On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote: > > On 11/8/23 08:33, Prarit Bhargava wrote: > > Hey everyone, > > > > The current kernel configs generate > > > > # CONFIG_MODULE_SIG_FORCE is not set > > CONFIG_MODULE_SIG_ALL=y > > # CONFIG_MODULE_SIG_SHA256 is not set > > # CONFIG_MODULE_SIG_SHA384 is not set > > CONFIG_MODULE_SIG_SHA512=y > > # CONFIG_MODULE_SIG_SHA3_256 is not set > > # CONFIG_MODULE_SIG_SHA3_384 is not set > > # CONFIG_MODULE_SIG_SHA3_512 is not set > > CONFIG_MODULE_SIG_HASH="sha512" > > > > With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802 > > > > we can strengthen the module signing algorithm to > > CONFIG_MODULE_SIG_SHA3_512. > > > > I'd like to do this before Fedora40, as it will be the basis of > > centos-stream-10 and RHEL10. > > > > Thoughts or concerns? > > > > P. > > I took a closer look at this and there doesn't appear to be an issue > with doing this in the kernel. Build times and boot times seem > consistent before and after the change. > > However, depmod (from kmod) needs an update if we make this change. The > current fedora version of kmod, -31, segfaults in the modules_install > target. I ran the latest upstream version of kmod and AFAICT that works. > > I will wait for kmod to be updated to at least version -32 and then > request that we change the module signing algorithm to SHA3_512, unless > there any objections. The latest kmod in fedora is -30. I was just looking at packaging -31 today. Are the above version numbers typos, or did you get kmod from somewhere else? josh _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue