Re: module signing: Changing to MODULE_SIG_SHA3_512

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
>
> On 11/9/23 08:13, Josh Boyer wrote:
> > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
> >>
> >> On 11/8/23 08:33, Prarit Bhargava wrote:
> >>> Hey everyone,
> >>>
> >>> The current kernel configs generate
> >>>
> >>> # CONFIG_MODULE_SIG_FORCE is not set
> >>> CONFIG_MODULE_SIG_ALL=y
> >>> # CONFIG_MODULE_SIG_SHA256 is not set
> >>> # CONFIG_MODULE_SIG_SHA384 is not set
> >>> CONFIG_MODULE_SIG_SHA512=y
> >>> # CONFIG_MODULE_SIG_SHA3_256 is not set
> >>> # CONFIG_MODULE_SIG_SHA3_384 is not set
> >>> # CONFIG_MODULE_SIG_SHA3_512 is not set
> >>> CONFIG_MODULE_SIG_HASH="sha512"
> >>>
> >>> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> >>>
> >>> we can strengthen the module signing algorithm to
> >>> CONFIG_MODULE_SIG_SHA3_512.
> >>>
> >>> I'd like to do this before Fedora40, as it will be the basis of
> >>> centos-stream-10 and RHEL10.
> >>>
> >>> Thoughts or concerns?
> >>>
> >>> P.
> >>
> >> I took a closer look at this and there doesn't appear to be an issue
> >> with doing this in the kernel.  Build times and boot times seem
> >> consistent before and after the change.
> >>
> >> However, depmod (from kmod) needs an update if we make this change.  The
> >> current fedora version of kmod, -31, segfaults in the modules_install
> >> target.  I ran the latest upstream version of kmod and AFAICT that works.
> >>
> >> I will wait for kmod to be updated to at least version -32 and then
> >> request that we change the module signing algorithm to SHA3_512, unless
> >> there any objections.
> >
> > The latest kmod in fedora is -30.  I was just looking at packaging -31
> > today.  Are the above version numbers typos, or did you get kmod from
> > somewhere else?
> >
>
> Whoops.  Yep, typos.  Sorry, off by one in my brain.

OK, thanks.  I might look at the commits beyond -31 and see about
adding them if they aren't too much of a departure from the release.

josh
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux