[RFC PATCH v1] module: sign with sha512 by default to avoid build errors

Avoid build errors with allmodconfig on Fedora Linux 41+ by reordering
the Kconfig choices so modules are signed with sha512 by default. That
way sha1 will be avoided, which beforehand was chosen by default on
x86_64 when running allmodconfig -- which on the latest Fedora leads to
the following build error when building the certs/ directory:

  80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
  make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
  make[4]: *** Deleting file 'certs/signing_key.pem'
  make[4]: *** Waiting for unfinished jobs....
  make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
  make[2]: *** [.../Makefile:1936: .] Error 2
  make[1]: *** [.../Makefile:224: __sub-make] Error 2
  make[1]: Leaving directory '...'
  make: *** [Makefile:224: __sub-make] Error 2

OpenSSL causes that error, as it now distrusts sha1 signatures by
default on Fedora[1]. This can be worked around locally by switching to
an earlier policy using 'update-crypto-policies --set FEDORA40'.

This change makes things work by default again and will avoid similar
problems on other distributions, as those sooner or later are likely to
apply similar measures; for regular users this likely is a wise move,
too.

Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [1]
Signed-off-by: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
---

Lo! This is a submission in the style of "I don't know what I'm doing
and this patch is mainly meant to start a discussion to resolve a
problem I ran into". The patch solved the problem for me, but there
might be a better way to make Kconfig use sha512 by default -- ideally
while keeping the menu in an order that makes more sense for humans.

I furthermore chose sha512 without any strong reasons; I first
considered sha256, but then settled on sha512 because Fedora uses it. So
I'm not attached to this. Ciao, Thorsten
---
 kernel/module/Kconfig | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 7c6588148d42d3..3647ff25d49d67 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -238,18 +238,6 @@ choice
 	  possible to load a signed module containing the algorithm to check
 	  the signature on that module.
 
-config MODULE_SIG_SHA1
-	bool "SHA-1"
-	select CRYPTO_SHA1
-
-config MODULE_SIG_SHA256
-	bool "SHA-256"
-	select CRYPTO_SHA256
-
-config MODULE_SIG_SHA384
-	bool "SHA-384"
-	select CRYPTO_SHA512
-
 config MODULE_SIG_SHA512
 	bool "SHA-512"
 	select CRYPTO_SHA512
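Review bot: removing the SHA-1, SHA-256 and SHA-384 entries from in front of `config MODULE_SIG_SHA512` makes the default depend purely on which entry comes first in the choice, and nothing in the file states that intent. Kconfig choice blocks accept a `default` line, so a `default MODULE_SIG_SHA512` under the choice prompt would pin the default explicitly and let the entries keep their original SHA-1 to SHA-512 order, which is the "better way" the cover note asks about. It would be worth confirming with `make allmodconfig` that CONFIG_MODULE_SIG_SHA512 is what gets picked that way.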
@@ -266,6 +254,18 @@ config MODULE_SIG_SHA3_512
 	bool "SHA3-512"
 	select CRYPTO_SHA3
 
+config MODULE_SIG_SHA384
+	bool "SHA-384"
+	select CRYPTO_SHA512
+
+config MODULE_SIG_SHA256
+	bool "SHA-256"
+	select CRYPTO_SHA256
+
+config MODULE_SIG_SHA1
+	bool "SHA-1"
+	select CRYPTO_SHA1
+
 endchoice
 
 config MODULE_SIG_HASH
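Review bot: the block re-added after `config MODULE_SIG_SHA3_512` leaves the menu in a mixed order (SHA-512 first, the entries up to SHA3-512, then SHA-384, SHA-256, SHA-1) with no comment saying that position now decides the default, so a later cleanup that re-sorts the entries would silently make SHA-1 the default again. If the reordering stays, add a comment above the first entry stating that it is first on purpose. Since `config MODULE_SIG_SHA1` remains selectable, consider giving it help text noting that key generation can fail where OpenSSL rejects SHA-1 signatures, as in the build error quoted in the commit message.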

base-commit: d3d1556696c1a993eec54ac585fe5bf677e07474
-- 
2.45.0




