| Message ID | 20250217185105.26751-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | Revert "fsverity: relax build time dependency on CRYPTO_SHA256" | expand |
On Mon, 17 Feb 2025 at 19:51, Eric Biggers <ebiggers@kernel.org> wrote: > > From: Eric Biggers <ebiggers@google.com> > > This reverts commit e3a606f2c544b231f6079c8c5fea451e772e1139 because it > allows people to create broken configurations that enable FS_VERITY but > not SHA-256 support. > > The commit did allow people to disable the generic SHA-256 > implementation when it's not needed. But that at best allowed saving a > bit of code. In the real world people are unlikely to intentionally and > correctly make such a tweak anyway, as they tend to just be confused by > what all the different crypto kconfig options mean. > > Of course we really need the crypto API to enable the correct > implementations automatically, but that's for a later fix. > > Cc: Ard Biesheuvel <ardb@kernel.org> > Cc: Herbert Xu <herbert@gondor.apana.org.au> > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/verity/Kconfig | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > Acked-by: Ard Biesheuvel <ardb@kernel.org> > diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig > index e1036e5353521..40569d3527a71 100644 > --- a/fs/verity/Kconfig > +++ b/fs/verity/Kconfig > @@ -2,17 +2,13 @@ > > config FS_VERITY > bool "FS Verity (read-only file-based authenticity protection)" > select CRYPTO > select CRYPTO_HASH_INFO > - # SHA-256 is implied as it's intended to be the default hash algorithm. > + # SHA-256 is selected as it's intended to be the default hash algorithm. > # To avoid bloat, other wanted algorithms must be selected explicitly. > - # Note that CRYPTO_SHA256 denotes the generic C implementation, but > - # some architectures provided optimized implementations of the same > - # algorithm that may be used instead. In this case, CRYPTO_SHA256 may > - # be omitted even if SHA-256 is being used. > - imply CRYPTO_SHA256 > + select CRYPTO_SHA256 > help > This option enables fs-verity. fs-verity is the dm-verity > mechanism implemented at the file level. On supported > filesystems (currently ext4, f2fs, and btrfs), userspace can > use an ioctl to enable verity for a file, which causes the > > base-commit: 0ad2507d5d93f39619fc42372c347d6006b64319 > -- > 2.48.1 >
diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig index e1036e5353521..40569d3527a71 100644 --- a/fs/verity/Kconfig +++ b/fs/verity/Kconfig @@ -2,17 +2,13 @@ config FS_VERITY bool "FS Verity (read-only file-based authenticity protection)" select CRYPTO select CRYPTO_HASH_INFO - # SHA-256 is implied as it's intended to be the default hash algorithm. + # SHA-256 is selected as it's intended to be the default hash algorithm. # To avoid bloat, other wanted algorithms must be selected explicitly. - # Note that CRYPTO_SHA256 denotes the generic C implementation, but - # some architectures provided optimized implementations of the same - # algorithm that may be used instead. In this case, CRYPTO_SHA256 may - # be omitted even if SHA-256 is being used. - imply CRYPTO_SHA256 + select CRYPTO_SHA256 help This option enables fs-verity. fs-verity is the dm-verity mechanism implemented at the file level. On supported filesystems (currently ext4, f2fs, and btrfs), userspace can use an ioctl to enable verity for a file, which causes the