Re: [OS-BUILD PATCH] redhat/configs: Use SHA512 for module signing

Brian Masney <bmasney@xxxxxxxxxx> · Wed, 17 Jun 2020 13:10:48 -0400

On Wed, Jun 17, 2020 at 12:59:08PM -0400, Prarit Bhargava wrote:
> On 6/17/20 11:04 AM, Brian Masney wrote:
> > On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
> >> From: Prarit Bhargava <prarit@xxxxxxxxxx>
> >>
> >> kernsec.org recommends using SHA512 [1] for kernel module signing.  There
> >> isn't any reason not to do this and the benefit is a stronger module
> >> hash.
> >>
> >> [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> >>
> >> Signed-off-by: Prarit Bhargava <prarit@xxxxxxxxxx>
> >> ---
> >>  redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512                | 2 +-
> >>  redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
> >>  redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512   | 1 +
> >>  redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256         | 2 +-
> >>  redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512         | 2 +-
> >>  redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512             | 1 -
> >>  6 files changed, 4 insertions(+), 5 deletions(-)
> >>  delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> >>  create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> >>  delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
> > 
> > Does arch/s390/configs/debug_defconfig need to be updated as well to
> > remove CONFIG_MODULE_SIG_SHA256? Based on my interpretation of the
> > definition of MODULE_SIG_HASH in init/Kconfig, it looks like SHA256
> > will still be used for that kernel.
> 
> Hey bmasney,
> 
> The arch/s390/configs/debug_defconfig file is from upstream and is not used in
> our config generation.  We use the config files under redhat/configs (see
> priority.fedora, priority.rhel, and the 'make dist-configs' target).
> 
> FWIW, after my change for Fedora:
> 
> [prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
> configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> [prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
> configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y
> 
> and for RHEL:
> 
> [prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
> configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
> configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
> [prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
> configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
> configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y

Oops, you're right.... I should have looked at that file name a little
closer.

Acked-by: Brian Masney <bmasney@xxxxxxxxxx>
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx