From: Eric Biggers <ebiggers@kernel.org>
To: fsverity@lists.linux.dev
Cc: linux-crypto@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH] Revert "fsverity: relax build time dependency on CRYPTO_SHA256"
Date: Mon, 17 Feb 2025 10:51:05 -0800 [thread overview]
Message-ID: <20250217185105.26751-1-ebiggers@kernel.org> (raw)
From: Eric Biggers <ebiggers@google.com>
This reverts commit e3a606f2c544b231f6079c8c5fea451e772e1139 because it
allows people to create broken configurations that enable FS_VERITY but
not SHA-256 support.
The commit did allow people to disable the generic SHA-256
implementation when it's not needed. But that at best allowed saving a
bit of code. In the real world people are unlikely to intentionally and
correctly make such a tweak anyway, as they tend to just be confused by
what all the different crypto kconfig options mean.
Of course we really need the crypto API to enable the correct
implementations automatically, but that's for a later fix.
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
fs/verity/Kconfig | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig
index e1036e5353521..40569d3527a71 100644
--- a/fs/verity/Kconfig
+++ b/fs/verity/Kconfig
@@ -2,17 +2,13 @@
config FS_VERITY
bool "FS Verity (read-only file-based authenticity protection)"
select CRYPTO
select CRYPTO_HASH_INFO
- # SHA-256 is implied as it's intended to be the default hash algorithm.
+ # SHA-256 is selected as it's intended to be the default hash algorithm.
# To avoid bloat, other wanted algorithms must be selected explicitly.
- # Note that CRYPTO_SHA256 denotes the generic C implementation, but
- # some architectures provided optimized implementations of the same
- # algorithm that may be used instead. In this case, CRYPTO_SHA256 may
- # be omitted even if SHA-256 is being used.
- imply CRYPTO_SHA256
+ select CRYPTO_SHA256
help
This option enables fs-verity. fs-verity is the dm-verity
mechanism implemented at the file level. On supported
filesystems (currently ext4, f2fs, and btrfs), userspace can
use an ioctl to enable verity for a file, which causes the
base-commit: 0ad2507d5d93f39619fc42372c347d6006b64319
--
2.48.1
next reply other threads:[~2025-02-17 18:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-17 18:51 Eric Biggers [this message]
2025-02-17 19:15 ` [PATCH] Revert "fsverity: relax build time dependency on CRYPTO_SHA256" Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250217185105.26751-1-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=ardb@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).