Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6bbb90f8 authored by Eric Biggers's avatar Eric Biggers Committed by Jaegeuk Kim
Browse files

fscrypt: remove selection of CONFIG_CRYPTO_SHA256 



fscrypt only uses SHA-256 for AES-128-CBC-ESSIV, which isn't the default
and is only recommended on platforms that have hardware accelerated
AES-CBC but not AES-XTS.  There's no link-time dependency, since SHA-256
is requested via the crypto API on first use.

To reduce bloat, we should limit FS_ENCRYPTION to selecting the default
algorithms only.  SHA-256 by itself isn't that much bloat, but it's
being discussed to move ESSIV into a crypto API template, which would
incidentally bring in other things like "authenc" support, which would
all end up being built-in since FS_ENCRYPTION is now a bool.

For Adiantum encryption we already just document that users who want to
use it have to enable CONFIG_CRYPTO_ADIANTUM themselves.  So, let's do
the same for AES-128-CBC-ESSIV and CONFIG_CRYPTO_SHA256.

Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: default avatarTheodore Ts'o <tytso@mit.edu>
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
parent f46df6a8

Documentation/filesystems/fscrypt.rst

+3 −1
Original line number Diff line number Diff line
@@ -191,7 +191,9 @@ Currently, the following pairs of encryption modes are supported: 
If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair.



AES-128-CBC was added only for low-powered embedded devices with

crypto accelerators such as CAAM or CESA that do not support XTS.

crypto accelerators such as CAAM or CESA that do not support XTS.  To

use AES-128-CBC, CONFIG_CRYPTO_SHA256 (or another SHA-256

implementation) must be enabled so that ESSIV can be used.



Adiantum is a (primarily) stream cipher-based mode that is fast even

on CPUs without dedicated crypto instructions.  It's also a true

fs/crypto/Kconfig

+0 −1
Original line number Diff line number Diff line
@@ -6,7 +6,6 @@ config FS_ENCRYPTION 
	select CRYPTO_ECB

	select CRYPTO_XTS

	select CRYPTO_CTS

	select CRYPTO_SHA256

	select KEYS

	help

	  Enable encryption of files and directories.  This