On 10.10.24 17:52, Sami Tolvanen wrote:

Thx for your feedback!

> On Thu, Oct 10, 2024 at 1:57 AM Thorsten Leemhuis <linux@xxxxxxxxxxxxx> wrote:
>> On 10.10.24 10:42, Sedat Dilek wrote:
>>> On Thu, Oct 10, 2024 at 10:29 AM Sedat Dilek <sedat.dilek@xxxxxxxxx> wrote:
>>>> On Thu, Oct 10, 2024 at 10:19 AM Thorsten Leemhuis <linux@xxxxxxxxxxxxx> wrote:
>>>>> On 10.10.24 09:00, Thorsten Leemhuis wrote:
>
>> P.S.: Vegard Nossum mentioned in the fediverse that I could also solve
>> the problem the patch is about by adding "default MODULE_SIG_SHA512" to
>> the "choice" section; haven't tried that, but that sounds like a better
>> solution. Will likely give it a try, unless someone brings up unwanted
>> side effects this might cause.
>
> Yes, that would be a much better way to change the default. Overall,
> moving away from SHA-1 seems like a good idea and SHA-512 feels like a
> reasonable choice. Luis, do you see any issues with changing the
> default here?

So, how do I make such a default choice work without breaking the
current magic, which looks like this:

"""
config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512
	default "sha3-256" if MODULE_SIG_SHA3_256
	default "sha3-384" if MODULE_SIG_SHA3_384
	default "sha3-512" if MODULE_SIG_SHA3_512
"""

Reordering those did not do the trick. And I suspect adding a default
"sha512" would break the magic.

Would dropping sha1, sha256 and sha384 from the list be a middle ground
that could work for everyone?

Ciao, Thorsten
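The following Kconfig fragment is an added illustration of the mechanism Vegard's suggestion relies on; it is not part of this thread and not the kernel's own kernel/module/Kconfig text (the prompt string, the help text and the reduced set of entries are assumptions made for the example). Two separate Kconfig rules are in play: a `default` inside a `choice` block names which member of the choice is selected when no value exists yet in .config, while a string symbol such as MODULE_SIG_HASH takes the first of its own `default ... if` lines whose condition evaluates true. Because the string symbol's conditions only reference whichever choice member is `y`, the choice-level default changes which member is preselected without touching the string mapping, so the two pieces can stay as they are.

```kconfig
# Constructed example, not the kernel's Kconfig: a choice block whose
# default is moved to the SHA-512 member, plus the string symbol that
# maps the selected member to the algorithm name used at build time.
choice
	prompt "Which hash algorithm should modules be signed with?"
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	# Selects the preselected member for a fresh .config or olddefconfig;
	# an existing .config that already chose another member keeps it.
	default MODULE_SIG_SHA512
	help
	  Hash algorithm used when signing modules (example help text).

config MODULE_SIG_SHA1
	bool "Sign modules with SHA-1"
	select CRYPTO_SHA1

config MODULE_SIG_SHA256
	bool "Sign modules with SHA-256"
	select CRYPTO_SHA256

config MODULE_SIG_SHA512
	bool "Sign modules with SHA-512"
	select CRYPTO_SHA512

endchoice

# Unchanged mapping: the first 'default ... if' whose condition is true
# wins, and exactly one choice member is 'y', so exactly one line applies.
config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha256" if MODULE_SIG_SHA256
	default "sha512" if MODULE_SIG_SHA512
```

To see the effect, run `make olddefconfig` against a .config that has MODULE_SIG=y but no MODULE_SIG_SHA* line: the choice default makes MODULE_SIG_SHA512=y and, through the string symbol's conditional defaults, CONFIG_MODULE_SIG_HASH="sha512". A .config that already contains MODULE_SIG_SHA1=y keeps SHA-1, which is why a choice-level default changes only the starting point for new configurations, not the signing algorithm of existing builds.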