On 11/8/23 08:33, Prarit Bhargava wrote:
Hey everyone,
The current kernel configs generate
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
# CONFIG_MODULE_SIG_SHA3_256 is not set
# CONFIG_MODULE_SIG_SHA3_384 is not set
# CONFIG_MODULE_SIG_SHA3_512 is not set
CONFIG_MODULE_SIG_HASH="sha512"
With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
we can strengthen the module signing algorithm to
CONFIG_MODULE_SIG_SHA3_512.
I'd like to do this before Fedora40, as it will be the basis of
centos-stream-10 and RHEL10.
Thoughts or concerns?
P.
I took a closer look at this and there doesn't appear to be an issue
with doing this in the kernel. Build times and boot times seem
consistent before and after the change.
However, depmod (from kmod) needs an update if we make this change. The
current fedora version of kmod, -31, segfaults in the modules_install
target. I ran the latest upstream version of kmod and AFAICT that works.
I will wait for kmod to be updated to at least version -32 and then
request that we change the module signing algorithm to SHA3_512, unless
there any objections.
P.
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue