Linux kernel maintainers are working on a new sysctl parameter that would allow administrators to restrict or disable the AF_ALG cryptographic interface at runtime, according to a report from Phoronix. The change, reportedly slated for kernel version 7.3, would represent the next step in a phased effort to retire an interface that has drawn sustained criticism over its security implications.

AF_ALG provides a mechanism for user-space applications to access the kernel's internal cryptographic routines directly. The interface has been characterized as a significant attack surface due to its broad exposure and complex implementation. In kernel 7.2, several AF_ALG features were removed as part of an initial deprecation push.

The proposed sysctl parameter is intended to give administrators a runtime option for closing off AF_ALG on systems that do not depend on it for legacy application support. The exact name of the parameter has not been finalized; it may ship as restrict_af_alg or an alternative designation. The core capability, however, would allow systems to reduce their attack surface without reconfiguration or downtime.

The development aligns with a broader industry trend toward offloading cryptographic operations to audited user-space libraries such as OpenSSL or libsodium rather than relying on kernel-level interfaces. Kernel developers have pursued this staged approach—feature removal in one release, runtime controls in the next—to give the ecosystem time to migrate away from AF_ALG while maintaining backward compatibility.

System administrators managing Linux infrastructure should consider auditing their environments for AF_ALG dependencies in advance of the 7.3 release. Identifying any legacy applications that rely on the interface now will help teams prepare migration paths to modern cryptographic libraries, enabling them to adopt the new restriction once it becomes available.

Readers should note that specific details, including the kernel version timeline and parameter naming, are based on the Phoronix report and remain subject to change as development progresses.


據 Phoronix 報導,Linux 內核維護者正開發一個新的 sysctl 參數,該參數將允許管理員在運行時限制或禁用 AF_ALG 加密介面。據悉,這項變更計劃用於 7.3 版內核,將代表分階段淘汰一個因安全影響而持續受到批評的介面的下一步。

AF_ALG 提供了一個機制,讓用戶空間應用程式可以直接訪問內核的內部加密例程。由於其廣泛的暴露面和複雜的實現方式,該介面被認為是一個重要的攻擊面。在 7.2 版內核中,作為初步棄用推動的一部分,已移除了 AF_ALG 的多項功能。

擬議的 sysctl 參數旨在為管理員提供一個運行時選項,以便在無需依賴 AF_ALG 支援舊版應用程式的系統上將其關閉。該參數的具體名稱尚未最終確定;可能會以 restrict_af_alg 或其他名稱推出。然而,其核心功能將使系統能夠在無需重新配置或停機的情況下減少其攻擊面。

此開發工作符合更廣泛的行業趨勢,即將加密操作轉移到經過審計的用戶空間函式庫(如 OpenSSL 或 libsodium),而非依賴內核級別的介面。內核開發者採取了這種分階段方法——在一個版本中移除功能,在下一個版本中引入運行時控制——旨在給予生態系統時間從 AF_ALG 遷移,同時維持向後兼容性。

管理 Linux 基礎設施的系統管理員應考慮在 7.3 版本發佈前,審計其環境中 AF_ALG 的依賴情況。現在識別任何依賴該介面的舊版應用程式,將有助於團隊準備遷移至現代加密函式庫的路徑,使他們能夠在新的限制措施推出時立即採用。

讀者應注意,具體細節(包括內核版本時間表和參數命名)基於 Phoronix 的報導,並可能隨著開發進展而有所變更。

新聞來源 / Original News Source