On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
From: Prarit Bhargava <prarit(a)redhat.com>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
isn't any reason not to do this and the benefit is a stronger module
hash.
[1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
---
redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
6 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
Does arch/s390/configs/debug_defconfig need to be updated as well to
remove CONFIG_MODULE_SIG_SHA256? Based on my interpretation of the
definition of MODULE_SIG_HASH in init/Kconfig, it looks like SHA256
will still be used for that kernel.
Brian
diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
--