| Message ID | 20231010212633.64042-1-dimitri.ledkov@canonical.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2908:b0:403:3b70:6f57 with SMTP id ib8csp145647vqb;
Tue, 10 Oct 2023 14:27:00 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IFyrp0Go32p/maOXWu4wzqdCO2Uv3vB7W8r2jeSnVZLrr3JtkMCGrBler/ALeTy/h5DmOT5
X-Received: by 2002:a05:6a20:8f01:b0:163:d382:ba99 with SMTP id
b1-20020a056a208f0100b00163d382ba99mr23561694pzk.5.1696973220652;
Tue, 10 Oct 2023 14:27:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696973220; cv=none;
d=google.com; s=arc-20160816;
b=EizJWjKpEJzwpbQyW+5ANj9gWySjAgEk6XQxGUXis75wrKv0reVPjhxZux+po5O5Wn
aDuYdqJslmhuIM3S2Uq8ONBrvyqu9CPcvnS+FJykWyNkusS4Ol7NZx96qtx6x/b25hw4
VMskR+KgYBhWw+aL3Sf86OQ6Z6yWbzTya93VueFrJzx4eTe/4NcKYfbY7wAIeiaSm8s6
cFZfXnYkBshJztPT+xgmXKirj39VEYnC0MNTS5Vh6mRxJiqQn0kojt29VctvROVXJDWz
WpGiXcbXwC6mpWtr3DbIFIm01Rm8vRQf8Et8/mWQ/VV5p/7FqrpYCvxx6H/g58r9JgM2
Ik/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=bbJL2SOs8ojKA5eoIkTwtjiwN0Y17d4pCBALcurYDbM=;
fh=ZOARcfLxNKj96ci7z8HVJFsiSV6PYmHeM/LcG4IANQg=;
b=ednDpxwaWKXiQXYnFu7dHeoj7kTo0+YlYBfirxw1yeYkr4EgpXVaQ6PKNzMLdbFdkA
/o8CAmx1+492cc8XE3nG9zTtjQcKQsn2EwpmNfJWp1M6es4YuVTvV5RWzhbEW7dK/Oc8
pKBvlpT2BRWv3nkwUysgZ3zMTiCAf4fA29Kruj/r8q8+rxuON930z+anzlzB8vzV3atp
aLROJD+zUl/cgpkQb67SLyttdVoUOAeX1JUchAWYhwqjeqOqGCjnEFHJp2lNNTrEfS+5
oEC/U00tIPMDVIrSumdbC4NW+DPClD72BLPDOOXawivJBw85gUDBr5IBmBqmnroR4WkX
LDOQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@canonical.com header.s=20210705 header.b=MqO0pWN2;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7])
by mx.google.com with ESMTPS id
l63-20020a639142000000b0055b731aa9adsi10458718pge.562.2023.10.10.14.27.00
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 10 Oct 2023 14:27:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
client-ip=2620:137:e000::3:7;
Authentication-Results: mx.google.com;
dkim=pass header.i=@canonical.com header.s=20210705 header.b=MqO0pWN2;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by snail.vger.email (Postfix) with ESMTP id F2DCF801C1B4;
Tue, 10 Oct 2023 14:26:59 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231749AbjJJV0z (ORCPT <rfc822;rua109.linux@gmail.com>
+ 19 others); Tue, 10 Oct 2023 17:26:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33184 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230094AbjJJV0y (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 10 Oct 2023 17:26:54 -0400
Received: from smtp-relay-internal-0.canonical.com
(smtp-relay-internal-0.canonical.com [185.125.188.122])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B713F94
for <linux-kernel@vger.kernel.org>;
Tue, 10 Oct 2023 14:26:52 -0700 (PDT)
Received: from mail-pl1-f200.google.com (mail-pl1-f200.google.com
[209.85.214.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256)
(No client certificate requested)
by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id
010953F148
for <linux-kernel@vger.kernel.org>;
Tue, 10 Oct 2023 21:26:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
s=20210705; t=1696973210;
bh=bbJL2SOs8ojKA5eoIkTwtjiwN0Y17d4pCBALcurYDbM=;
h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
b=MqO0pWN2TbYSY5U85a/qqr7W9FHeFerpMOrIppwBoSQZWKVY5lSV/QTXIJXKSFLfi
AtptO05qrtGRZaYoX1opeERVPS3SEDu4elaYSH9LnR8NP7Vh1IiDGFAqF+13POkPE2
6gMy+1NeOiqNY0m3HTCWANLpn8CdSrtW7nfNKmeJZDFvSp0dZbBmPt0iRn/l0MqTYW
Jq7AdL20fY9LEkxjLMmxHb/8CPQZNAr2N+HH3TibQp/vNxkLlz/4+ETBO4wlgI7/Rm
6K5BB96R+a1OPZbDqpN5sK8ynYonnRDMxTFmUHKblc8woYa2pe5dfGzlEwK2L9su2/
Psza+nGlKowFw==
Received: by mail-pl1-f200.google.com with SMTP id
d9443c01a7336-1c9c943c94aso2692945ad.3
for <linux-kernel@vger.kernel.org>;
Tue, 10 Oct 2023 14:26:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696973208; x=1697578008;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=bbJL2SOs8ojKA5eoIkTwtjiwN0Y17d4pCBALcurYDbM=;
b=mQIx2Nk80HIRYfQydh51NnfUmF1RGNl09LL48u7bCw46bN6i++vubvL91E4WJ+mW0D
dP5ZRgkPaKefBsr3cUyxZq5tKx41xdDMo6b+lGEyQhkgUIx58m+rtuDx5+60jRuwuD06
ux+l66Oe8WGFmGrqZ1cabtDrSQ55DvjUCoo048UI77XwebhD/P5+IIK2JdWutdagBgHz
ruURtDnwa27Y5UMsCd1w3gJRir0tlykiWuSh0WVaMsuwqAncbnE1dEwIjlIq2+0RVoZ4
Ss8hyIigt5z2656YKNKT5j8sJyGgpKNvGKFLCV/1Pm8oQWku8P6olOjOLgDv05ssIZiw
g6Lg==
X-Gm-Message-State: AOJu0YwoyN2eFec1CXLcSDSVm+MgqYVLQMBmp+xAvLbZPRM7ZfLTnnVK
X6IArs38wc4aMge8sclrHVNVt/8tzr3nHdeVhccuGp1cgBNVUQADffaAyvp5Pbhh3+0wgEZuuWV
CBcO13LpetIQr/Dxr5eQdaOepk+yG1GEqSnvTiXLdZA==
X-Received: by 2002:a17:902:f546:b0:1bb:e74b:39ff with SMTP id
h6-20020a170902f54600b001bbe74b39ffmr20923277plf.0.1696973207795;
Tue, 10 Oct 2023 14:26:47 -0700 (PDT)
X-Received: by 2002:a17:902:f546:b0:1bb:e74b:39ff with SMTP id
h6-20020a170902f54600b001bbe74b39ffmr20923258plf.0.1696973207428;
Tue, 10 Oct 2023 14:26:47 -0700 (PDT)
Received: from localhost ([2001:67c:1560:8007::aac:c15c])
by smtp.gmail.com with ESMTPSA id
e4-20020a170902d38400b001bb9bc8d232sm12287028pld.61.2023.10.10.14.26.45
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 10 Oct 2023 14:26:47 -0700 (PDT)
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] module: Do not offer sha224 for built-in module signing
Date: Tue, 10 Oct 2023 22:26:33 +0100
Message-Id: <20231010212633.64042-1-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
Tue, 10 Oct 2023 14:27:00 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1779405391572385389
X-GMAIL-MSGID: 1779405391572385389
|
| Series |
module: Do not offer sha224 for built-in module signing
|
|
Commit Message
Dimitri John Ledkov
Oct. 10, 2023, 9:26 p.m. UTC
sha224 does not provide enough security against collision attacks
relative to the default keys used for signing (RSA 4k & P-384). Also
sha224 never became popular, as sha256 got widely adopter ahead of
sha224 being introduced.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
kernel/module/Kconfig | 5 -----
1 file changed, 5 deletions(-)
Comments
On Tue, Oct 10, 2023 at 10:26:33PM +0100, Dimitri John Ledkov wrote: > sha224 does not provide enough security against collision attacks > relative to the default keys used for signing (RSA 4k & P-384). Also > sha224 never became popular, as sha256 got widely adopter ahead of > sha224 being introduced. > > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> > --- > kernel/module/Kconfig | 5 ----- > 1 file changed, 5 deletions(-) Patch applied. Thanks.
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 19a53d5e77..9d7d45525f 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -236,10 +236,6 @@ choice possible to load a signed module containing the algorithm to check the signature on that module. -config MODULE_SIG_SHA224 - bool "Sign modules with SHA-224" - select CRYPTO_SHA256 - config MODULE_SIG_SHA256 bool "Sign modules with SHA-256" select CRYPTO_SHA256 @@ -257,7 +253,6 @@ endchoice config MODULE_SIG_HASH string depends on MODULE_SIG || IMA_APPRAISE_MODSIG - default "sha224" if MODULE_SIG_SHA224 default "sha256" if MODULE_SIG_SHA256 default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512