Message-ID: <CADWks+ZoLs1FUJx0sSg5FBYK5BtD+Po7bRORVT4uBLM6QJxXJQ@mail.gmail.com>
Date:   Wed, 25 Oct 2023 13:57:08 +0100
From:   Dimitri John Ledkov <dimitri.ledkov@...onical.com>
To:     Lukas Bulwahn <lukas.bulwahn@...il.com>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        Jonathan Corbet <corbet@....net>,
        Luis Chamberlain <mcgrof@...nel.org>,
        linux-modules@...r.kernel.org, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, linux-doc@...r.kernel.org,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] docs: module-signing: adjust guide after sha1 and sha224
 support is gone

Hi,

On Wed, 25 Oct 2023 at 11:42, Lukas Bulwahn <lukas.bulwahn@...il.com> wrote:
>
> Commit 16ab7cb5825f ("crypto: pkcs7 - remove sha1 support") and commit
> fc3225fd6f1e ("module: Do not offer sha224 for built-in module signing")
> remove sha1 and sha224 support for kernel module signing.
>
> Adjust the module-signing admin guide documentation to those changes.
>
> Signed-off-by: Lukas Bulwahn <lukas.bulwahn@...il.com>

Note I have submitted this change as part of the patch series that
adds SHA-3 over at
https://lore.kernel.org/linux-crypto/20231022182208.188714-1-dimitri.ledkov@canonical.com/T/#m81c32a65341a4de39596b72743ba38d46899016f

But indeed, if that patch series doesn't make it into the cryptodev
tree, then this documentation should go in, and the sha-3 one rebased
/ adjusted.

Sorry for not patching documentation at the same time as the code
changes that made documentation out of date.

Acked-by: Dimitri John Ledkov <dimitri.ledkov@...onical.com>

> ---
>  Documentation/admin-guide/module-signing.rst | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
> index 2898b2703297..e3ea1def4c0c 100644
> --- a/Documentation/admin-guide/module-signing.rst
> +++ b/Documentation/admin-guide/module-signing.rst
> @@ -30,8 +30,8 @@ This facility uses X.509 ITU-T standard certificates to encode the public keys
>  involved.  The signatures are not themselves encoded in any industrial standard
>  type.  The facility currently only supports the RSA public key encryption
>  standard (though it is pluggable and permits others to be used).  The possible
> -hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
> -SHA-512 (the algorithm is selected by data in the signature).
> +hash algorithms that can be used are SHA-256, SHA-384, and SHA-512 (the
> +algorithm is selected by data in the signature).
>
>
>  ==========================
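
Review bot: The rewritten sentence ("hash algorithms that can be used are SHA-256, SHA-384, and SHA-512") drops SHA-1 and SHA-224 without a word about modules that already carry such signatures, even though the parenthetical kept next to it says the algorithm is selected by data in the signature. If the two commits named in the commit message mean those modules no longer verify, a short sentence saying they must be re-signed with one of the three remaining hashes would help administrators who read this guide after an upgrade.
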
> @@ -81,8 +81,6 @@ This has a number of options available:
>       sign the modules with:
>
>          =============================== ==========================================
> -       ``CONFIG_MODULE_SIG_SHA1``      :menuselection:`Sign modules with SHA-1`
> -       ``CONFIG_MODULE_SIG_SHA224``    :menuselection:`Sign modules with SHA-224`
>         ``CONFIG_MODULE_SIG_SHA256``    :menuselection:`Sign modules with SHA-256`
>         ``CONFIG_MODULE_SIG_SHA384``    :menuselection:`Sign modules with SHA-384`
>         ``CONFIG_MODULE_SIG_SHA512``    :menuselection:`Sign modules with SHA-512`
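
Review bot: With the CONFIG_MODULE_SIG_SHA1 and CONFIG_MODULE_SIG_SHA224 rows removed, the table gives no hint to someone carrying an older configuration that set one of them. Consider one line under the table stating that these two options are gone and that such a configuration has to select SHA-256, SHA-384 or SHA-512 instead. Since the reply says the same documentation change is also part of the SHA-3 series, whichever patch lands second will need a rebase at this table.
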
> --
> 2.17.1
>


-- 
okurrr,

Dimitri
