On 6/18/20 12:55 PM, Don Zickus wrote: > On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote: >> From: Prarit Bhargava <prarit@xxxxxxxxxx> >> >> kernsec.org recommends using SHA512 [1] for kernel module signing. There >> isn't any reason not to do this and the benefit is a stronger module >> hash. >> >> [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings >> >> Signed-off-by: Prarit Bhargava <prarit@xxxxxxxxxx> >> --- >> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +- >> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 - >> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 + >> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +- >> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +- >> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 - >> 6 files changed, 4 insertions(+), 5 deletions(-) >> delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 >> create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 >> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 >> >> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 >> index 29ce3726bd4a..5c25197e538b 100644 >> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 >> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 >> @@ -1 +1 @@ >> -CONFIG_CRYPTO_SHA512=m >> +CONFIG_CRYPTO_SHA512=y > > Why does ark/generic need this but fedora/generic can be removed? > > I had assumed you just moved this to common/generic and removed the fedora > override? > Hey dzickus, this patch was already applied. You've raised a good point that is "kinda" verifiable. There should be a redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there isn't one. The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after this email I will be submitting a patch to add redhat/configs/common/generic/CONFIG_CRYPTO_SHA512. As you know I'm working on a new shinier version of evaluate_configs. I've got the output working. You can see the problem with CONFIG_MODULE_SIG_SHA512 on Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm and armv7hl): [prarit@prarit configs]$ ./evaluate_configs_new priority.fedora CONFIG_CRYPTO_SHA512 legend g a 1 2 d da common-x86_64 - - - - - - common-x86_64-debug - - - - - - common-i686 - - - - - - common-i686-debug - - - - - - common-ppc64le - - - - - - common-ppc64le-debug - - - - - - common-s390x - - - - - - common-s390x-debug - - - - - - common-aarch64 - - - - - - common-aarch64-debug - - - - - - common-armv7hl - - - - - - common-armv7hl-debug - - - - - - common-armv7hl-lpae - - - - - - common-armv7hl-lpae-debug - - - - - - pending-common-x86_64 - - - - - - pending-common-x86_64-debug - - - - - - pending-common-i686 - - - - - - pending-common-i686-debug - - - - - - pending-common-ppc64le - - - - - - pending-common-ppc64le-debug - - - - - - pending-common-s390x - - - - - - pending-common-s390x-debug - - - - - - pending-common-aarch64 - - - - - - pending-common-aarch64-debug - - - - - - pending-common-armv7hl - - - - - - pending-common-armv7hl-debug - - - - - - pending-common-armv7hl-lpae - - - - - - pending-common-armv7hl-lpae-debug - - - - - - fedora-x86_64 - - - - - - fedora-x86_64-debug - - - - - - fedora-i686 - - - - - - fedora-i686-debug - - - - - - fedora-ppc64le - - - - - - fedora-ppc64le-debug - - - - - - fedora-s390x - - - - - - fedora-s390x-debug - - - - - - fedora-aarch64 - - - - - - fedora-aarch64-debug - - - - - - fedora-armv7hl - - - - - - fedora-armv7hl-debug - - - - - - fedora-armv7hl-lpae - - - - - - fedora-armv7hl-lpae-debug - - - - - - pending-fedora-x86_64 - - - - - - pending-fedora-x86_64-debug - - - - - - pending-fedora-i686 - - - - - - pending-fedora-i686-debug - - - - - - pending-fedora-ppc64le - - - - - - pending-fedora-ppc64le-debug - - - - - - pending-fedora-s390x - - - - - - pending-fedora-s390x-debug - - - - - - pending-fedora-aarch64 - - - - - - pending-fedora-aarch64-debug - - - - - - pending-fedora-armv7hl - - - - - - pending-fedora-armv7hl-debug - - - - - - pending-fedora-armv7hl-lpae - - - - - - pending-fedora-armv7hl-lpae-debug - - - - - - Similarly on ARK you can see that there is a CONFIG_CRYPTO_SHA512 file in the ark/generic directory: [prarit@prarit configs]$ ./evaluate_configs_new priority.rhel CONFIG_CRYPTO_SHA512 legend g a 1 d da common-x86_64 - - - - - common-x86_64-debug - - - - - common-ppc64le - - - - - common-ppc64le-debug - - - - - common-s390x - - - - - common-s390x-debug - - - - - common-s390x-zfcpdump - - - - - common-aarch64 - - - - - common-aarch64-debug - - - - - ark-x86_64 y - - - - ark-x86_64-debug y - - - - ark-ppc64le y - - - - ark-ppc64le-debug y - - - - ark-s390x y - - - - ark-s390x-debug y - - - - ark-s390x-zfcpdump y - - - - ark-aarch64 y - - - - ark-aarch64-debug y - - - - pending-common-x86_64 - - - - - pending-common-x86_64-debug - - - - - pending-common-ppc64le - - - - - pending-common-ppc64le-debug - - - - - pending-common-s390x - - - - - pending-common-s390x-debug - - - - - pending-common-s390x-zfcpdump - - - - - pending-common-aarch64 - - - - - pending-common-aarch64-debug - - - - - P. _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
