6:47 p.m.
From: Prarit Bhargava <prarit(a)redhat.com>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
isn't any reason not to do this and the benefit is a stronger module
hash.
[1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
---
redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
6 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
--
GitLab
10:04 a.m.
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
From: Prarit Bhargava <prarit(a)redhat.com>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
isn't any reason not to do this and the benefit is a stronger module
hash.
[1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
---
redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
6 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
Does arch/s390/configs/debug_defconfig need to be updated as well to
remove CONFIG_MODULE_SIG_SHA256? Based on my interpretation of the
definition of MODULE_SIG_HASH in init/Kconfig, it looks like SHA256
will still be used for that kernel.
Brian
diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
--
11:59 a.m.
On 6/17/20 11:04 AM, Brian Masney wrote:
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of
prarit wrote:
> From: Prarit Bhargava <prarit(a)redhat.com>
>
> kernsec.org recommends using SHA512 [1] for kernel module signing. There
> isn't any reason not to do this and the benefit is a stronger module
> hash.
>
> [1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
>
> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
> ---
> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
> 6 files changed, 4 insertions(+), 5 deletions(-)
> delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
Does arch/s390/configs/debug_defconfig need to be updated as well to
remove CONFIG_MODULE_SIG_SHA256? Based on my interpretation of the
definition of MODULE_SIG_HASH in init/Kconfig, it looks like SHA256
will still be used for that kernel.
Hey bmasney,
The arch/s390/configs/debug_defconfig file is from upstream and is not used in
our config generation. We use the config files under redhat/configs (see
priority.fedora, priority.rhel, and the 'make dist-configs' target).
FWIW, after my change for Fedora:
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y
and for RHEL:
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y
P.
Brian
>
> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> index 29ce3726bd4a..5c25197e538b 100644
> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> @@ -1 +1 @@
> -CONFIG_CRYPTO_SHA512=m
> +CONFIG_CRYPTO_SHA512=y
> diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> deleted file mode 100644
> index 5c25197e538b..000000000000
> --- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> +++ /dev/null
> @@ -1 +0,0 @@
> -CONFIG_CRYPTO_SHA512=y
> diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> new file mode 100644
> index 000000000000..63c78568591f
> --- /dev/null
> +++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> @@ -0,0 +1 @@
> +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
> index b350aa05ab58..f54169c568b1 100644
> --- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
> +++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
> @@ -1 +1 @@
> -CONFIG_MODULE_SIG_SHA256=y
> +# CONFIG_MODULE_SIG_SHA256 is not set
> diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
> index 2910d833029c..fe14d3f42285 100644
> --- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
> +++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
> @@ -1 +1 @@
> -# CONFIG_MODULE_SIG_SHA512 is not set
> +CONFIG_MODULE_SIG_SHA512=y
> diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
> deleted file mode 100644
> index 5c25197e538b..000000000000
> --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
> +++ /dev/null
> @@ -1 +0,0 @@
> -CONFIG_CRYPTO_SHA512=y
> --
12:10 p.m.
On Wed, Jun 17, 2020 at 12:59:08PM -0400, Prarit Bhargava wrote:
On 6/17/20 11:04 AM, Brian Masney wrote:
> On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
>> From: Prarit Bhargava <prarit(a)redhat.com>
>>
>> kernsec.org recommends using SHA512 [1] for kernel module signing. There
>> isn't any reason not to do this and the benefit is a stronger module
>> hash.
>>
>> [1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
>>
>> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
>> ---
>> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
>> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
>> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
>> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
>> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
>> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
>> 6 files changed, 4 insertions(+), 5 deletions(-)
>> delete mode 100644
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
>> create mode 100644
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
>> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
>
> Does arch/s390/configs/debug_defconfig need to be updated as well to
> remove CONFIG_MODULE_SIG_SHA256? Based on my interpretation of the
> definition of MODULE_SIG_HASH in init/Kconfig, it looks like SHA256
> will still be used for that kernel.
Hey bmasney,
The arch/s390/configs/debug_defconfig file is from upstream and is not used in
our config generation. We use the config files under redhat/configs (see
priority.fedora, priority.rhel, and the 'make dist-configs' target).
FWIW, after my change for Fedora:
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y
and for RHEL:
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA256 configs/*.config
configs/kernel-5.8.0-aarch64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-aarch64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-ppc64le-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-s390x-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64.config:# CONFIG_MODULE_SIG_SHA256 is not set
configs/kernel-5.8.0-x86_64-debug.config:# CONFIG_MODULE_SIG_SHA256 is not set
[prarit@prarit redhat]$ egrep MODULE_SIG_SHA512 configs/*.config
configs/kernel-5.8.0-aarch64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-aarch64-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-ppc64le-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-s390x-debug.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64.config:CONFIG_MODULE_SIG_SHA512=y
configs/kernel-5.8.0-x86_64-debug.config:CONFIG_MODULE_SIG_SHA512=y
Oops, you're right.... I should have looked at that file name a little
closer.
Acked-by: Brian Masney <bmasney(a)redhat.com>
11:04 a.m.
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
From: Prarit Bhargava <prarit(a)redhat.com>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
isn't any reason not to do this and the benefit is a stronger module
hash.
[1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
---
redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
6 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
--
GitLab
Acked-by: Herton R. Krzesinski <herton(a)redhat.com>
--
[]'s
Herton
11:55 a.m.
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of prarit wrote:
From: Prarit Bhargava <prarit(a)redhat.com>
kernsec.org recommends using SHA512 [1] for kernel module signing. There
isn't any reason not to do this and the benefit is a stronger module
hash.
[1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
---
redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
6 files changed, 4 insertions(+), 5 deletions(-)
delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
index 29ce3726bd4a..5c25197e538b 100644
--- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
+++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
@@ -1 +1 @@
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
Why does ark/generic need this but fedora/generic can be removed?
I had assumed you just moved this to common/generic and removed the fedora
override?
Cheers,
Don
diff --git
a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
new file mode 100644
index 000000000000..63c78568591f
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
@@ -0,0 +1 @@
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
index b350aa05ab58..f54169c568b1 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
@@ -1 +1 @@
-CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA256 is not set
diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
index 2910d833029c..fe14d3f42285 100644
--- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
+++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
@@ -1 +1 @@
-# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_SHA512=y
diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
deleted file mode 100644
index 5c25197e538b..000000000000
--- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_CRYPTO_SHA512=y
--
GitLab
_______________________________________________
kernel mailing list -- kernel(a)lists.fedoraproject.org
To unsubscribe send an email to kernel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
1:40 p.m.
On 6/18/20 12:55 PM, Don Zickus wrote:
On Tue, Jun 16, 2020 at 11:47:20PM -0000, GitLab Bridge on behalf of
prarit wrote:
> From: Prarit Bhargava <prarit(a)redhat.com>
>
> kernsec.org recommends using SHA512 [1] for kernel module signing. There
> isn't any reason not to do this and the benefit is a stronger module
> hash.
>
> [1]
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme...
>
> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
> ---
> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +-
> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 -
> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 +
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +-
> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +-
> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 -
> 6 files changed, 4 insertions(+), 5 deletions(-)
> delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
> create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
>
> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> index 29ce3726bd4a..5c25197e538b 100644
> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
> @@ -1 +1 @@
> -CONFIG_CRYPTO_SHA512=m
> +CONFIG_CRYPTO_SHA512=y
Why does ark/generic need this but fedora/generic can be removed?
I had assumed you just moved this to common/generic and removed the fedora
override?
Hey dzickus, this patch was already applied.
You've raised a good point that is "kinda" verifiable. There should be a
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there isn't one.
The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in
CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after this
email I will be submitting a patch to add
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512.
As you know I'm working on a new shinier version of evaluate_configs. I've got
the output working. You can see the problem with CONFIG_MODULE_SIG_SHA512 on
Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm and armv7hl):
[prarit@prarit configs]$ ./evaluate_configs_new priority.fedora CONFIG_CRYPTO_SHA512
legend g a 1 2 d da
common-x86_64 - - - - - -
common-x86_64-debug - - - - - -
common-i686 - - - - - -
common-i686-debug - - - - - -
common-ppc64le - - - - - -
common-ppc64le-debug - - - - - -
common-s390x - - - - - -
common-s390x-debug - - - - - -
common-aarch64 - - - - - -
common-aarch64-debug - - - - - -
common-armv7hl - - - - - -
common-armv7hl-debug - - - - - -
common-armv7hl-lpae - - - - - -
common-armv7hl-lpae-debug - - - - - -
pending-common-x86_64 - - - - - -
pending-common-x86_64-debug - - - - - -
pending-common-i686 - - - - - -
pending-common-i686-debug - - - - - -
pending-common-ppc64le - - - - - -
pending-common-ppc64le-debug - - - - - -
pending-common-s390x - - - - - -
pending-common-s390x-debug - - - - - -
pending-common-aarch64 - - - - - -
pending-common-aarch64-debug - - - - - -
pending-common-armv7hl - - - - - -
pending-common-armv7hl-debug - - - - - -
pending-common-armv7hl-lpae - - - - - -
pending-common-armv7hl-lpae-debug - - - - - -
fedora-x86_64 - - - - - -
fedora-x86_64-debug - - - - - -
fedora-i686 - - - - - -
fedora-i686-debug - - - - - -
fedora-ppc64le - - - - - -
fedora-ppc64le-debug - - - - - -
fedora-s390x - - - - - -
fedora-s390x-debug - - - - - -
fedora-aarch64 - - - - - -
fedora-aarch64-debug - - - - - -
fedora-armv7hl - - - - - -
fedora-armv7hl-debug - - - - - -
fedora-armv7hl-lpae - - - - - -
fedora-armv7hl-lpae-debug - - - - - -
pending-fedora-x86_64 - - - - - -
pending-fedora-x86_64-debug - - - - - -
pending-fedora-i686 - - - - - -
pending-fedora-i686-debug - - - - - -
pending-fedora-ppc64le - - - - - -
pending-fedora-ppc64le-debug - - - - - -
pending-fedora-s390x - - - - - -
pending-fedora-s390x-debug - - - - - -
pending-fedora-aarch64 - - - - - -
pending-fedora-aarch64-debug - - - - - -
pending-fedora-armv7hl - - - - - -
pending-fedora-armv7hl-debug - - - - - -
pending-fedora-armv7hl-lpae - - - - - -
pending-fedora-armv7hl-lpae-debug - - - - - -
Similarly on ARK you can see that there is a CONFIG_CRYPTO_SHA512 file in the
ark/generic directory:
[prarit@prarit configs]$ ./evaluate_configs_new priority.rhel CONFIG_CRYPTO_SHA512
legend g a 1 d da
common-x86_64 - - - - -
common-x86_64-debug - - - - -
common-ppc64le - - - - -
common-ppc64le-debug - - - - -
common-s390x - - - - -
common-s390x-debug - - - - -
common-s390x-zfcpdump - - - - -
common-aarch64 - - - - -
common-aarch64-debug - - - - -
ark-x86_64 y - - - -
ark-x86_64-debug y - - - -
ark-ppc64le y - - - -
ark-ppc64le-debug y - - - -
ark-s390x y - - - -
ark-s390x-debug y - - - -
ark-s390x-zfcpdump y - - - -
ark-aarch64 y - - - -
ark-aarch64-debug y - - - -
pending-common-x86_64 - - - - -
pending-common-x86_64-debug - - - - -
pending-common-ppc64le - - - - -
pending-common-ppc64le-debug - - - - -
pending-common-s390x - - - - -
pending-common-s390x-debug - - - - -
pending-common-s390x-zfcpdump - - - - -
pending-common-aarch64 - - - - -
pending-common-aarch64-debug - - - - -
P.
1:48 p.m.
From: Justin Forbes on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/469#note_36766...
Jeremy Cline commented:
Prarit Bhargava prarit(a)redhat.com commented via email:
>>
>> kernsec.org recommends using SHA512 [1] for kernel module signing.
There
>> isn't any reason not to do this and the benefit is a
stronger
module
>> hash.
>>
>> [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Proje
ct/Recommended_Settings
>>
>> Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
>> ---
>> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2
+-
>>
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1
-
>>
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1
+
>> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256
| 2
+-
>> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512
| 2
+-
>> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
| 1
-
>> 6 files changed, 4 insertions(+), 5 deletions(-)
>> delete mode 100644
redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512
>> create mode 100644
redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512
>> delete mode 100644
redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512
>>
>> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> index 29ce3726bd4a..5c25197e538b 100644
>> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512
>> @@ -1 +1 @@
>> -CONFIG_CRYPTO_SHA512=m
>> +CONFIG_CRYPTO_SHA512=y
>
> Why does ark/generic need this but fedora/generic can be removed?
>
> I had assumed you just moved this to common/generic and removed the
fedora
> override?
>
Hey dzickus, this patch was already applied.
You've raised a good point that is "kinda" verifiable. There should
be a
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there
isn't one.
The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in
CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after
this
email I will be submitting a patch to add
redhat/configs/common/generic/CONFIG_CRYPTO_SHA512.
As you know I'm working on a new shinier version of evaluate_configs.
I've
got
the output working. You can see the problem with
CONFIG_MODULE_SIG_SHA512 on
Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm
and armv7hl):
Perhaps this work can tie into
https://gitlab.com/cki-project/kernel-ark/-/issues/30
1:54 p.m.
From: Prarit Bhargava on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/469#note_36767...
jforbes, yup. #30 is EXACTLY what I'm trying to do. It is taking a
while longer than I thought. #stupidmath
P.
1409
days inactive
1417
days old
kernel@lists.fedoraproject.org
8 comments
7 participants
participants (7)
-
Brian Masney -
Don Zickus -
GitLab Bridge on behalf of Justin Forbes -
GitLab Bridge on behalf of prarit
-
GitLab Bridge on behalf of Prarit Bhargava
-
Herton R. Krzesinski -
Prarit Bhargava