[RFC PATCH v1] module: sign with sha512 by default to avoid build errors

From: Thorsten Leemhuis
Date: Thu Oct 10 2024 - 03:01:05 EST

Next message: Jan Beulich: "Re: [PATCH] xen: Remove config dependency in XEN_PRIVCMD definition"
Previous message: Karol Kosik: "[PATCH] ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set()"
Next in thread: Thorsten Leemhuis: "Re: [RFC PATCH v1] module: sign with sha512 by default to avoid build errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Avoid build errors with allmodconfig on Fedora Linux 41+ by reordering
the Kconfig choices so modules are signed with sha512 by default. That
way sha1 will be avoided, which beforehand was chosen by default on
x86_64 when running allmodconfig -- which on the latest Fedora leads to
the following build error when building the certs/ directory:

80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
make[4]: *** Deleting file 'certs/signing_key.pem'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
make[2]: *** [.../Makefile:1936: .] Error 2
make[1]: *** [.../Makefile:224: __sub-make] Error 2
make[1]: Leaving directory '...'
make: *** [Makefile:224: __sub-make] Error 2

OpenSSL causes that error, as it now distrusts sha1 signatures by
default on Fedora[1]. This can be worked around locally by switching to
an earlier policy using 'update-crypto-policies --set FEDORA40'.

This change makes things work by default again and will avoid similar
problems on other distributions, as those sooner or later are likely to
apply similar measures; for regular users this likely is a wise move,
too.

Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [1]
Signed-off-by: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
---

Lo! This is a submission in the style of "I don't know what I'm doing
and this patch is mainly meant to start a discussion to resolve a
problem I ran into". The patch solved the problem for me, but there
might be a better way to make Kconfig use sha512 by default -- ideally
while keeping the menu in an order that makes more sense for humans.

I furthermore chose sha512 without any strong reasons; I first
considered sha256, but then settled on sha512 because Fedora uses it. So
I'm not attached to this. Ciao, Thorsten
---
kernel/module/Kconfig | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 7c6588148d42d3..3647ff25d49d67 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -238,18 +238,6 @@ choice
possible to load a signed module containing the algorithm to check
the signature on that module.

-config MODULE_SIG_SHA1
- bool "SHA-1"
- select CRYPTO_SHA1
-
-config MODULE_SIG_SHA256
- bool "SHA-256"
- select CRYPTO_SHA256
-
-config MODULE_SIG_SHA384
- bool "SHA-384"
- select CRYPTO_SHA512
-
config MODULE_SIG_SHA512
bool "SHA-512"
select CRYPTO_SHA512
@@ -266,6 +254,18 @@ config MODULE_SIG_SHA3_512
bool "SHA3-512"
select CRYPTO_SHA3

+config MODULE_SIG_SHA384
+ bool "SHA-384"
+ select CRYPTO_SHA512
+
+config MODULE_SIG_SHA256
+ bool "SHA-256"
+ select CRYPTO_SHA256
+
+config MODULE_SIG_SHA1
+ bool "SHA-1"
+ select CRYPTO_SHA1
+
endchoice

config MODULE_SIG_HASH

base-commit: d3d1556696c1a993eec54ac585fe5bf677e07474
--
2.45.0

Next message: Jan Beulich: "Re: [PATCH] xen: Remove config dependency in XEN_PRIVCMD definition"
Previous message: Karol Kosik: "[PATCH] ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set()"
Next in thread: Thorsten Leemhuis: "Re: [RFC PATCH v1] module: sign with sha512 by default to avoid build errors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]