From: Justin Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/469#note_367667925
> > Jeremy Cline commented: > > Prarit Bhargava [email protected] commented via email: > > >> > >> kernsec.org recommends using SHA512 [1] for kernel module signing. There > >> isn't any reason not to do this and the benefit is a stronger module > >> hash. > >> > >> [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Proje ct/Recommended_Settings > >> > >> Signed-off-by: Prarit Bhargava <[email protected]> > >> --- > >> redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 | 2 +- > >> redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 | 1 - > >> redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 | 1 + > >> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA256 | 2 +- > >> redhat/configs/common/generic/CONFIG_MODULE_SIG_SHA512 | 2 +- > >> redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 | 1 - > >> 6 files changed, 4 insertions(+), 5 deletions(-) > >> delete mode 100644 redhat/configs/ark/generic/s390x/zfcpdump/CONFIG_CRYPTO_SHA512 > >> create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA512 > >> delete mode 100644 redhat/configs/fedora/generic/CONFIG_CRYPTO_SHA512 > >> > >> diff --git a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 > >> index 29ce3726bd4a..5c25197e538b 100644 > >> --- a/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 > >> +++ b/redhat/configs/ark/generic/CONFIG_CRYPTO_SHA512 > >> @@ -1 +1 @@ > >> -CONFIG_CRYPTO_SHA512=m > >> +CONFIG_CRYPTO_SHA512=y > > > > Why does ark/generic need this but fedora/generic can be removed? > > > > I had assumed you just moved this to common/generic and removed the fedora > > override? > > > > Hey dzickus, this patch was already applied. > > You've raised a good point that is "kinda" verifiable. There should be a > redhat/configs/common/generic/CONFIG_CRYPTO_SHA512 file and there isn't one. > > The good news is that selecting CONFIG_MODULE_SIG_SHA512=y results in > CONFIG_CRYPTO_SHA512=y so we're okay for right now. Immediately after this > email I will be submitting a patch to add > redhat/configs/common/generic/CONFIG_CRYPTO_SHA512. > > As you know I'm working on a new shinier version of evaluate_configs. I've got > the output working. You can see the problem with CONFIG_MODULE_SIG_SHA512 on > Fedora (the 1 and 2 refer to arch steps, like x86 and x86_64, or arm and armv7hl): Perhaps this work can tie into https://gitlab.com/cki-project/kernel-ark/-/issues/30 _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
