From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A43651D63CF; Fri, 25 Apr 2025 09:18:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745572691; cv=none; b=hQMQBTg2oWi0vsZz9e0Ot1jQWvaRTE5HXqlIiXq3iVHxD1Y8dUsmnUbLyuhHPAqybL2dbLMtUCqpsIy+2bwdNuj9vUcputjldF9jylEu+bS+37Q4c94+h8FyMWKyv8Iv6OV+TChBRIiRAvDRxE1+jPDvdYPbf/jqwdUB3S908do= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745572691; c=relaxed/simple; bh=5cIK6/zfoLEYt30H+/aQScPA3kyqUOFGK5S5YH5O/oc=; h=Subject:To:Cc:From:Date:Message-ID:MIME-Version:Content-Type; b=RZEIQV8Bzcdc6okNeucX9+hIzdpd8czHmILaKR9a24yQIMvHuXoSo0KuGaEdIpQDXchumKB4Cwqre28m/5qsFZu5xYucQZrYya0k1SwkN94FvUcLwo4U9mPnJJ/XIA0SgN7wN3COTbWZEXoWfOtULxJvaoI9zyGF76P7ljvDURc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=T5QJwr7m; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="T5QJwr7m" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C7929C4CEE4; Fri, 25 Apr 2025 09:18:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1745572691; bh=5cIK6/zfoLEYt30H+/aQScPA3kyqUOFGK5S5YH5O/oc=; h=Subject:To:Cc:From:Date:From; b=T5QJwr7mk6rtnXBGVCJAHSGVW3Bjjnnh6HdKhSUgkHS31SMnWcnn7rotI5w/CLAgZ tImcYZgtSE9EbxpUzD5WvSSBHClQ+DGtWFm/Qr8IdJgjGHx167hpL7+HwYrlN+PvTJ ZFXMvcoiltVEcX/gNsi03MAdpp1ZzGZIfckBMj/Y= Subject: Patch "module: sign with sha512 instead of sha1 by default" has been added to the 6.1-stable tree To: gregkh@linuxfoundation.org,kdevops@lists.linux.dev,linux@leemhuis.info,petr.pavlu@suse.com,samitolvanen@google.com Cc: From: Date: Fri, 25 Apr 2025 11:18:08 +0200 Message-ID: <2025042508-detached-coral-cf78@gregkh> Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit X-stable: commit X-Patchwork-Hint: ignore This is a note to let you know that I've just added the patch titled module: sign with sha512 instead of sha1 by default to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: module-sign-with-sha512-instead-of-sha1-by-default.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >From f3b93547b91ad849b58eb5ab2dd070950ad7beb3 Mon Sep 17 00:00:00 2001 From: Thorsten Leemhuis Date: Wed, 16 Oct 2024 16:18:41 +0200 Subject: module: sign with sha512 instead of sha1 by default From: Thorsten Leemhuis commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream. Switch away from using sha1 for module signing by default and use the more modern sha512 instead, which is what among others Arch, Fedora, RHEL, and Ubuntu are currently using for their kernels. Sha1 has not been considered secure against well-funded opponents since 2005[1]; since 2011 the NIST and other organizations furthermore recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora Linux 41+[3], and likely some other current and future distributions reject the creation of sha1 signatures, which leads to a build error of allmodconfig configurations: 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 make[4]: *** Deleting file 'certs/signing_key.pem' make[4]: *** Waiting for unfinished jobs.... make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 make[2]: *** [.../Makefile:1936: .] Error 2 make[1]: *** [.../Makefile:224: __sub-make] Error 2 make[1]: Leaving directory '...' make: *** [Makefile:224: __sub-make] Error 2 This change makes allmodconfig work again and sets a default that is more appropriate for current and future users, too. Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] Link: https://csrc.nist.gov/projects/hash-functions [2] Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] Signed-off-by: Thorsten Leemhuis Reviewed-by: Sami Tolvanen Tested-by: kdevops [0] Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0] Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info Signed-off-by: Petr Pavlu Signed-off-by: Greg Kroah-Hartman --- kernel/module/Kconfig | 1 + 1 file changed, 1 insertion(+) --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -131,6 +131,7 @@ comment "Do not forget to sign required choice prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG || IMA_APPRAISE_MODSIG + default MODULE_SIG_SHA512 help This determines which sort of hashing algorithm will be used during signature generation. This algorithm _must_ be built into the kernel Patches currently in stable-queue which might be from linux@leemhuis.info are queue-6.1/module-sign-with-sha512-instead-of-sha1-by-default.patch