Linux 7.2 Proceeding To Deprecate AF_ALG Due To "Massive Attack Surface", Drops Offloading
Posted by anh0516@reddit | linux | 26 comments
2rad0@reddit
I went a step further and abolished every socket type that isn't AF_UNIX, AF_LOCAL, AF_PACKET, AF_NETLINK, or AF_INET with (IPPROTO_IP, IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP) from being created so I didn't have to think about this anymore.
Dwedit@reddit
Hopefully not including AF_INET6?
Anyway that would ban these:
AF_AX25: Amateur radio AX.25 protocol, ax25(4)
AF_IPX: IPX - Novell protocols
AF_APPLETALK: AppleTalk, ddp(7)
AF_X25: ITU-T X.25 / ISO/IEC 8208 protocol, x25(7)
AF_DECnet: DECnet protocol sockets
AF_KEY: Key management protocol, originally developed for usage with IPsec
AF_NETLINK: Kernel user interface device, netlink(7)
AF_PACKET: Low-level packet interface, packet(7)
AF_RDS: Reliable Datagram Sockets (RDS) protocol, rds(7), rds-rdma(7)
AF_PPPOX: Generic PPP transport layer, for setting up L2 tunnels (L2TP and PPPoE)
AF_LLC: Logical link control (IEEE 802.2 LLC) protocol
AF_IB: InfiniBand native addressing
AF_MPLS: Multiprotocol Label Switching
AF_CAN: Controller Area Network automotive bus protocol
AF_TIPC: TIPC, "cluster domain sockets" protocol
AF_BLUETOOTH: Bluetooth low-level socket protocol
AF_ALG: Interface to kernel crypto API
AF_VSOCK: VSOCK (originally "VMWare VSockets") protocol for hypervisor-guest communication, vsock(7)
AF_KCM: KCM (kernel connection multiplexer) interface
AF_XDP: XDP (express data path) interface
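One way to measure, from an ordinary process, which address families the running kernel still lets it open, compared against the allowlist given in the thread above. This is an added example, not code from any commenter or from the kernel; the function names and verdict labels are assumptions made here, and AF_INET6 is reported as outside the allowlist because the comment does not list it.

```python
import errno
import socket

# Allowlist from the comment above (AF_LOCAL is an alias of AF_UNIX).
ALLOWED = {"AF_UNIX", "AF_PACKET", "AF_NETLINK", "AF_INET"}
TYPES = (socket.SOCK_STREAM, socket.SOCK_DGRAM, socket.SOCK_RAW,
         socket.SOCK_SEQPACKET)
UNAVAILABLE = {errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT,
               errno.ESOCKTNOSUPPORT, errno.EINVAL}
RANK = {"unavailable": 0, "error": 1, "denied": 2, "reachable": 3}


def classify(err):
    """Map the errno of a socket() attempt (None = success) to a verdict."""
    if err is None:
        return "reachable"
    if err in (errno.EPERM, errno.EACCES):
        return "denied"        # family is registered but needs privilege
    return "unavailable" if err in UNAVAILABLE else "error"


def probe(family, opener=socket.socket):
    """Try every socket type for one family and keep the strongest verdict."""
    best = "unavailable"
    for sock_type in TYPES:
        try:
            opener(family, sock_type).close()
            err = None
        except OSError as exc:
            err = exc.errno
        verdict = classify(err)
        if RANK[verdict] > RANK[best]:
            best = verdict
    return best


def audit(opener=socket.socket):
    """Probe every AF_* constant this Python build knows about."""
    names = [n for n in dir(socket) if n.startswith("AF_") and n != "AF_UNSPEC"]
    return {n: probe(int(getattr(socket, n)), opener) for n in names}


def exposed(results):
    """Families a process can open that are outside the allowlist."""
    return sorted(n for n, v in results.items()
                  if v == "reachable" and n not in ALLOWED)


if __name__ == "__main__":
    # Caveat: with module autoloading, a probe can itself load net-pf-N modules.
    print("\n".join(exposed(audit())) or "nothing outside the allowlist")
```

Run it as the same user and inside the same sandbox as the workload you care about, since the verdicts reflect that process's privileges and filters.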
SpaghettiSort@reddit
IPv6 just isn't necessary in small and medium sized networks. I have it disabled on everything except my router. I work for a college with over 7000 community members (students, faculty, staff) and we don't use IPv6 at all in any of our infrastructure.
2rad0@reddit
It's just a desktop system, not a server or router, but the patch script has support for patching INET6 protocol checks in net/ipv6/af_inet6.c, though I leave it completely disabled on my systems in the socket registration check of net/socket.c. All I have to do is add it to a list in my shell script that does the patching.
adoodle83@reddit
ummmm, why not just compile your own kernel and remove all the unnecessary modules and bloat?
Dwedit@reddit
Intel CPUs have accelerated AES since Arrandale (excluding low-end models), and stopped excluding low-end models since Skylake. Doing encryption in user mode means using those CPU extensions, so there's not really much to gain by doing it a different way.
voidvector@reddit
Those are normally exposed as CPU instructions which would be executed in whatever context it was in.
Lower-Limit3695@reddit
Arm CPUs have an optional extension for crypto in their ISA, but since it's optional, it's non-universal, with some Arm SoCs opting for dedicated accelerators instead.
lightmatter501@reddit
Intel also ships a dedicated cryptographic accelerator on every Xeon, which is now losing a portable API.
MatchingTurret@reddit
I think this is about separate crypto accelerators like the one integrated into old Geode CPUs.
Kevin_Kofler@reddit
And the push towards gnomification of the Linux kernel continues. When is this feature removal craze going to stop?
Desertcow@reddit
If someone wants that feature, they can work on it and potentially get it readded
TRKlausss@reddit
I’d rather have a small kernel than a bloated one ;D
Kevin_Kofler@reddit
The kernel is already bloated beyond hope. I remember the days where you could boot a complete Red Hat Linux rescue image from a single floppy disk. Now even just the kernel is several times larger than a floppy, and kernel and initramfs together barely fit on even a CD.
beefcat_@reddit
You can easily configure and build an absolutely tiny kernel that fits comfortably on a floppy disk.
When you start adding back in device drivers and other modules for stuff that didn't even exist in 1999, you will find that your kernel gets bigger than 1.44MB. That's not bloat.
Ok-Winner-6589@reddit
Then compile it yourself?
If you expect the kernel to boot on your system but don't want that 60% of the code which is just drivers, then compile it.
But it's funny that you expect it to boot without drivers but then blame the devs when they remove stuff developed and used by incredibly old CPUs
Kevin_Kofler@reddit
Back in the day, the kernel fit on a floppy with all the drivers needed to boot, and with a text-mode rescue userspace. Those are the "drivers for outdated hardware" that they are removing now: they were incredibly small! Newer hardware is much harder to support.
TRKlausss@reddit
Back in the day, when Linus programmed it, there was only 1 system supported: his.
Now how usable is that for mainstream computing compared to what we have now?
Kevin_Kofler@reddit
That was not the "back in the day" that I meant. I explicitly referred to old versions of Red Hat Linux.
Ok-Winner-6589@reddit
Back in the day there was less hardware than now because, guess what, when you keep drivers and have to keep adding more, the disk space increases.
It's simple logic
anh0516@reddit (OP)
https://github.com/w84death/floppinux
braaaaaaainworms@reddit
please go use 9front or openbsd
flipintheair@reddit
You can absolutely launch the kernel from a floppy. Just compile it with only what you require.
iamdestroyerofworlds@reddit
But that takes effort, muuum.
MatchingTurret@reddit
Bloat is a subjective measure. This removal is more the acknowledgement that the original design is flawed and that there is a better way.
anh0516@reddit (OP)
Why don't you take over the security auditing of this subsystem?