Re: module signing: Changing to MODULE_SIG_SHA3_512

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
>
> On 11/8/23 08:33, Prarit Bhargava wrote:
> > Hey everyone,
> >
> > The current kernel configs generate
> >
> > # CONFIG_MODULE_SIG_FORCE is not set
> > CONFIG_MODULE_SIG_ALL=y
> > # CONFIG_MODULE_SIG_SHA256 is not set
> > # CONFIG_MODULE_SIG_SHA384 is not set
> > CONFIG_MODULE_SIG_SHA512=y
> > # CONFIG_MODULE_SIG_SHA3_256 is not set
> > # CONFIG_MODULE_SIG_SHA3_384 is not set
> > # CONFIG_MODULE_SIG_SHA3_512 is not set
> > CONFIG_MODULE_SIG_HASH="sha512"
> >
> > With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> >
> > we can strengthen the module signing algorithm to
> > CONFIG_MODULE_SIG_SHA3_512.
> >
> > I'd like to do this before Fedora40, as it will be the basis of
> > centos-stream-10 and RHEL10.
> >
> > Thoughts or concerns?
> >
> > P.
>
> I took a closer look at this and there doesn't appear to be an issue
> with doing this in the kernel.  Build times and boot times seem
> consistent before and after the change.
>
> However, depmod (from kmod) needs an update if we make this change.  The
> current fedora version of kmod, -31, segfaults in the modules_install
> target.  I ran the latest upstream version of kmod and AFAICT that works.
>
> I will wait for kmod to be updated to at least version -32 and then
> request that we change the module signing algorithm to SHA3_512, unless
> there any objections.

The latest kmod in fedora is -30.  I was just looking at packaging -31
today.  Are the above version numbers typos, or did you get kmod from
somewhere else?

josh
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux