From: Justin Forbes on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/469#note_36766...
Jeremy Cline commented:
Prarit Bhargava prarit(a)redhat.com commented via email:
>>
>>
>> kernsec.org recommends using SHA512 [1] for kernel module signing. There
>> isn't any reason not to do this and the benefit is a stronger module
>>
>> ct/Recommended_Settings
>>
>> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
>> ---
>>  redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512                | 2 +-
>>  redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
>>  redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512   | 1 +
>>  redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256         | 2 +-
>>  redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512         | 2 +-
>>  redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512             | 1 -
>>  6 files changed, 4 insertions(+), 5 deletions(-)
>>  delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
>>  create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
>>  delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
>>
>> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> index 29ce3726bd4a..5c25197e538b 100644
>> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> @@ -1 +1 @@
>> -CONFIG_CRYPTO_SHA512=m
>> +CONFIG_CRYPTO_SHA512=y
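Review bot: after this hunk only ark/generic carries an explicit CONFIG_CRYPTO_SHA512=y, while the diffstat above deletes redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 and adds no redhat/configs/common/generic/CONFIG_CRYPTO_SHA512, so Fedora ends up relying on the `select CRYPTO_SHA512` that CONFIG_MODULE_SIG_SHA512=y implies. The resulting kernel is the same either way (the hash used to verify module signatures has to be built in, since a modular sha512 could not verify its own module before it is loaded, which is why Kconfig forces it to y), but the fragment tree should state it once: put `CONFIG_CRYPTO_SHA512=y` in common/generic and drop the ark/generic override rather than flipping it from m to y here.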
>
> Why does ark/generic need this but fedora/generic can be removed?
>
> I had assumed you just moved this to common/generic and removed the fedora
> override?
>
Hey dzickus, this patch was already applied.

You've raised a good point that is "kinda" verifiable. There should be a
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there isn't one.
The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in
CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after this
email I will be submitting a patch to add
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512.

As you know I'm working on a new shinier version of evaluate_configs. I've
got the output working. You can see the problem with CONFIG_MODULE_SIG_SHA512
on Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm and
armv7hl):

Perhaps this work can tie into
https://gitlab.com/cki-project/kernel-ark/-/issues/30
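The two points argued in the thread, that CONFIG_MODULE_SIG_SHA512=y forces CONFIG_CRYPTO_SHA512=y through Kconfig's `select`, and that a fragment tree can still carry a contradicting value (the ark CONFIG_CRYPTO_SHA512=m this patch flips) or state the symbol in the wrong layer, can be checked mechanically. The script below is an added example written for this page; it is not the kernel-ark evaluate_configs script nor any code from the thread. The function names, the final-.config versus fragment-layer distinction, and the sample configs are all constructed here; the only kernel facts it relies on are the CONFIG_MODULE_SIG_<hash> choice symbols, the derived CONFIG_MODULE_SIG_HASH string, and the select of the matching CONFIG_CRYPTO_<hash>.

```python
"""Consistency check for a kernel's module-signing hash configuration.

Added example for this thread (not the kernel-ark evaluate_configs tool).
It reads .config syntax, so it accepts either a complete .config or a
concatenation of redhat/configs fragment files joined in override order.
"""
import re

HASHES = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")
RECOMMENDED = "SHA512"  # the kernsec.org recommendation cited in the commit message

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Parse .config syntax into {symbol: value}.

    Later assignments override earlier ones, so feeding fragments in override
    order (common/generic first, then the distro/arch directories) yields the
    effective fragment value of each symbol. '# X is not set' becomes 'n'.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_module_sig(cfg, final=True):
    """Return a list of findings; an empty list means the setup is consistent.

    final=True : cfg is a complete .config (after olddefconfig), so every
                 required symbol must be present.
    final=False: cfg is the fragment layer. A symbol that is simply absent is
                 fine, because Kconfig's select will set it, but a value that
                 contradicts the select (CONFIG_CRYPTO_SHA512=m next to
                 CONFIG_MODULE_SIG_SHA512=y) is flagged.
    """
    findings = []
    if cfg.get("CONFIG_MODULE_SIG") != "y":
        findings.append("CONFIG_MODULE_SIG is not 'y': module signatures are never checked")
        return findings

    chosen = [h for h in HASHES if cfg.get(f"CONFIG_MODULE_SIG_{h}") == "y"]
    if len(chosen) != 1:
        findings.append(f"expected exactly one CONFIG_MODULE_SIG_<hash>=y, got {chosen}")
        return findings
    algo = chosen[0]

    if algo != RECOMMENDED:
        findings.append(f"modules are signed with {algo}; kernsec.org recommends {RECOMMENDED}")

    # CONFIG_MODULE_SIG_HASH is the string the build's signing step reads; it is
    # derived from the choice above and must agree with it.
    sig_hash = cfg.get("CONFIG_MODULE_SIG_HASH")
    if sig_hash is not None and sig_hash != algo.lower():
        findings.append(f'CONFIG_MODULE_SIG_HASH="{sig_hash}" disagrees with CONFIG_MODULE_SIG_{algo}=y')
    elif sig_hash is None and final:
        findings.append("CONFIG_MODULE_SIG_HASH is missing from a final .config")

    # The hash that verifies modules must be built in: if it were a module,
    # nothing could verify that module's own signature before loading it.
    # That is why CONFIG_MODULE_SIG_<hash> selects CONFIG_CRYPTO_<hash>.
    impl = f"CONFIG_CRYPTO_{algo}"
    value = cfg.get(impl)
    if value is None:
        if final:
            findings.append(f"{impl} is missing; a final .config should have it forced to y")
    elif value != "y":
        findings.append(f"{impl}={value} contradicts the select from CONFIG_MODULE_SIG_{algo}=y; set it to y")
    return findings


# Constructed fragment set modelled on the thread's redhat/configs layout, joined
# in override order; the last line is the ark/generic value the patch changes.
ARK_BEFORE_PATCH = """\
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_CRYPTO_SHA512=m
"""
ARK_AFTER_PATCH = ARK_BEFORE_PATCH.replace("CONFIG_CRYPTO_SHA512=m", "CONFIG_CRYPTO_SHA512=y")

# Constructed final .config of a kernel still signing modules with SHA-256.
FINAL_SHA256 = """\
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
"""

if __name__ == "__main__":
    for name, text, final in (("ark fragments before patch", ARK_BEFORE_PATCH, False),
                              ("ark fragments after patch", ARK_AFTER_PATCH, False),
                              ("final .config, sha256", FINAL_SHA256, True)):
        print(name, "->", check_module_sig(parse_config(text), final=final) or ["ok"])
```

Run it against `cat redhat/configs/common/generic/* redhat/configs/fedora/generic/*` (fragment mode) to see which layer contradicts the select, or against `/boot/config-$(uname -r)` (final mode) to confirm that a running kernel both signs with SHA-512 and has the verifier built in.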