| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d9ace384-07bb-4fa4-9590-9f739be8e3f5@suse.com> Date: Mon, 6 Jan 2025 15:05:06 +0100 From: Petr Pavlu <petr.pavlu@...e.com> To: Thorsten Leemhuis <linux@...mhuis.info> Cc: Luis Chamberlain <mcgrof@...nel.org>, Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, linux-modules@...r.kernel.org, Masahiro Yamada <masahiroy@...nel.org>, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] module: sign with sha512 instead of sha1 by default On 1/4/25 10:43, Thorsten Leemhuis wrote: > On 20.10.24 00:57, Luis Chamberlain wrote: >> On Wed, Oct 16, 2024 at 04:18:41PM +0200, Thorsten Leemhuis wrote: >>> Switch away from using sha1 for module signing by default and use the >>> more modern sha512 instead, which is what among others Arch, Fedora, >>> RHEL, and Ubuntu are currently using for their kernels. >>> >>> Sha1 has not been considered secure against well-funded opponents since >>> 2005[1]; since 2011 the NIST and other organizations furthermore >>> recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora >>> Linux 41+[3], and likely some other current and future distributions >>> reject the creation of sha1 signatures, which leads to a build error of >>> allmodconfig configurations: >>> >>> 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: >>> make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 >>> make[4]: *** Deleting file 'certs/signing_key.pem' >>> make[4]: *** Waiting for unfinished jobs.... >>> make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 >>> make[2]: *** [.../Makefile:1936: .] Error 2 >>> make[1]: *** [.../Makefile:224: __sub-make] Error 2 >>> make[1]: Leaving directory '...' >>> make: *** [Makefile:224: __sub-make] Error 2 >>> >>> This change makes allmodconfig work again and sets a default that is >>> more appropriate for current and future users, too. >>> >>> Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] >>> Link: https://csrc.nist.gov/projects/hash-functions [2] >>> Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] >>> Signed-off-by: Thorsten Leemhuis <linux@...mhuis.info> >> >> Thanks! >> >> Tested-by: kdevops <kdevops@...ts.linux.dev> [0] >> Links: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 # [0] >> >> Applied and pushed! > > Lo! Just wandering: what happened to that patch? That reply made me > assume that the patch was heading towards mainline, but it seems it's > not even in -next. Were there problems and it was dropped or something? I can't recall that there was any problem with this patch, I assume it felt through by some accident. I've now queued it on modules-next. -- Thanks, Petr
Powered by blists - more mailing lists