[OS-BUILD PATCH] redhat/configs: Use SHA512 for module signing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Prarit Bhargava <prarit@xxxxxxxxxx>

kernsec.org recommends using SHA512 [1] for kernel module signing.  There
isn't any reason not to do this and the benefit is a stronger module
hash.

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Signed-off-by: Prarit Bhargava <prarit@xxxxxxxxxx>
---
 redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512                | 2 +-
 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512   | 1 +
 redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256         | 2 +-
 redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512         | 2 +-
 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512             | 1 -
 6 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
 create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
 delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512

diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
-- 
GitLab
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux