Message ID | 20231010212633.64042-1-dimitri.ledkov@canonical.com (mailing list archive)
---|---
State | New, archived
Series | module: Do not offer sha224 for built-in module signing
On Tue, Oct 10, 2023 at 10:26:33PM +0100, Dimitri John Ledkov wrote:
> sha224 does not provide enough security against collision attacks
> relative to the default keys used for signing (RSA 4k & P-384). Also
> sha224 never became popular, as sha256 got widely adopted ahead of
> sha224 being introduced.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> ---
> kernel/module/Kconfig | 5 -----
> 1 file changed, 5 deletions(-)

Patch applied. Thanks.
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 19a53d5e77..9d7d45525f 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -236,10 +236,6 @@ choice possible to load a signed module containing the algorithm to check the signature on that module. -config MODULE_SIG_SHA224 - bool "Sign modules with SHA-224" - select CRYPTO_SHA256 - config MODULE_SIG_SHA256 bool "Sign modules with SHA-256" select CRYPTO_SHA256 @@ -257,7 +253,6 @@ endchoice config MODULE_SIG_HASH string depends on MODULE_SIG || IMA_APPRAISE_MODSIG - default "sha224" if MODULE_SIG_SHA224 default "sha256" if MODULE_SIG_SHA256 default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512
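Review bot: the removed MODULE_SIG_SHA224 entry selects CRYPTO_SHA256, which the surviving MODULE_SIG_SHA256 entry selects as well, so sha224 stays compiled into the kernel and modules already signed with it will still pass verification at load time; this hunk only changes which hash new modules get signed with. The commit message should say so, and should also say what a .config carrying CONFIG_MODULE_SIG_SHA224=y ends up with after olddefconfig now that the choice entry is gone, since that migration happens without a warning.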
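Review bot: removing the `default "sha224" if MODULE_SIG_SHA224` line is required once the symbol no longer exists, but the diffstat shows only kernel/module/Kconfig changing; check whether the module-signing admin guide under Documentation/ (which lists the selectable CONFIG_MODULE_SIG_SHA* hashes) or anything else still presents sha224 as a supported signing hash, and update it in the same series so the documentation matches the choice list.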
sha224 does not provide enough security against collision attacks
relative to the default keys used for signing (RSA 4k & P-384). Also
sha224 never became popular, as sha256 got widely adopted ahead of
sha224 being introduced.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
kernel/module/Kconfig | 5 -----
1 file changed, 5 deletions(-)
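The Kconfig change above only stops new modules from being signed with sha224 at build time; a module that was already signed with sha224 still carries a valid signature and still loads. An operator who agrees with the rationale in the commit message may therefore want to find such modules on an installed system. The following audit script is an added example for this thread, not code from the kernel tree or from the patch author. It assumes the trailer layout that scripts/sign-file appends to a module (the PKCS#7 DER blob, then the 12-byte struct module_signature, then the "~Module signature appended~\n" magic) and the standard digest OIDs; the sample module images it feeds itself are constructed in the script and are not real builds.

```python
"""Report the digest behind a kernel module's appended signature.

Added example for this thread, not kernel or patch-author code.  Assumed:
the trailer written by scripts/sign-file (PKCS#7 DER, 12-byte struct
module_signature, magic string) and the standard digest OIDs.  The sample
modules built below are constructed, not real builds.
"""
import struct

MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2                 # id_type sign-file writes for PKCS#7 signatures
MODULE_SIG_FMT = ">BBBBB3xI"      # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.4": "sha224",
               "2.16.840.1.101.3.4.2.1": "sha256", "2.16.840.1.101.3.4.2.2": "sha384",
               "2.16.840.1.101.3.4.2.3": "sha512"}
WEAK_DIGESTS = {"sha1", "sha224"}  # audit policy, following the rationale in the thread

def der(tag, payload):
    """DER TLV encoder for the small constructed samples (short length form only)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def oid_encode(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk, p = bytearray([p & 0x7F]), p >> 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der(0x06, bytes(out))

def oid_decode(body):
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs7_digest_algorithms(sig):
    """ContentInfo -> [0] SignedData -> digestAlgorithms, each OID mapped to a name."""
    tag, content_info, _ = read_tlv(sig, 0)
    otag, oid, pos = read_tlv(content_info, 0)
    if tag != 0x30 or otag != 0x06 or oid_decode(oid) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData blob")
    tag, explicit0, _ = read_tlv(content_info, pos)
    if tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT SignedData")
    _, signed_data, _ = read_tlv(explicit0, 0)
    _, _version, pos = read_tlv(signed_data, 0)       # skip INTEGER version
    tag, algo_set, _ = read_tlv(signed_data, pos)
    if tag != 0x31:
        raise ValueError("digestAlgorithms is not a SET")
    names, pos = [], 0
    while pos < len(algo_set):
        _, alg_id, pos = read_tlv(algo_set, pos)      # AlgorithmIdentifier SEQUENCE
        dotted = oid_decode(read_tlv(alg_id, 0)[1])
        names.append(DIGEST_OIDS.get(dotted, dotted))
    return names

def module_signature_digests(module):
    """Digest names of the appended signature, or [] when the magic is absent."""
    if not module.endswith(MAGIC):
        return []
    body, hdr = module[:-len(MAGIC)], struct.calcsize(MODULE_SIG_FMT)
    _a, _h, id_type, _s, _k, sig_len = struct.unpack(MODULE_SIG_FMT, body[-hdr:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    return pkcs7_digest_algorithms(body[-hdr - sig_len:-hdr])

def verdict(module):
    """'unsigned', 'weak:<alg>' or 'ok:<alg>' for one module image."""
    digests = module_signature_digests(module)
    if not digests:
        return "unsigned"
    return ("weak:" if WEAK_DIGESTS & set(digests) else "ok:") + "+".join(digests)

def build_sample_module(payload, digest_oid):
    """Constructed sample: payload + a PKCS#7 skeleton holding only digestAlgorithms
    (no signer, never verifies), framed exactly as sign-file frames a real signature."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, der(0x30, oid_encode(digest_oid))))
    content_info = der(0x30, oid_encode(OID_SIGNED_DATA) + der(0xA0, signed_data))
    trailer = struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(content_info))
    return payload + content_info + trailer + MAGIC

if __name__ == "__main__":
    fake_ko = b"\x7fELF" + b"\x00" * 60                # constructed stand-in for a .ko image
    samples = {"old.ko": build_sample_module(fake_ko, "2.16.840.1.101.3.4.2.4"),
               "new.ko": build_sample_module(fake_ko, "2.16.840.1.101.3.4.2.1"),
               "plain.ko": fake_ko}
    for name, data in samples.items():
        print(name, verdict(data))
```

On a real system, feed `verdict()` the bytes of each file under /lib/modules/$(uname -r); modules shipped as .ko.xz or .ko.zst must be decompressed first, because the signature trailer sits inside the compressed image. kmod's `modinfo -F sig_hashalgo` gives the same answer for a single module and is a convenient cross-check of the parser.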