From: Prarit Bhargava <[email protected]> kernsec.org recommends using SHA512 [1] for kernel module signing. There isn't any reason not to do this and the benefit is a stronger module hash.
[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings Signed-off-by: Prarit Bhargava <[email protected]> --- redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +- redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 - redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 + redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +- redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +- redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 - 6 files changed, 4 insertions(+), 5 deletions(-) delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 index 29ce3726bd4a..5c25197e538b 100644 --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 @@ -1 +1 @@ -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y diff --git a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 deleted file mode 100644 index 5c25197e538b..000000000000 --- a/redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SHA512=y diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 new file mode 100644 index 000000000000..63c78568591f --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 @@ -0,0 +1 @@ +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 index b350aa05ab58..f54169c568b1 100644 --- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 +++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 @@ -1 +1 @@ -CONFIG_MODULE_SIG_SHA256=y +# CONFIG_MODULE_SIG_SHA256 is not set diff --git a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 index 2910d833029c..fe14d3f42285 100644 --- a/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 +++ b/redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 @@ -1 +1 @@ -# CONFIG_MODULE_SIG_SHA512 is not set +CONFIG_MODULE_SIG_SHA512=y diff --git a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 deleted file mode 100644 index 5c25197e538b..000000000000 --- a/redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_CRYPTO_SHA512=y -- GitLab _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
