]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2d9fa97)
module: sign with sha512 instead of sha1 by default
authorThorsten Leemhuis <linux@leemhuis.info>
Wed, 16 Oct 2024 14:18:41 +0000 (16:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 2 May 2025 05:41:03 +0000 (07:41 +0200)
commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.

Switch away from using sha1 for module signing by default and use the
more modern sha512 instead, which is what among others Arch, Fedora,
RHEL, and Ubuntu are currently using for their kernels.

Sha1 has not been considered secure against well-funded opponents since
2005[1]; since 2011 the NIST and other organizations furthermore
recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
Linux 41+[3], and likely some other current and future distributions
reject the creation of sha1 signatures, which leads to a build error of
allmodconfig configurations:

  80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
  make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
  make[4]: *** Deleting file 'certs/signing_key.pem'
  make[4]: *** Waiting for unfinished jobs....
  make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
  make[2]: *** [.../Makefile:1936: .] Error 2
  make[1]: *** [.../Makefile:224: __sub-make] Error 2
  make[1]: Leaving directory '...'
  make: *** [Makefile:224: __sub-make] Error 2

This change makes allmodconfig work again and sets a default that is
more appropriate for current and future users, too.

Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
Link: https://csrc.nist.gov/projects/hash-functions
Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer
Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: kdevops <kdevops@lists.linux.dev> [0]
Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330
Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
init/Kconfig patch | blob | blame | history

diff --git a/init/Kconfig b/init/Kconfig
index 9807c66b24bb6b7a4ac6035faf4d0a54f19f3eb9..4e7775279356d9f7f0c04f3855d0e5cac121947c 100644 (file)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2211,6 +2211,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
 choice
        prompt "Which hash algorithm should modules be signed with?"
        depends on MODULE_SIG
+       default MODULE_SIG_SHA512
        help
          This determines which sort of hashing algorithm will be used during
          signature generation.  This algorithm _must_ be built into the kernel
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git