On 14.11.2016 00:06, taii...@gmx.com wrote:
> Shouldn't we be using sha256 or sha512? I am not a crypto expert but
> AFAIK couldn't sha1 collisions be easily generated with the type
> of resources available to someone who would want to attack coreboot?

AFAIK, there is no known attack on SHA-1 yet that could break security
in this scenario (the attacker wouldn't only have to find any collision
but a collision for a given hash which takes a power of 2 in time).

Anyway, there is a patch on review, that makes use of SHA-384 and should
make the checksum generation trustworthy:
https://review.coreboot.org/#/c/15170/

> 
> 
> On 11/06/2016 07:15 PM, Iru Cai wrote:
>> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
>> cloned from the git repository via HTTPS or SSH, so I think we don't need
>> to worry.

Alas, the current checksum is only verified for already downloaded
files.

Nico


-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot
