[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZTIWHwTr7YKvvov0@gondor.apana.org.au>
Date: Fri, 20 Oct 2023 13:54:39 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Dimitri John Ledkov <dimitri.ledkov@...onical.com>
Cc: David Howells <dhowells@...hat.com>,
"David S. Miller" <davem@...emloft.net>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] crypto: mscode_parser: remove sha224 authenticode support
On Tue, Oct 10, 2023 at 10:25:29PM +0100, Dimitri John Ledkov wrote:
> It is possible to stand up own certificates and sign PE-COFF binaries
> using SHA-224. However it never became popular or needed since it has
> similar costs as SHA-256. Windows Authenticode infrastructure never
> had support for SHA-224, and all secureboot keys used fro linux
> vmlinuz have always been using at least SHA-256.
>
> Given the point of mscode_parser is to support interoperatiblity with
> typical de-facto hashes, remove support for SHA-224 to avoid
> posibility of creating interoperatibility issues with rhboot/shim,
> grub, and non-linux systems trying to sign or verify vmlinux.
>
> SHA-224 itself is not removed from the kernel, as it is truncated
> SHA-256. If requested I can write patches to remove SHA-224 support
> across all of the drivers.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@...onical.com>
> ---
> crypto/asymmetric_keys/mscode_parser.c | 3 ---
> 1 file changed, 3 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists