authorDimitri John Ledkov <dimitri.ledkov@canonical.com>2023-10-10 22:26:33 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2023-10-20 13:39:26 +0800
commitfc3225fd6f1e6ac07a8463e7751ecfa228880c71 (patch)
tree9a80464a88b4a173b10c930bd0ec83f6f297237c
parentc1d760a47163bec1ecd5c82638c8c234fcbd549e (diff)
module: Do not offer sha224 for built-in module signing
sha224 does not provide enough security against collision attacks relative to the default keys used for signing (RSA 4k & P-384). Also sha224 never became popular, as sha256 got widely adopted ahead of sha224 being introduced. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--kernel/module/Kconfig5
1 files changed, 0 insertions, 5 deletions
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 19a53d5e7736..9d7d45525fc4 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -236,10 +236,6 @@ choice
possible to load a signed module containing the algorithm to check
the signature on that module.
-config MODULE_SIG_SHA224
- bool "Sign modules with SHA-224"
- select CRYPTO_SHA256
-
config MODULE_SIG_SHA256
bool "Sign modules with SHA-256"
select CRYPTO_SHA256
@@ -257,7 +253,6 @@ endchoice
config MODULE_SIG_HASH
string
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
- default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512