Re: Re: [PATCH] backports: crypto user - make NETLINK_CRYPTO work

From: Jianmin Wang <jianmin@iscas.ac.cn>
To: gregkh@linuxfoundation.org
Cc: davem@davemloft.net, dzickus@redhat.com,
	herbert@gondor.apana.org.au, jianmin@iscas.ac.cn,
	linux-crypto@vger.kernel.org, netdev@vger.kernel.org,
	omosnace@redhat.com, smueller@chronox.de, stable@vger.kernel.org,
	steffen.klassert@secunet.com
Subject: Re: Re: [PATCH] backports: crypto user - make NETLINK_CRYPTO work
Date: Thu,  8 Apr 2021 19:11:48 +0000	[thread overview]
Message-ID: <20210408191148.51259-1-jianmin@iscas.ac.cn> (raw)
In-Reply-To: <YGs3Voq0codXCHbA@kroah.com>

On Mon, Apr 05, 2021 at 16:14 UTC, Greg KH wrote:
> On Mon, Apr 05, 2021 at 01:55:15PM +0000, Jianmin Wang wrote:
> > There is same problem found in linux 4.19.y as upstream commit. The 
> > changes of crypto_user_* and cryptouser.h files from upstream patch are merged into 
> > crypto/crypto_user.c for backporting.
> > 
> > Upstream commit:
> >     commit 91b05a7e7d8033a90a64f5fc0e3808db423e420a
> >     Author: Ondrej Mosnacek <omosnace@redhat.com>
> >     Date:   Tue,  9 Jul 2019 13:11:24 +0200
> > 
> >     Currently, NETLINK_CRYPTO works only in the init network namespace. It
> >     doesn't make much sense to cut it out of the other network namespaces,
> >     so do the minor plumbing work necessary to make it work in any network
> >     namespace. Code inspired by net/core/sock_diag.c.
> > 
> >     Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> >     Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
> > 
> > Signed-off-by: Jianmin Wang <jianmin@iscas.ac.cn>
> > ---
> >  crypto/crypto_user.c        | 37 +++++++++++++++++++++++++------------
> >  include/net/net_namespace.h |  3 +++
> >  2 files changed, 28 insertions(+), 12 deletions(-)
> 
> How does this change fit with the stable kernel rules?  It looks to be a
> new feature, if you need this, why not just use a newer kernel version?
> What is preventing you from doing that?
> 

This problem was found when we deployed new services on our container cluster, 
while the new services need to invoke libkcapi in the container environment.

We have verified that the problem doesn't exist on newer kernel version. 
However, due to many services and the cluster running on many server machines 
whose host os are long-term linux distribution with linux 4.19 kernel, it will 
cost too much to migrate them to newer os with newer kernel version. This is 
why we need to fix the problem on linux 4.19.

Only when we run docker with param --net=host, the libkcapi can be invoked 
properly. Otherwise, almost all test cases in smuellerDD/libkcapi [1] will 
failed with same error as below:

    libkcapi - Error: Netlink error: sendmsg failed
    libkcapi - Error: Netlink error: sendmsg failed
    libkcapi - Error: NETLINK_CRYPTO: cannot obtain cipher information for 
      hmac(sha1) (is required crypto_user.c patch missing? see documentation)

The cause is same as statement in upstream commit 91b05a7e, which is that 
NETLINK_CRYPTO works only in the init network namespace.

In my opinion, there are still many linux distribution running with linux 4.19 
or similar version, such as Debian 10 with linux 4.19, CentOS 8 with linux 4.18
and also their derivatives. If other people want to use libkcapi in container 
environment, they will also be bothered by this problem. [2]

So I think this patch meet two rules in stable kernel rules: It must fix a real
bug that bothers people and the upstream commit 91b05a7e exists in Linus's tree
from linux 5.4.

Thanks for your review and reply.

--
Email: Jianmin Wang <jianmin@iscas.ac.cn>