Skip to content

Commit f3b9354

Browse files
knurdpetrpavlu
knurd
authored and
petrpavlu
committed
module: sign with sha512 instead of sha1 by default
Switch away from using sha1 for module signing by default and use the more modern sha512 instead, which is what among others Arch, Fedora, RHEL, and Ubuntu are currently using for their kernels. Sha1 has not been considered secure against well-funded opponents since 2005[1]; since 2011 the NIST and other organizations furthermore recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora Linux 41+[3], and likely some other current and future distributions reject the creation of sha1 signatures, which leads to a build error of allmodconfig configurations: 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 make[4]: *** Deleting file 'certs/signing_key.pem' make[4]: *** Waiting for unfinished jobs.... make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 make[2]: *** [.../Makefile:1936: .] Error 2 make[1]: *** [.../Makefile:224: __sub-make] Error 2 make[1]: Leaving directory '...' make: *** [Makefile:224: __sub-make] Error 2 This change makes allmodconfig work again and sets a default that is more appropriate for current and future users, too. Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] Link: https://csrc.nist.gov/projects/hash-functions [2] Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] Signed-off-by: Thorsten Leemhuis <[email protected]> Reviewed-by: Sami Tolvanen <[email protected]> Tested-by: kdevops <[email protected]> [0] Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0] Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info Signed-off-by: Petr Pavlu <[email protected]>
1 parent 110b1e0 commit f3b9354

File tree

1 file changed

+1
-0
lines changed

1 file changed

+1
-0
lines changed

kernel/module/Kconfig

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
231231
choice
232232
prompt "Hash algorithm to sign modules"
233233
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
234+
default MODULE_SIG_SHA512
234235
help
235236
This determines which sort of hashing algorithm will be used during
236237
signature generation. This algorithm _must_ be built into the kernel

0 commit comments

Comments
 (0)