git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
6.6-stable patches
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Apr 2025 09:18:21 +0000 (11:18 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Apr 2025 09:18:21 +0000 (11:18 +0200)
added patches:
module-sign-with-sha512-instead-of-sha1-by-default.patch
series

queue-6.6/module-sign-with-sha512-instead-of-sha1-by-default.patch [new file with mode: 0644]
queue-6.6/series [new file with mode: 0644]

diff --git a/queue-6.6/module-sign-with-sha512-instead-of-sha1-by-default.patch b/queue-6.6/module-sign-with-sha512-instead-of-sha1-by-default.patch
new file mode 100644 (file)
index 0000000..4286187
--- /dev/null
@@ -0,0 +1,57 @@
+From f3b93547b91ad849b58eb5ab2dd070950ad7beb3 Mon Sep 17 00:00:00 2001
+From: Thorsten Leemhuis <linux@leemhuis.info>
+Date: Wed, 16 Oct 2024 16:18:41 +0200
+Subject: module: sign with sha512 instead of sha1 by default
+
+From: Thorsten Leemhuis <linux@leemhuis.info>
+
+commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.
+
+Switch away from using sha1 for module signing by default and use the
+more modern sha512 instead, which is what among others Arch, Fedora,
+RHEL, and Ubuntu are currently using for their kernels.
+
+Sha1 has not been considered secure against well-funded opponents since
+2005[1]; since 2011 the NIST and other organizations furthermore
+recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
+Linux 41+[3], and likely some other current and future distributions
+reject the creation of sha1 signatures, which leads to a build error of
+allmodconfig configurations:
+
+  80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
+  make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
+  make[4]: *** Deleting file 'certs/signing_key.pem'
+  make[4]: *** Waiting for unfinished jobs....
+  make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
+  make[2]: *** [.../Makefile:1936: .] Error 2
+  make[1]: *** [.../Makefile:224: __sub-make] Error 2
+  make[1]: Leaving directory '...'
+  make: *** [Makefile:224: __sub-make] Error 2
+
+This change makes allmodconfig work again and sets a default that is
+more appropriate for current and future users, too.
+
+Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
+Link: https://csrc.nist.gov/projects/hash-functions [2]
+Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
+Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: kdevops <kdevops@lists.linux.dev> [0]
+Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0]
+Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/module/Kconfig
++++ b/kernel/module/Kconfig
+@@ -229,6 +229,7 @@ comment "Do not forget to sign required
+ choice
+       prompt "Which hash algorithm should modules be signed with?"
+       depends on MODULE_SIG || IMA_APPRAISE_MODSIG
++      default MODULE_SIG_SHA512
+       help
+         This determines which sort of hashing algorithm will be used during
+         signature generation.  This algorithm _must_ be built into the kernel
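Review bot: The added `default MODULE_SIG_SHA512` line in the kernel/module/Kconfig choice only applies when no hash choice is already recorded, so a 6.6 .config that has sha1 selected keeps it after this backport and will still hit the `invalid digest` error at certs/signing_key.pem on an OpenSSL that rejects sha1 signatures. The commit message says the change makes allmodconfig work again but does not say that existing configurations need the choice switched by hand; a sentence to that effect would help stable users. The help text in the trailing context also says the algorithm _must_ be built into the kernel, so it is worth confirming that the MODULE_SIG_SHA512 entry in the 6.6 tree pulls in the SHA-512 implementation, since that entry is not visible in this hunk.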
diff --git a/queue-6.6/series b/queue-6.6/series
new file mode 100644 (file)
index 0000000..673df00
--- /dev/null
@@ -0,0 +1 @@
+module-sign-with-sha512-instead-of-sha1-by-default.patch