Message-ID: <c94590a5-4121-497b-8529-cbab2b01fe51@leemhuis.info>
Date: Fri, 11 Oct 2024 12:27:54 +0200
From: Thorsten Leemhuis <linux@...mhuis.info>
To: Sami Tolvanen <samitolvanen@...gle.com>
Cc: sedat.dilek@...il.com, Luis Chamberlain <mcgrof@...nel.org>,
Petr Pavlu <petr.pavlu@...e.com>, Daniel Gomez <da.gomez@...sung.com>,
linux-modules@...r.kernel.org, Masahiro Yamada <masahiroy@...nel.org>,
linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1] module: sign with sha512 by default to avoid build errors
On 10.10.24 17:52, Sami Tolvanen wrote:
Thx for your feedback!
> On Thu, Oct 10, 2024 at 1:57 AM Thorsten Leemhuis <linux@...mhuis.info> wrote:
>> On 10.10.24 10:42, Sedat Dilek wrote:
>>> On Thu, Oct 10, 2024 at 10:29 AM Sedat Dilek <sedat.dilek@...il.com> wrote:
>>>> On Thu, Oct 10, 2024 at 10:19 AM Thorsten Leemhuis <linux@...mhuis.info> wrote:
>>>>> On 10.10.24 09:00, Thorsten Leemhuis wrote:
>
>> P.S.: Vegard Nossum mentioned in the fediverse that I could also solve
>> the problem the patch is about by adding "default MODULE_SIG_SHA512" to
>> the "choice" section; haven't tried that, but that sounds like a better
>> solution. Will likely give it a try, unless someone brings up unwanted
>> side effects this might cause.
>
> Yes, that would be a much better way to change the default. Overall,
> moving away from SHA-1 seems like a good idea and SHA-512 feels like a
> reasonable choice. Luis, do you see any issues with changing the
> default here?
So, how do I make such a default choice work without breaking the
current magic, which looks like this:
"""
config MODULE_SIG_HASH
string
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
default "sha1" if MODULE_SIG_SHA1
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
default "sha3-256" if MODULE_SIG_SHA3_256
default "sha3-384" if MODULE_SIG_SHA3_384
default "sha3-512" if MODULE_SIG_SHA3_512
"""
Reordering those did not do the trick. And I suspect adding a
default "sha512"
would break the magic. Would dropping sha1, sha256 and sha384 from the
list be a middle ground that could work for everyone?
Ciao, Thorsten
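How a `default` statement inside the `choice` block combines with the MODULE_SIG_HASH string config quoted above, as an added Kconfig illustration that is not part of the thread or of the kernel tree (the prompt text and the `bool` labels are assumed, and the `select` lines for the crypto implementations are left out):

```kconfig
choice
	prompt "Hash algorithm to sign modules with"
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	# A choice-level default names one of the choice's own symbols.
	# It only decides which entry is pre-selected when .config does not
	# already carry a value for this choice, so an existing config that
	# chose SHA-1 explicitly keeps SHA-1; a fresh config gets SHA-512.
	default MODULE_SIG_SHA512

config MODULE_SIG_SHA1
	bool "Sign modules with SHA-1"

config MODULE_SIG_SHA256
	bool "Sign modules with SHA-256"

config MODULE_SIG_SHA384
	bool "Sign modules with SHA-384"

config MODULE_SIG_SHA512
	bool "Sign modules with SHA-512"

config MODULE_SIG_SHA3_256
	bool "Sign modules with SHA3-256"

config MODULE_SIG_SHA3_384
	bool "Sign modules with SHA3-384"

config MODULE_SIG_SHA3_512
	bool "Sign modules with SHA3-512"

endchoice

# Unchanged from the quoted snippet: the string simply follows whichever
# choice symbol ended up 'y', so no reordering of these lines is needed
# and no unconditional default "sha512" has to be added here.
config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512
	default "sha3-256" if MODULE_SIG_SHA3_256
	default "sha3-384" if MODULE_SIG_SHA3_384
	default "sha3-512" if MODULE_SIG_SHA3_512
```

Running `make defconfig` or `make olddefconfig` on a config without any MODULE_SIG_SHA* entry then yields CONFIG_MODULE_SIG_SHA512=y and CONFIG_MODULE_SIG_HASH="sha512", while a config that already sets CONFIG_MODULE_SIG_SHA1=y is left alone.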