On Fri, Jun 1, 2018 at 4:21 AM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 2018-05-31 at 14:06 -0700, Matthew Garrett wrote:
> > EVM looks like it SELECTs CONFIG_SHA1, so I /think/ it should be ok
> > before that patch?
>
> According to Junwen, with CONFIG_TRUSTED_KEYS enabled the HMAC and
> SHA1 are allocated at __init. The locking problem occurs when
> CONFIG_TRUSTED_KEYS is not enabled. His solution would have been to
> move the crypto_alloc_shash() in EVM to an __init function.

Ok - I think just allowing it to be deferred is preferable, since otherwise we'd have to build in every hash algorithm that could be used for the signatures (which wasn't a problem before the non-sha1 patch). How would you prefer me to send these two? The non-sha1 patch isn't in -next, so I can't add a fixes: for it at this point.