Avoid build errors with allmodconfig on Fedora Linux 41+ by reordering the Kconfig choices so modules are signed with sha512 by default. That way sha1 will be avoided, which beforehand was chosen by default on x86_64 when running allmodconfig -- which on the latest Fedora leads to the following build error when building the certs/ directory:

 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
 make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
 make[4]: *** Deleting file 'certs/signing_key.pem'
 make[4]: *** Waiting for unfinished jobs....
 make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
 make[2]: *** [.../Makefile:1936: .] Error 2
 make[1]: *** [.../Makefile:224: __sub-make] Error 2
 make[1]: Leaving directory '...'
 make: *** [Makefile:224: __sub-make] Error 2

OpenSSL causes that error, as it now distrusts sha1 signatures by default on Fedora[1]. This can be worked around locally by switching to an earlier policy using 'update-crypto-policies --set FEDORA40'.

This change makes things work by default again and will avoid similar problems on other distributions, as those sooner or later are likely to apply similar measures; for regular users this likely is a wise move, too.

Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [1]
Signed-off-by: Thorsten Leemhuis <linux@xxxxxxxxxxxxx> --- Lo! This is a submission in the style of "I don't know what I'm doing and this patch is mainly meant to start a discussion to resolve a problem I ran into". The patch solved the problem for me, but there might be a better way to make Kconfig use sha512 by default -- ideally while keeping the menu in an order that makes more sense for humans. I furthermore chose sha512 without any strong reasons; I first considered sha256, but then settled on sha512 because Fedora uses it. So I'm not attached to this. Ciao, Thorsten --- kernel/module/Kconfig | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 7c6588148d42d3..3647ff25d49d67 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -238,18 +238,6 @@ choice possible to load a signed module containing the algorithm to check the signature on that module. -config MODULE_SIG_SHA1 - bool "SHA-1" - select CRYPTO_SHA1 - -config MODULE_SIG_SHA256 - bool "SHA-256" - select CRYPTO_SHA256 - -config MODULE_SIG_SHA384 - bool "SHA-384" - select CRYPTO_SHA512 - config MODULE_SIG_SHA512 bool "SHA-512" select CRYPTO_SHA512 @@ -266,6 +254,18 @@ config MODULE_SIG_SHA3_512 bool "SHA3-512" select CRYPTO_SHA3 +config MODULE_SIG_SHA384 + bool "SHA-384" + select CRYPTO_SHA512 + +config MODULE_SIG_SHA256 + bool "SHA-256" + select CRYPTO_SHA256 + +config MODULE_SIG_SHA1 + bool "SHA-1" + select CRYPTO_SHA1 + endchoice config MODULE_SIG_HASH base-commit: d3d1556696c1a993eec54ac585fe5bf677e07474 -- 2.45.0
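Review bot: In the first hunk (@@ -238,18 +238,6) the default becomes a side effect of entry order: `config MODULE_SIG_SHA512` ends up first only because the three entries above it are removed, and nothing in the choice records that its position matters. A later patch that inserts or re-sorts an entry above it would silently change the signing hash again. Consider leaving the entries where they are and adding an explicit `default MODULE_SIG_SHA512` line to the `choice` block, which would also keep the menu order the cover note asks about. If the reordering stays, a comment above `config MODULE_SIG_SHA512` saying that the first entry is the default would protect it.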
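Review bot: In the second hunk (@@ -266,6 +254,18) the re-added entries land after `bool "SHA3-512"` in the order SHA-384, SHA-256, SHA-1, so SHA-512 is separated from the rest of the SHA-2 options by the SHA-3 entries and the menu no longer reads in any consistent order. If an explicit default is not used, at least keep the SHA-2 entries adjacent (SHA-512, SHA-384, SHA-256) ahead of the SHA-3 ones. Separately, `config MODULE_SIG_SHA1` stays selectable with nothing next to `bool "SHA-1"` telling the user that signing with it fails under the Fedora 41 OpenSSL policy named in the commit message. A short help text on that entry would save the next person the `invalid digest` error.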