Re: module signing: Changing to MODULE_SIG_SHA3_512

On Thu, Nov 9, 2023 at 8:29 AM Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
> >
> > On 11/9/23 08:13, Josh Boyer wrote:
> > > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava <prarit@xxxxxxxxxx> wrote:
> > >>
> > >> On 11/8/23 08:33, Prarit Bhargava wrote:
> > >>> Hey everyone,
> > >>>
> > >>> The current kernel configs generate
> > >>>
> > >>> # CONFIG_MODULE_SIG_FORCE is not set
> > >>> CONFIG_MODULE_SIG_ALL=y
> > >>> # CONFIG_MODULE_SIG_SHA256 is not set
> > >>> # CONFIG_MODULE_SIG_SHA384 is not set
> > >>> CONFIG_MODULE_SIG_SHA512=y
> > >>> # CONFIG_MODULE_SIG_SHA3_256 is not set
> > >>> # CONFIG_MODULE_SIG_SHA3_384 is not set
> > >>> # CONFIG_MODULE_SIG_SHA3_512 is not set
> > >>> CONFIG_MODULE_SIG_HASH="sha512"
> > >>>
> > >>> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> > >>>
> > >>> we can strengthen the module signing algorithm to
> > >>> CONFIG_MODULE_SIG_SHA3_512.
> > >>>
> > >>> I'd like to do this before Fedora40, as it will be the basis of
> > >>> centos-stream-10 and RHEL10.
> > >>>
> > >>> Thoughts or concerns?
> > >>>
> > >>> P.
> > >>
> > >> I took a closer look at this and there doesn't appear to be an issue
> > >> with doing this in the kernel.  Build times and boot times seem
> > >> consistent before and after the change.
> > >>
> > >> However, depmod (from kmod) needs an update if we make this change.  The
> > >> current fedora version of kmod, -31, segfaults in the modules_install
> > >> target.  I ran the latest upstream version of kmod and AFAICT that works.
> > >>
> > >> I will wait for kmod to be updated to at least version -32 and then
> > >> request that we change the module signing algorithm to SHA3_512, unless
> > >> there are any objections.
> > >
> > > The latest kmod in fedora is -30.  I was just looking at packaging -31
> > > today.  Are the above version numbers typos, or did you get kmod from
> > > somewhere else?
> > >
> >
> > Whoops.  Yep, typos.  Sorry, off by one in my brain.
>
> OK, thanks.  I might look at the commits beyond -31 and see about
> adding them if they aren't too much of a departure from the release.

https://koji.fedoraproject.org/koji/buildinfo?buildID=2318246

josh
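
As an added illustration (not code from the thread or from the kernel-ark project), this checks a config like the one quoted in the first message: exactly one `CONFIG_MODULE_SIG_<hash>` choice is enabled and `CONFIG_MODULE_SIG_HASH` agrees with it. The function names are hypothetical, and the comparison ignores separator characters because the thread does not show the HASH string for the SHA-3 options.

```python
import re

# Hash choice symbols as listed in the config quoted in the thread.
HASHES = ("SHA256", "SHA384", "SHA512", "SHA3_256", "SHA3_384", "SHA3_512")

# The config fragment from the first message of the thread.
THREAD_CONFIG = """\
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
# CONFIG_MODULE_SIG_SHA3_256 is not set
# CONFIG_MODULE_SIG_SHA3_384 is not set
# CONFIG_MODULE_SIG_SHA3_512 is not set
CONFIG_MODULE_SIG_HASH="sha512"
"""

_LINE = re.compile(r'^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$')


def parse_config(text):
    """Return {symbol: value}; '# X is not set' lines map to None."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m:
            opts[m.group(3)] = None
    return opts


def _norm(name):
    # Drop case and separators so "SHA3_512" can be compared with the HASH string.
    return re.sub(r'[^a-z0-9]', '', name.lower())


def audit_module_sig(text):
    """Return (selected hash symbol or None, list of findings)."""
    opts = parse_config(text)
    findings = []
    chosen = [h for h in HASHES if opts.get("CONFIG_MODULE_SIG_" + h) == "y"]
    if len(chosen) != 1:
        findings.append("expected exactly one hash choice, found %r" % chosen)
    hash_str = opts.get("CONFIG_MODULE_SIG_HASH")
    if len(chosen) == 1 and (hash_str is None or _norm(hash_str) != _norm(chosen[0])):
        findings.append("CONFIG_MODULE_SIG_HASH=%r does not match %s" % (hash_str, chosen[0]))
    for sym in ("CONFIG_MODULE_SIG_ALL", "CONFIG_MODULE_SIG_FORCE"):
        if opts.get(sym) != "y":
            findings.append(sym + " is not set")
    return (chosen[0] if len(chosen) == 1 else None), findings
```

Running `audit_module_sig` on a generated `.config` before and after the switch shows whether the choice symbol and the hash string moved together.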