Re: [PATCH v2] module: sign with sha512 instead of sha1 by default

From: Thorsten Leemhuis
Date: Sat Jan 04 2025 - 04:43:54 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH net-next v4 27/27] dt-bindings: net: pse-pd: ti,tps23881: Add interrupt description"
Previous message: Krzysztof Kozlowski: "Re: [PATCH net-next v4 18/27] regulator: dt-bindings: Add regulator-power-budget property"
Next in thread: Petr Pavlu: "Re: [PATCH v2] module: sign with sha512 instead of sha1 by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 20.10.24 00:57, Luis Chamberlain wrote:
> On Wed, Oct 16, 2024 at 04:18:41PM +0200, Thorsten Leemhuis wrote:
>> Switch away from using sha1 for module signing by default and use the
>> more modern sha512 instead, which is what among others Arch, Fedora,
>> RHEL, and Ubuntu are currently using for their kernels.
>>
>> Sha1 has not been considered secure against well-funded opponents since
>> 2005[1]; since 2011 the NIST and other organizations furthermore
>> recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
>> Linux 41+[3], and likely some other current and future distributions
>> reject the creation of sha1 signatures, which leads to a build error of
>> allmodconfig configurations:
>>
>> 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
>> make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
>> make[4]: *** Deleting file 'certs/signing_key.pem'
>> make[4]: *** Waiting for unfinished jobs....
>> make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
>> make[2]: *** [.../Makefile:1936: .] Error 2
>> make[1]: *** [.../Makefile:224: __sub-make] Error 2
>> make[1]: Leaving directory '...'
>> make: *** [Makefile:224: __sub-make] Error 2
>>
>> This change makes allmodconfig work again and sets a default that is
>> more appropriate for current and future users, too.
>>
>> Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
>> Link: https://csrc.nist.gov/projects/hash-functions [2]
>> Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
>> Signed-off-by: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
>
> Thanks!
>
> Tested-by: kdevops <kdevops@xxxxxxxxxxxxxxx> [0]
> Links: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 # [0]
>
> Applied and pushed!

Lo! Just wandering: what happened to that patch? That reply made me
assume that the patch was heading towards mainline, but it seems it's
not even in -next. Were there problems and it was dropped or something?

Ciao, Thorsten

Next message: Krzysztof Kozlowski: "Re: [PATCH net-next v4 27/27] dt-bindings: net: pse-pd: ti,tps23881: Add interrupt description"
Previous message: Krzysztof Kozlowski: "Re: [PATCH net-next v4 18/27] regulator: dt-bindings: Add regulator-power-budget property"
Next in thread: Petr Pavlu: "Re: [PATCH v2] module: sign with sha512 instead of sha1 by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]