Re: [PATCH] crypto: af_alg - Document the deprecation of AF_ALG

[Eric Biggers <ebiggers@kernel.org>]

On Thu, Apr 30, 2026 at 10:05:00AM +0800, Herbert Xu wrote:
> On Wed, Apr 29, 2026 at 06:15:44PM -0700, Eric Biggers wrote:
> > AF_ALG is almost completely unnecessary, and it exposes a massive attack
> > surface that hasn't been standing up to modern vulnerability discovery
> > tools.  The latest one even has its own website, providing a small
> > Python script that reliably roots most Linux distros: https://copy.fail/
> > 
> > This isn't sustainable, especially as LLMs have accelerated the rate the
> > vulnerabilities are coming in.  The effort that is being put into this
> > thing is vastly disproportional to the few programs that actually use
> > it, and those programs would be better served by userspace code anyway.
> > 
> > These issues have been noted in many mailing list discussions already.
> > But until now they haven't been reflected in the documentation or
> > kconfig menu itself, and the vulnerabilities are still coming in.
> > 
> > Let's go ahead and document the deprecation.
> > 
> > This isn't intended to change anything overnight.  After all, most Linux
> > distros won't be able to disable the kconfig options quite yet, mainly
> > because of iwd.  But this should create a bit more impetus for these
> > userspace programs to be fixed, and the documentation update should also
> > help prevent more users from appearing.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> 
> What about the exposure of akcipher through security/keys/keyctl_pkey.c?
> 
> There isn't even a Kconfig option to disable that user-space API.
> If module signatures are enabled then this automatically gets added
> to the kernel:
> 
> MODULE_SIG -> MODULE_SIG_FORMAT -> SYSTEM_DATA_VERIFICATION ->
> KEYS + ASYMMETRIC_KEY_TYPE

Yes, that would be a different patch, but KEYCTL_PKEY_* have a very
similar issue.  That should have a kconfig option added too.

I believe iwd is the main (or even only?) user there, as well.

- Eric