The Hog wrote: > I have read some docs about dm-crypt and the crypto-api. It seems that the > crypto stuff is added to the kernel since 2.6.4. A possibility thus would be > to use an older kernel that does not contain the crypto stuff. Will a 2.4 > kernel do, or does that also contain crypto algo's?
I don't think CryptoAPI infrastructure is the issue. The particular algorithms are. I.e. disable all algorithms in "make menuconfig" -> "Cryptographic options" and remove the source files from linux/crypto/ You can leave the "Null algorithms" there, they'll hardly be considered "cryptographically secure". Also think about some hardare specific drivers. While PadLock and S/390 are probably harmless as they don't implement the algorithms but only call hardware to do it, things like aes-i586 or aes-x86_64 are to be removed as well. You're right that CryptoAPI was added in 2.6 kernels, however I'm not sure that some other parts of the kernel don't have their own crypto implementations. There probably won't be any cipher algos lying around, but I'm not so sure about digests. IIRC PRNG has some form of stripped down MD4 (?) in it. There is linux/lib/sha1.c (and arch/arm/lib/sha1.c) that is used in multiple places (e.g. IPv4 SynCookies). CIFS filesystem seems to have MD4 and MD5 implementations. Etc. I just did a quick find && grep to get these results. The question is what algorithms are considered non-exportable. Does MD5 qualify now that it's proven to be weak? Can you export SHA1? In other words, you can quite easily remove sources of crypto/<algos>.c and things will work. However take care of other "hidden" implementations of digest algorithms in the kernel, these could have been present in older 2.4 kernels as well. To find out, simply remove lib/sha1.c and see what breaks ;-) HTH, Michal - To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
