git.ipfire.org Git - thirdparty/linux.git/commit

author	Petr Pavlu <petr.pavlu@suse.com>
	Tue, 11 Nov 2025 15:48:32 +0000 (16:48 +0100)
committer	Sami Tolvanen <samitolvanen@google.com>
	Mon, 22 Dec 2025 16:35:54 +0000 (16:35 +0000)
commit	d7afd65b4acc775df872af30948dd7c196587169
tree	f8f55a9bda4310abccff4751ef404ce10c3f32cb	tree
parent	148519a06304af4e6fbb82f20e1a4480e2c1b126	commit \| diff

sign-file: Use only the OpenSSL CMS API for signing

The USE_PKCS7 code in sign-file utilizes PKCS7_sign(), which allows signing
only with SHA-1. Since SHA-1 support for module signing has been removed,
drop the use of the OpenSSL PKCS7 API by the tool in favor of using only
the newer CMS API.

The use of the PKCS7 API is selected by the following:

#if defined(LIBRESSL_VERSION_NUMBER) || \
OPENSSL_VERSION_NUMBER < 0x10000000L || \
defined(OPENSSL_NO_CMS)
#define USE_PKCS7
#endif

Looking at the individual ifdefs:

* LIBRESSL_VERSION_NUMBER: LibreSSL added the CMS API implementation from
  OpenSSL in 3.1.0, making the ifdef no longer relevant. This version was
  released on April 8, 2020.

* OPENSSL_VERSION_NUMBER < 0x10000000L: OpenSSL 1.0.0 was released on March
  29, 2010. Supporting earlier versions should no longer be necessary. The
  file Documentation/process/changes.rst already states that at least
  version 1.0.0 is required to build the kernel.

* OPENSSL_NO_CMS: OpenSSL can be configured with "no-cms" to disable CMS
  support. In this case, sign-file will no longer be usable. The CMS API
  support is now required.

In practice, since distributions now typically sign modules with SHA-2, for
which sign-file already required CMS API support, removing the USE_PKCS7
code shouldn't cause any issues.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
[Sami: Used Petr's updated commit message]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>