From: Thomas Huth <thuth@redhat.com>
To: Eric Biggers <ebiggers@kernel.org>,
linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Steffen Klassert <steffen.klassert@secunet.com>,
linux-s390 <linux-s390@vger.kernel.org>
Subject: Re: [PATCH 1/2] crypto: pcrypt - Remove pcrypt
Date: Tue, 14 Jul 2026 06:20:01 +0200 [thread overview]
Message-ID: <c4796562-699c-4ac2-87ea-290708ff577a@redhat.com> (raw)
In-Reply-To: <20260713223234.24812-2-ebiggers@kernel.org>
On 14/07/2026 00.32, Eric Biggers wrote:
> pcrypt was originally intended to improve IPsec performance. However,
> it's no longer useful for that. Reports from the rare cases that anyone
> has actually tried to use it over the years indicate that it actually
> reduces IPsec performance, e.g.:
>
> * https://github.com/libreswan/libreswan/wiki/Internals:-Cryptographic-Acceleration#obsoleted-ipsec-accelerations
> * https://users.strongswan.narkive.com/liqTaTq8/strongswan-problem-with-pcrypt
> * https://unix.stackexchange.com/questions/594336/ipsec-multithreading-via-pcrypt-worse-than-single-thread
>
> It's also undocumented and quite difficult to actually use. Its design
> is also broken, in that any unprivileged program can enable pcrypt
> systemwide at any time (by instantiating it using AF_ALG).
>
> Meanwhile, pcrypt has been a regular source of bugs, including at least
> four that have received CVEs.
>
> Let's just remove it. No one seems to care about it anymore other than
> people looking for vulnerabilities.
>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
> MAINTAINERS | 7 -
> arch/loongarch/configs/loongson32_defconfig | 1 -
> arch/loongarch/configs/loongson64_defconfig | 1 -
> arch/s390/configs/debug_defconfig | 1 -
> arch/s390/configs/defconfig | 1 -
> crypto/Kconfig | 10 -
> crypto/Makefile | 1 -
> crypto/pcrypt.c | 394 --------------------
> include/crypto/pcrypt.h | 39 --
> tools/crypto/tcrypt/tcrypt_speed_compare.py | 7 +-
> 10 files changed, 2 insertions(+), 460 deletions(-)
> delete mode 100644 crypto/pcrypt.c
> delete mode 100644 include/crypto/pcrypt.h
Thanks!
Reviewed-by: Thomas Huth <thuth@redhat.com>
next prev parent reply other threads:[~2026-07-14 4:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 22:32 [PATCH 0/2] Remove pcrypt Eric Biggers
2026-07-13 22:32 ` [PATCH 1/2] crypto: pcrypt - " Eric Biggers
2026-07-14 4:20 ` Thomas Huth [this message]
2026-07-13 22:32 ` [PATCH 2/2] padata: Remove serialized job support Eric Biggers
2026-07-14 4:28 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c4796562-699c-4ac2-87ea-290708ff577a@redhat.com \
--to=thuth@redhat.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.