[Deepin-Kernel-SIG] [linux 6.6.y] [FROMLIST] [Security] crypto: af_alg - Drop support for off-CPU cryptography

[Avenger-285714]

AF_ALG is deprecated and exposed to unprivileged userspace. Only use the least buggy algorithm implementations: the pure software ones.

This removes one of the main advantages of AF_ALG, which is the ability to use it with off-CPU accelerators. However, using off-CPU accelerators has huge overheads, both in performance and attack surface. I have yet to see real-world, performance-critical workloads where using an accelerator via AF_ALG is actually a win over doing cryptography in userspace.

If using an off-CPU accelerator really does turn out to be a win, a new API should be developed that is actually a good fit for it.

[WangYuli: Rewirte userspace-if.rst because of conflicts]

Link: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/commit/?id=7524070f26d8d347c26787dc297fb844baa26abf

Summary by Sourcery

Restrict AF_ALG userspace crypto interface to software-based Crypto API implementations and update the API and docs accordingly.

Enhancements:

• Limit AF_ALG algorithm selection to synchronous, non-allocating, non-kernel-driver-only Crypto API implementations via a new AF_ALG_CRYPTOAPI_MASK.
• Simplify the af_alg_type bind callback interface to no longer accept type and mask parameters, standardizing allocation behavior across AEAD, hash, RNG, and skcipher.
• Update the userspace Crypto API documentation to reflect the removal of off-CPU accelerator support and the new constraints on AF_ALG.

[sourcery-ai]

Reviewer's Guide

Restricts AF_ALG to use only in-kernel, synchronous, software crypto implementations by hardcoding a crypto algorithm mask and simplifying the AF_ALG bind interface, while updating all AF_ALG users and its userspace documentation accordingly.

Sequence diagram for AF_ALG bind path using restricted crypto implementations

sequenceDiagram
    actor Userspace
    participant AF_ALG_Socket as AF_ALG_socket
    participant AF_ALG_Core as alg_bind
    participant AF_ALG_Type as af_alg_type
    participant CryptoAPI

    Userspace->>AF_ALG_Socket: bind(salg_name, salg_feat, salg_mask)
    AF_ALG_Socket->>AF_ALG_Core: alg_bind(sock, sockaddr_alg)
    AF_ALG_Core->>AF_ALG_Type: bind(salg_name)
    note over AF_ALG_Type: aead_bind/hash_bind/rng_bind/skcipher_bind
    AF_ALG_Type->>CryptoAPI: crypto_alloc_* (name, 0, AF_ALG_CRYPTOAPI_MASK)
    CryptoAPI-->>AF_ALG_Type: crypto_instance
    AF_ALG_Type-->>AF_ALG_Core: private
    AF_ALG_Core-->>AF_ALG_Socket: bind result
    AF_ALG_Socket-->>Userspace: success or error

Loading

File-Level Changes

Change	Details	Files
Constrain AF_ALG algorithm selection to safe, software-only CryptoAPI implementations using a fixed mask.	Introduce AF_ALG_CRYPTOAPI_MASK that filters out async, memory-allocating, and kernel-driver-only algorithms Document that AF_ALG is exposed to possibly untrusted userspace and must avoid risky implementations	include/crypto/if_alg.h
Simplify AF_ALG type binding interface and apply the new mask to all AF_ALG algorithm allocations.	Change af_alg_type->bind signature to take only the algorithm name instead of type and mask parameters Update alg_bind() to call the new bind(name) API Update AEAD, hash, RNG, and skcipher AF_ALG frontends to use crypto_alloc_* with type=0 and mask=AF_ALG_CRYPTOAPI_MASK	include/crypto/if_alg.h crypto/af_alg.c crypto/algif_aead.c crypto/algif_hash.c crypto/algif_rng.c crypto/algif_skcipher.c
Refresh userspace AF_ALG documentation to reflect the new constraints and deprecation context.	Rewrite userspace-if.rst to resolve conflicts and describe the updated AF_ALG behavior and limitations	Documentation/crypto/userspace-if.rst

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from avenger-285714. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Hey - I've left some high level feedback:

• AF_ALG_CRYPTOAPI_MASK duplicates FSCRYPT_CRYPTOAPI_MASK semantics; consider centralizing this mask definition in a shared header to avoid future divergence between the two.
• Since alg_bind now ignores salg_feat and salg_mask and always applies AF_ALG_CRYPTOAPI_MASK, it would be helpful to explicitly mention in the UAPI-facing docs or comments that these sockaddr fields are no longer honored and are effectively ignored.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- AF_ALG_CRYPTOAPI_MASK duplicates FSCRYPT_CRYPTOAPI_MASK semantics; consider centralizing this mask definition in a shared header to avoid future divergence between the two.
- Since alg_bind now ignores salg_feat and salg_mask and always applies AF_ALG_CRYPTOAPI_MASK, it would be helpful to explicitly mention in the UAPI-facing docs or comments that these sockaddr fields are no longer honored and are effectively ignored.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR tightens the AF_ALG userspace crypto interface by preventing selection of off-CPU / driver-backed Crypto API implementations, aiming to reduce attack surface and avoid problematic accelerator drivers. It also simplifies the AF_ALG type binding callback interface and updates the userspace documentation to reflect the new constraints.

Changes:

• Simplify struct af_alg_type’s bind() callback to accept only the algorithm name (dropping type/mask parameters).
• Enforce software-only / safer Crypto API implementation selection by allocating with a fixed AF_ALG_CRYPTOAPI_MASK.
• Add documentation note warning that hardware accelerator access via AF_ALG is removed.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
include/crypto/if_alg.h	Changes AF_ALG type bind API and introduces AF_ALG_CRYPTOAPI_MASK for restricting implementations.
Documentation/crypto/userspace-if.rst	Documents removal of hardware accelerator exposure via AF_ALG.
crypto/algif_skcipher.c	Allocates skcipher with fixed mask to exclude off-CPU/driver-only implementations.
crypto/algif_rng.c	Allocates RNG with fixed mask to exclude off-CPU/driver-only implementations.
crypto/algif_hash.c	Allocates ahash with fixed mask to exclude off-CPU/driver-only implementations.
crypto/algif_aead.c	Allocates AEAD with fixed mask to exclude off-CPU/driver-only implementations.
crypto/af_alg.c	Updates bind path to use the simplified bind(name) callback signature.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.