Bug#976635: linux-image-arm64: Accelerated crypto modules missing from kernel config
Package: linux-image-arm64
Version: 5.9.6-1~bpo10+1
Severity: important
Dear Maintainer,
Currently, arm64 kernel packages are built with the following Kconfig symbols unset:
# CONFIG_CRYPTO_SHA512_ARM64 is not set
# CONFIG_CRYPTO_SHA512_ARM64_CE is not set
# CONFIG_CRYPTO_SHA3_ARM64 is not set
# CONFIG_CRYPTO_SM3_ARM64_CE is not set
# CONFIG_CRYPTO_SM4_ARM64_CE is not set
# CONFIG_CRYPTO_CRCT10DIF_ARM64_CE is not set
# CONFIG_CRYPTO_AES_ARM64_NEON_BLK is not set
# CONFIG_CRYPTO_AES_ARM64_BS is not set
Please consider enabling these as modules. The latter two are especially relevant, given that scalar AES is susceptible to known-plaintext attacks on the key due to the fact that it is not time invariant. While most arm64 SoCs implement the AES instructions and therefore don't rely on these modules, notable SoCs such as the Raspberry Pi 3 and 4 can only use the NEON version which is not enabled here. (And on these platforms, these are substantially faster too)
-- System Information:
Debian Release: 10.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: arm64 (aarch64)
Kernel: Linux 5.9.0-0.bpo.2-arm64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-arm64 depends on:
ii linux-image-5.9.0-0.bpo.2-arm64 5.9.6-1~bpo10+1
linux-image-arm64 recommends no packages.
linux-image-arm64 suggests no packages.
-- no debconf information
Reply to: