From: Greg Kroah-Hartman Date: Fri, 25 Apr 2025 09:17:40 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.293~97 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=36c30be0d736a794227b6b1660575e8abca76392;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: module-sign-with-sha512-instead-of-sha1-by-default.patch --- diff --git a/queue-5.10/module-sign-with-sha512-instead-of-sha1-by-default.patch b/queue-5.10/module-sign-with-sha512-instead-of-sha1-by-default.patch new file mode 100644 index 0000000000..6e2bd691cc --- /dev/null +++ b/queue-5.10/module-sign-with-sha512-instead-of-sha1-by-default.patch 
@@ -0,0 +1,57 @@ +From f3b93547b91ad849b58eb5ab2dd070950ad7beb3 Mon Sep 17 00:00:00 2001 +From: Thorsten Leemhuis +Date: Wed, 16 Oct 2024 16:18:41 +0200 +Subject: module: sign with sha512 instead of sha1 by default + +From: Thorsten Leemhuis + +commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream. + +Switch away from using sha1 for module signing by default and use the +more modern sha512 instead, which is what among others Arch, Fedora, +RHEL, and Ubuntu are currently using for their kernels. + +Sha1 has not been considered secure against well-funded opponents since +2005[1]; since 2011 the NIST and other organizations furthermore +recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora +Linux 41+[3], and likely some other current and future distributions +reject the creation of sha1 signatures, which leads to a build error of +allmodconfig configurations: + + 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: + make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 + make[4]: *** Deleting file 'certs/signing_key.pem' + make[4]: *** Waiting for unfinished jobs.... + make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 + make[2]: *** [.../Makefile:1936: .] Error 2 + make[1]: *** [.../Makefile:224: __sub-make] Error 2 + make[1]: Leaving directory '...' + make: *** [Makefile:224: __sub-make] Error 2 + +This change makes allmodconfig work again and sets a default that is +more appropriate for current and future users, too. 
+ +Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] +Link: https://csrc.nist.gov/projects/hash-functions [2] +Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] +Signed-off-by: Thorsten Leemhuis +Reviewed-by: Sami Tolvanen +Tested-by: kdevops [0] +Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0] +Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info +Signed-off-by: Petr Pavlu +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -2211,6 +2211,7 @@ comment "Do not forget to sign required + choice + prompt "Which hash algorithm should modules be signed with?" + depends on MODULE_SIG ++ default MODULE_SIG_SHA512 + help + This determines which sort of hashing algorithm will be used during + signature generation. This algorithm _must_ be built into the kernel diff --git a/queue-5.10/series b/queue-5.10/series index cbc17e1151..f85612522c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -134,6 +134,7 @@ virtiofs-add-filesystem-context-source-name-check.patch perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch +module-sign-with-sha512-instead-of-sha1-by-default.patch drm-repaper-fix-integer-overflows-in-repeat-functions.patch drm-amd-pm-powerplay-prevent-division-by-zero.patch drm-amd-pm-powerplay-hwmgr-smu7_thermal-prevent-division-by-zero.patch
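Review bot: the inner init/Kconfig hunk only adds `default MODULE_SIG_SHA512` to the choice block, which changes nothing for an existing 5.10 .config that already records a SHA-1 choice; such builds will still hit the OpenSSL `invalid digest` failure at certs/Makefile:53 quoted in the commit message, so the stable backport should say that users carrying an old config must switch the "Which hash algorithm should modules be signed with?" choice themselves rather than expect this change to fix their build. Also worth a check before queuing: the help text directly below the added line says the chosen algorithm "_must_ be built into the kernel", so confirm that the MODULE_SIG_SHA512 entry in 5.10's init/Kconfig still pulls in the sha512 crypto implementation the way the upstream tree does, otherwise a fresh default config would sign modules with a hash the running kernel cannot verify at module load.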