years ago when I replaced iwd's use of the kernel's ecb(arc4) code with a suitable software implementation (3 files changed, 53 insertions, 40 deletions). Of course, replacing other algorithms will take more work than that, but it is the only sensible approach. We all know the cat is out of the bag when it comes to AF_ALG, and we simply have to retain all those broken algorithms as executable code at the kernel's privileged execution level, just in case some user space is still around that relies on it. But that doesn't mean we cannot be very clear about our preferred way forward.