From d5310948c413c2a4373ceedb6922c8287986d04a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 25 Apr 2025 11:18:34 +0200 Subject: [PATCH] 6.12-stable patches added patches: module-sign-with-sha512-instead-of-sha1-by-default.patch series --- ...th-sha512-instead-of-sha1-by-default.patch | 57 +++++++++++++++++++ queue-6.12/series | 1 + 2 files changed, 58 insertions(+) create mode 100644 queue-6.12/module-sign-with-sha512-instead-of-sha1-by-default.patch create mode 100644 queue-6.12/series diff --git a/queue-6.12/module-sign-with-sha512-instead-of-sha1-by-default.patch b/queue-6.12/module-sign-with-sha512-instead-of-sha1-by-default.patch new file mode 100644 index 0000000000..74575a8c02 --- /dev/null +++ b/queue-6.12/module-sign-with-sha512-instead-of-sha1-by-default.patch @@ -0,0 +1,57 @@ +From f3b93547b91ad849b58eb5ab2dd070950ad7beb3 Mon Sep 17 00:00:00 2001 +From: Thorsten Leemhuis +Date: Wed, 16 Oct 2024 16:18:41 +0200 +Subject: module: sign with sha512 instead of sha1 by default + +From: Thorsten Leemhuis + +commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream. + +Switch away from using sha1 for module signing by default and use the +more modern sha512 instead, which is what among others Arch, Fedora, +RHEL, and Ubuntu are currently using for their kernels. + +Sha1 has not been considered secure against well-funded opponents since +2005[1]; since 2011 the NIST and other organizations furthermore +recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora +Linux 41+[3], and likely some other current and future distributions +reject the creation of sha1 signatures, which leads to a build error of +allmodconfig configurations: + + 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: + make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 + make[4]: *** Deleting file 'certs/signing_key.pem' + make[4]: *** Waiting for unfinished jobs.... + make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 + make[2]: *** [.../Makefile:1936: .] Error 2 + make[1]: *** [.../Makefile:224: __sub-make] Error 2 + make[1]: Leaving directory '...' + make: *** [Makefile:224: __sub-make] Error 2 + +This change makes allmodconfig work again and sets a default that is +more appropriate for current and future users, too. + +Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] +Link: https://csrc.nist.gov/projects/hash-functions [2] +Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] +Signed-off-by: Thorsten Leemhuis +Reviewed-by: Sami Tolvanen +Tested-by: kdevops [0] +Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0] +Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info +Signed-off-by: Petr Pavlu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/module/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/module/Kconfig ++++ b/kernel/module/Kconfig +@@ -231,6 +231,7 @@ comment "Do not forget to sign required + choice + prompt "Hash algorithm to sign modules" + depends on MODULE_SIG || IMA_APPRAISE_MODSIG ++ default MODULE_SIG_SHA512 + help + This determines which sort of hashing algorithm will be used during + signature generation. This algorithm _must_ be built into the kernel diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..673df00e1a --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1 @@ +module-sign-with-sha512-instead-of-sha1-by-default.patch -- 2.47.3