Re: module signing: Changing to MODULE_SIG_SHA3_512
On Thu, Nov 9, 2023 at 8:29 AM Josh Boyer wrote:
>
> On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava wrote:
> >
> > On 11/9/23 08:13, Josh Boyer wrote:
> > > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
> > >>
> > >> On 11/8/23 08:33, Prarit Bhargava wrote:
> > >>> Hey everyone,
> > >>>
> > >>> The current kernel configs generate
> > >>>
> > >>> # CONFIG_MODULE_SIG_FORCE is not set
> > >>> CONFIG_MODULE_SIG_ALL=y
> > >>> # CONFIG_MODULE_SIG_SHA256 is not set
> > >>> # CONFIG_MODULE_SIG_SHA384 is not set
> > >>> CONFIG_MODULE_SIG_SHA512=y
> > >>> # CONFIG_MODULE_SIG_SHA3_256 is not set
> > >>> # CONFIG_MODULE_SIG_SHA3_384 is not set
> > >>> # CONFIG_MODULE_SIG_SHA3_512 is not set
> > >>> CONFIG_MODULE_SIG_HASH="sha512"
> > >>>
> > >>> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> > >>>
> > >>> we can strengthen the module signing algorithm to
> > >>> CONFIG_MODULE_SIG_SHA3_512.
> > >>>
> > >>> I'd like to do this before Fedora40, as it will be the basis of
> > >>> centos-stream-10 and RHEL10.
> > >>>
> > >>> Thoughts or concerns?
> > >>>
> > >>> P.
> > >>
> > >> I took a closer look at this and there doesn't appear to be an issue
> > >> with doing this in the kernel. Build times and boot times seem
> > >> consistent before and after the change.
> > >>
> > >> However, depmod (from kmod) needs an update if we make this change. The
> > >> current fedora version of kmod, -31, segfaults in the modules_install
> > >> target. I ran the latest upstream version of kmod and AFAICT that works.
> > >>
> > >> I will wait for kmod to be updated to at least version -32 and then
> > >> request that we change the module signing algorithm to SHA3_512, unless
> > >> there are any objections.
> > >
> > > The latest kmod in fedora is -30. I was just looking at packaging -31
> > > today. Are the above version numbers typos, or did you get kmod from
> > > somewhere else?
> > >
> >
> > Whoops. Yep, typos. Sorry, off by one in my brain.
>
> OK, thanks. I might look at the commits beyond -31 and see about
> adding them if they aren't too much of a departure from the release.

https://koji.fedoraproject.org/koji/buildinfo?buildID=2318246

josh
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: module signing: Changing to MODULE_SIG_SHA3_512
On Thu, Nov 9, 2023 at 8:23 AM Prarit Bhargava wrote:
>
> On 11/9/23 08:13, Josh Boyer wrote:
> > On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
> >>
> >> On 11/8/23 08:33, Prarit Bhargava wrote:
> >>> Hey everyone,
> >>>
> >>> The current kernel configs generate
> >>>
> >>> # CONFIG_MODULE_SIG_FORCE is not set
> >>> CONFIG_MODULE_SIG_ALL=y
> >>> # CONFIG_MODULE_SIG_SHA256 is not set
> >>> # CONFIG_MODULE_SIG_SHA384 is not set
> >>> CONFIG_MODULE_SIG_SHA512=y
> >>> # CONFIG_MODULE_SIG_SHA3_256 is not set
> >>> # CONFIG_MODULE_SIG_SHA3_384 is not set
> >>> # CONFIG_MODULE_SIG_SHA3_512 is not set
> >>> CONFIG_MODULE_SIG_HASH="sha512"
> >>>
> >>> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> >>>
> >>> we can strengthen the module signing algorithm to
> >>> CONFIG_MODULE_SIG_SHA3_512.
> >>>
> >>> I'd like to do this before Fedora40, as it will be the basis of
> >>> centos-stream-10 and RHEL10.
> >>>
> >>> Thoughts or concerns?
> >>>
> >>> P.
> >>
> >> I took a closer look at this and there doesn't appear to be an issue
> >> with doing this in the kernel. Build times and boot times seem
> >> consistent before and after the change.
> >>
> >> However, depmod (from kmod) needs an update if we make this change. The
> >> current fedora version of kmod, -31, segfaults in the modules_install
> >> target. I ran the latest upstream version of kmod and AFAICT that works.
> >>
> >> I will wait for kmod to be updated to at least version -32 and then
> >> request that we change the module signing algorithm to SHA3_512, unless
> >> there are any objections.
> >
> > The latest kmod in fedora is -30. I was just looking at packaging -31
> > today. Are the above version numbers typos, or did you get kmod from
> > somewhere else?
> >
>
> Whoops. Yep, typos. Sorry, off by one in my brain.

OK, thanks. I might look at the commits beyond -31 and see about
adding them if they aren't too much of a departure from the release.
josh
Re: module signing: Changing to MODULE_SIG_SHA3_512
On 11/9/23 08:13, Josh Boyer wrote:
> On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
>>
>> On 11/8/23 08:33, Prarit Bhargava wrote:
>>> Hey everyone,
>>>
>>> The current kernel configs generate
>>>
>>> # CONFIG_MODULE_SIG_FORCE is not set
>>> CONFIG_MODULE_SIG_ALL=y
>>> # CONFIG_MODULE_SIG_SHA256 is not set
>>> # CONFIG_MODULE_SIG_SHA384 is not set
>>> CONFIG_MODULE_SIG_SHA512=y
>>> # CONFIG_MODULE_SIG_SHA3_256 is not set
>>> # CONFIG_MODULE_SIG_SHA3_384 is not set
>>> # CONFIG_MODULE_SIG_SHA3_512 is not set
>>> CONFIG_MODULE_SIG_HASH="sha512"
>>>
>>> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
>>>
>>> we can strengthen the module signing algorithm to
>>> CONFIG_MODULE_SIG_SHA3_512.
>>>
>>> I'd like to do this before Fedora40, as it will be the basis of
>>> centos-stream-10 and RHEL10.
>>>
>>> Thoughts or concerns?
>>>
>>> P.
>>
>> I took a closer look at this and there doesn't appear to be an issue
>> with doing this in the kernel. Build times and boot times seem
>> consistent before and after the change.
>>
>> However, depmod (from kmod) needs an update if we make this change. The
>> current fedora version of kmod, -31, segfaults in the modules_install
>> target. I ran the latest upstream version of kmod and AFAICT that works.
>>
>> I will wait for kmod to be updated to at least version -32 and then
>> request that we change the module signing algorithm to SHA3_512, unless
>> there are any objections.
>
> The latest kmod in fedora is -30. I was just looking at packaging -31
> today. Are the above version numbers typos, or did you get kmod from
> somewhere else?
>

Whoops. Yep, typos. Sorry, off by one in my brain.

P.

> josh
Re: module signing: Changing to MODULE_SIG_SHA3_512
On Thu, Nov 9, 2023 at 8:03 AM Prarit Bhargava wrote:
>
> On 11/8/23 08:33, Prarit Bhargava wrote:
> > Hey everyone,
> >
> > The current kernel configs generate
> >
> > # CONFIG_MODULE_SIG_FORCE is not set
> > CONFIG_MODULE_SIG_ALL=y
> > # CONFIG_MODULE_SIG_SHA256 is not set
> > # CONFIG_MODULE_SIG_SHA384 is not set
> > CONFIG_MODULE_SIG_SHA512=y
> > # CONFIG_MODULE_SIG_SHA3_256 is not set
> > # CONFIG_MODULE_SIG_SHA3_384 is not set
> > # CONFIG_MODULE_SIG_SHA3_512 is not set
> > CONFIG_MODULE_SIG_HASH="sha512"
> >
> > With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
> >
> > we can strengthen the module signing algorithm to
> > CONFIG_MODULE_SIG_SHA3_512.
> >
> > I'd like to do this before Fedora40, as it will be the basis of
> > centos-stream-10 and RHEL10.
> >
> > Thoughts or concerns?
> >
> > P.
>
> I took a closer look at this and there doesn't appear to be an issue
> with doing this in the kernel. Build times and boot times seem
> consistent before and after the change.
>
> However, depmod (from kmod) needs an update if we make this change. The
> current fedora version of kmod, -31, segfaults in the modules_install
> target. I ran the latest upstream version of kmod and AFAICT that works.
>
> I will wait for kmod to be updated to at least version -32 and then
> request that we change the module signing algorithm to SHA3_512, unless
> there are any objections.

The latest kmod in fedora is -30. I was just looking at packaging -31
today. Are the above version numbers typos, or did you get kmod from
somewhere else?
josh
Re: module signing: Changing to MODULE_SIG_SHA3_512
On 11/8/23 08:33, Prarit Bhargava wrote:
> Hey everyone,
>
> The current kernel configs generate
>
> # CONFIG_MODULE_SIG_FORCE is not set
> CONFIG_MODULE_SIG_ALL=y
> # CONFIG_MODULE_SIG_SHA256 is not set
> # CONFIG_MODULE_SIG_SHA384 is not set
> CONFIG_MODULE_SIG_SHA512=y
> # CONFIG_MODULE_SIG_SHA3_256 is not set
> # CONFIG_MODULE_SIG_SHA3_384 is not set
> # CONFIG_MODULE_SIG_SHA3_512 is not set
> CONFIG_MODULE_SIG_HASH="sha512"
>
> With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802
>
> we can strengthen the module signing algorithm to
> CONFIG_MODULE_SIG_SHA3_512.
>
> I'd like to do this before Fedora40, as it will be the basis of
> centos-stream-10 and RHEL10.
>
> Thoughts or concerns?
>
> P.

I took a closer look at this and there doesn't appear to be an issue
with doing this in the kernel. Build times and boot times seem
consistent before and after the change.

However, depmod (from kmod) needs an update if we make this change. The
current fedora version of kmod, -31, segfaults in the modules_install
target. I ran the latest upstream version of kmod and AFAICT that works.

I will wait for kmod to be updated to at least version -32 and then
request that we change the module signing algorithm to SHA3_512, unless
there are any objections.

P.
module signing: Changing to MODULE_SIG_SHA3_512
Hey everyone,

The current kernel configs generate

# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
# CONFIG_MODULE_SIG_SHA3_256 is not set
# CONFIG_MODULE_SIG_SHA3_384 is not set
# CONFIG_MODULE_SIG_SHA3_512 is not set
CONFIG_MODULE_SIG_HASH="sha512"

With https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2802

we can strengthen the module signing algorithm to
CONFIG_MODULE_SIG_SHA3_512.

I'd like to do this before Fedora40, as it will be the basis of
centos-stream-10 and RHEL10.

Thoughts or concerns?

P.
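
Added example, not part of the original post or of the kernel-ark merge request: a small Python audit of the module-signing fragment quoted above. It checks that exactly one CONFIG_MODULE_SIG_<hash> choice is set and that CONFIG_MODULE_SIG_HASH agrees with it. The "sha3-*" strings, the function names and the PROPOSED fragment are assumptions constructed for illustration.

```python
import re

# Hash choices from the thread, mapped to the CONFIG_MODULE_SIG_HASH string
# each should produce; the "sha3-*" spellings are an assumption of this example.
NAMES = ("SHA256", "SHA384", "SHA512", "SHA3_256", "SHA3_384", "SHA3_512")
HASH_CHOICES = {f"CONFIG_MODULE_SIG_{n}": n.lower().replace("_", "-") for n in NAMES}
SET_RE = re.compile(r'^(CONFIG_\w+)=(.*)$')
UNSET_RE = re.compile(r'^# (CONFIG_\w+) is not set$')

def parse_config(text):
    """Return {symbol: value}; '# ... is not set' symbols map to None."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if m := SET_RE.match(line):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line):
            cfg[m.group(1)] = None
    return cfg

def audit_module_signing(text):
    """Return (selected_hash_or_None, findings) for a .config fragment."""
    cfg, findings, selected = parse_config(text), [], None
    enabled = [s for s in HASH_CHOICES if cfg.get(s) == "y"]
    if len(enabled) != 1:
        findings.append(f"expected exactly one hash choice, got {enabled}")
    else:
        selected = HASH_CHOICES[enabled[0]]
        if cfg.get("CONFIG_MODULE_SIG_HASH") != selected:
            findings.append(f"CONFIG_MODULE_SIG_HASH does not match {enabled[0]}")
    if cfg.get("CONFIG_MODULE_SIG_ALL") != "y":
        findings.append("CONFIG_MODULE_SIG_ALL is off: modules are not signed at modules_install")
    if cfg.get("CONFIG_MODULE_SIG_FORCE") != "y":
        findings.append("CONFIG_MODULE_SIG_FORCE is off: config alone does not reject unsigned modules")
    return selected, findings
# The fragment quoted in the thread.
CURRENT = """# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
# CONFIG_MODULE_SIG_SHA3_256 is not set
# CONFIG_MODULE_SIG_SHA3_384 is not set
# CONFIG_MODULE_SIG_SHA3_512 is not set
CONFIG_MODULE_SIG_HASH="sha512"
"""
# Constructed: the same fragment with the choice moved to SHA3_512.
PROPOSED = (CURRENT.replace("CONFIG_MODULE_SIG_SHA512=y", "# CONFIG_MODULE_SIG_SHA512 is not set")
            .replace("# CONFIG_MODULE_SIG_SHA3_512 is not set", "CONFIG_MODULE_SIG_SHA3_512=y")
            .replace('"sha512"', '"sha3-512"'))
```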