lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c5e7cf16-4a2b-4fb5-9fe7-a25c6768bf36@leemhuis.info>
Date: Mon, 6 Jan 2025 15:24:37 +0100
From: Thorsten Leemhuis <linux@...mhuis.info>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>,
 Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez
 <da.gomez@...sung.com>, linux-modules@...r.kernel.org,
 Masahiro Yamada <masahiroy@...nel.org>, linux-kbuild@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] module: sign with sha512 instead of sha1 by default



On 06.01.25 15:05, Petr Pavlu wrote:
> On 1/4/25 10:43, Thorsten Leemhuis wrote:
>> On 20.10.24 00:57, Luis Chamberlain wrote:
>>> On Wed, Oct 16, 2024 at 04:18:41PM +0200, Thorsten Leemhuis wrote:
>>>> Switch away from using sha1 for module signing by default and use the
>>>> more modern sha512 instead, which is what among others Arch, Fedora,
>>>> RHEL, and Ubuntu are currently using for their kernels.
>>>>
>>>> Sha1 has not been considered secure against well-funded opponents since
>>>> 2005[1]; since 2011 the NIST and other organizations furthermore
>>>> recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
>>>> Linux 41+[3], and likely some other current and future distributions
>>>> reject the creation of sha1 signatures, which leads to a build error of
>>>> allmodconfig configurations:
>>>>
>>>>   80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
>>>>   make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
>>>>   make[4]: *** Deleting file 'certs/signing_key.pem'
>>>>   make[4]: *** Waiting for unfinished jobs....
>>>>   make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
>>>>   make[2]: *** [.../Makefile:1936: .] Error 2
>>>>   make[1]: *** [.../Makefile:224: __sub-make] Error 2
>>>>   make[1]: Leaving directory '...'
>>>>   make: *** [Makefile:224: __sub-make] Error 2
>>>>
>>>> This change makes allmodconfig work again and sets a default that is
>>>> more appropriate for current and future users, too.
>>>>
>>>> Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
>>>> Link: https://csrc.nist.gov/projects/hash-functions [2]
>>>> Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
>>>> Signed-off-by: Thorsten Leemhuis <linux@...mhuis.info>
>>>
>>> Thanks!
>>>
>>> Tested-by: kdevops <kdevops@...ts.linux.dev> [0]
>>> Links: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 # [0]
>>>
>>> Applied and pushed!
>>
>> Lo! Just wandering:
             ^

Seems it was "let's start the year with a stupid typo in a public
message" time... :-D

>> what happened to that patch? That reply made me
>> assume that the patch was heading towards mainline, but it seems it's
>> not even in -next. Were there problems and it was dropped or something?
> 
> I can't recall that there was any problem with this patch, I assume it
> felt through by some accident. I've now queued it on modules-next.

Great, thx!

Ciao, Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ