On 6/18/20 12:55 PM, Don Zickus wrote:
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of
prarit wrote:
> From: Prarit Bhargava <prarit(a)redhat.com>
>
>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
> isn't any reason not to do this and the benefit is a stronger module
> hash.
>
> [1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
>
> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
> ---
> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
> 6 files changed, 4 insertions(+), 5 deletions(-)
> delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
>
> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> index 29ce3726bd4a..5c25197e538b 100644
> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> @@ -1 +1 @@
> -CONFIG_CRYPTO_SHA512=m
> +CONFIG_CRYPTO_SHA512=y
Why does ark/generic need this but fedora/generic can be removed?
I had assumed you just moved this to common/generic and removed the fedora
override?
Hey dzickus, this patch was already applied.
You've raised a good point that is "kinda" verifiable. There should be a
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there isn't one.
The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in
CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after this
email I will be submitting a patch to add
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512.
As you know I'm working on a new shinier version of evaluate_configs. I've got
the output working. You can see the problem with CONFIG_MODULE_SIG_SHA512 on
Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm and armv7hl):
[prarit@prarit configs]$ ./evaluate_configs_new priority.fedora CONFIG_CRYPTO_SHA512
legend g a 1 2 d da
common-x86_64 - - - - - -
common-x86_64-debug - - - - - -
common-i686 - - - - - -
common-i686-debug - - - - - -
common-ppc64le - - - - - -
common-ppc64le-debug - - - - - -
common-s390x - - - - - -
common-s390x-debug - - - - - -
common-aarch64 - - - - - -
common-aarch64-debug - - - - - -
common-armv7hl - - - - - -
common-armv7hl-debug - - - - - -
common-armv7hl-lpae - - - - - -
common-armv7hl-lpae-debug - - - - - -
pending-common-x86_64 - - - - - -
pending-common-x86_64-debug - - - - - -
pending-common-i686 - - - - - -
pending-common-i686-debug - - - - - -
pending-common-ppc64le - - - - - -
pending-common-ppc64le-debug - - - - - -
pending-common-s390x - - - - - -
pending-common-s390x-debug - - - - - -
pending-common-aarch64 - - - - - -
pending-common-aarch64-debug - - - - - -
pending-common-armv7hl - - - - - -
pending-common-armv7hl-debug - - - - - -
pending-common-armv7hl-lpae - - - - - -
pending-common-armv7hl-lpae-debug - - - - - -
fedora-x86_64 - - - - - -
fedora-x86_64-debug - - - - - -
fedora-i686 - - - - - -
fedora-i686-debug - - - - - -
fedora-ppc64le - - - - - -
fedora-ppc64le-debug - - - - - -
fedora-s390x - - - - - -
fedora-s390x-debug - - - - - -
fedora-aarch64 - - - - - -
fedora-aarch64-debug - - - - - -
fedora-armv7hl - - - - - -
fedora-armv7hl-debug - - - - - -
fedora-armv7hl-lpae - - - - - -
fedora-armv7hl-lpae-debug - - - - - -
pending-fedora-x86_64 - - - - - -
pending-fedora-x86_64-debug - - - - - -
pending-fedora-i686 - - - - - -
pending-fedora-i686-debug - - - - - -
pending-fedora-ppc64le - - - - - -
pending-fedora-ppc64le-debug - - - - - -
pending-fedora-s390x - - - - - -
pending-fedora-s390x-debug - - - - - -
pending-fedora-aarch64 - - - - - -
pending-fedora-aarch64-debug - - - - - -
pending-fedora-armv7hl - - - - - -
pending-fedora-armv7hl-debug - - - - - -
pending-fedora-armv7hl-lpae - - - - - -
pending-fedora-armv7hl-lpae-debug - - - - - -
Similarly on ARK you can see that there is a CONFIG_CRYPTO_SHA512 file in the
ark/generic directory:
[prarit@prarit configs]$ ./evaluate_configs_new priority.rhel CONFIG_CRYPTO_SHA512
legend g a 1 d da
common-x86_64 - - - - -
common-x86_64-debug - - - - -
common-ppc64le - - - - -
common-ppc64le-debug - - - - -
common-s390x - - - - -
common-s390x-debug - - - - -
common-s390x-zfcpdump - - - - -
common-aarch64 - - - - -
common-aarch64-debug - - - - -
ark-x86_64 y - - - -
ark-x86_64-debug y - - - -
ark-ppc64le y - - - -
ark-ppc64le-debug y - - - -
ark-s390x y - - - -
ark-s390x-debug y - - - -
ark-s390x-zfcpdump y - - - -
ark-aarch64 y - - - -
ark-aarch64-debug y - - - -
pending-common-x86_64 - - - - -
pending-common-x86_64-debug - - - - -
pending-common-ppc64le - - - - -
pending-common-ppc64le-debug - - - - -
pending-common-s390x - - - - -
pending-common-s390x-debug - - - - -
pending-common-s390x-zfcpdump - - - - -
pending-common-aarch64 - - - - -
pending-common-aarch64-debug - - - - -
P.