Merge tag 'modules-7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules...

Pull module updates from Sami Tolvanen:
 "Module signing:

   - Remove SHA-1 support for signing modules.

     SHA-1 is no longer considered secure for signatures due to
     vulnerabilities that can lead to hash collisions. None of the major
     distributions use SHA-1 anymore, and the kernel has defaulted to
     SHA-512 since v6.11.

     Note that loading SHA-1 signed modules is still supported.

   - Update scripts/sign-file to use only the OpenSSL CMS API for
     signing.

     As SHA-1 support is gone, we can drop the legacy PKCS#7 API which
     was limited to SHA-1. This also cleans up support for legacy
     OpenSSL versions.

  Cleanups and fixes:

   - Use system_dfl_wq instead of the per-cpu system_wq following the
     ongoing workqueue API refactoring.

   - Avoid open-coded kvrealloc() in module decompression logic by using
     the standard helper.

   - Improve section annotations by replacing the custom __modinit with
     __init_or_module and removing several unused __INIT*_OR_MODULE
     macros.

   - Fix kernel-doc warnings in include/linux/moduleparam.h.

   - Ensure set_module_sig_enforced is only declared when module signing
     is enabled.

   - Fix gendwarfksyms build failures on 32-bit hosts.

  MAINTAINERS:

   - Update the module subsystem entry to reflect the maintainer
     rotation and update the git repository link"

* tag 'modules-7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux:
  modules: moduleparam.h: fix kernel-doc comments
  module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
  module/decompress: Avoid open-coded kvrealloc()
  gendwarfksyms: Fix build on 32-bit hosts
  sign-file: Use only the OpenSSL CMS API for signing
  module: Remove SHA-1 support for module signing
  module: replace use of system_wq with system_dfl_wq
  params: Replace __modinit with __init_or_module
  module: Remove unused __INIT*_OR_MODULE macros
  MAINTAINERS: Update module subsystem maintainers and repository

diff --cc MAINTAINERS
Simple merge

diff --cc scripts/sign-file.c
index 78276b15ab23c87950170c5d21d954f0766b3b94,16f2bf2e1e3ce1ab8f193f7bf79c457d716aaf47..73fbefd2e540189072a87a11921fc61148bebbfb
--- 1/scripts/sign-file.c
--- 2/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@@ -314,49 -271,20 +271,39 @@@ int main(int argc, char **argv
                digest_algo = EVP_get_digestbyname(hash_algo);
                ERR(!digest_algo, "EVP_get_digestbyname");
  
- #ifndef USE_PKCS7
- 
 +              unsigned int flags =
 +                      CMS_NOCERTS |
++                      CMS_NOATTR |
 +                      CMS_PARTIAL |
 +                      CMS_BINARY |
 +                      CMS_DETACHED |
 +                      CMS_STREAM  |
 +                      CMS_NOSMIMECAP |
 +#ifdef CMS_NO_SIGNING_TIME
 +                      CMS_NO_SIGNING_TIME |
 +#endif
 +                      use_keyid;
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
 +              if (EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
 +                  EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
 +                  EVP_PKEY_is_a(private_key, "ML-DSA-87")) {
 +                       /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
 +                        * and before.
 +                        */
-                       use_signed_attrs = 0;
++                      flags &= ~CMS_NOATTR;
 +              }
 +#endif
 +
-               flags |= use_signed_attrs;
- 
                /* Load the signature message from the digest buffer. */
 -              cms = CMS_sign(NULL, NULL, NULL, NULL,
 -                             CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
 -                             CMS_DETACHED | CMS_STREAM);
 +              cms = CMS_sign(NULL, NULL, NULL, NULL, flags);
                ERR(!cms, "CMS_sign");
  
 -              ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 -                                   CMS_NOCERTS | CMS_BINARY |
 -                                   CMS_NOSMIMECAP | CMS_NOATTR |
 -                                   use_keyid),
 +              ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags),
                    "CMS_add1_signer");
 -              ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1,
 +              ERR(CMS_final(cms, bm, NULL, flags) != 1,
                    "CMS_final");
  
- #else
-               pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
-                                  PKCS7_NOCERTS | PKCS7_BINARY |
-                                  PKCS7_DETACHED | use_signed_attrs);
-               ERR(!pkcs7, "PKCS7_sign");
- #endif
- 
                if (save_sig) {
                        char *sig_file_name;
                        BIO *b;