summaryrefslogtreecommitdiff
path: root/kernel
diff options
context:
space:
mode:
authorDimitri John Ledkov <dimitri.ledkov@canonical.com>2023-10-10 22:22:38 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2023-10-20 13:39:26 +0800
commit16ab7cb5825fc3425c16ad2c6e53d827f382d7c6 (patch)
tree8cf4c325cbdf68f4d256c2ed5c6f4bc7d7d7bc93 /kernel
parentc35b581e5197cced51047beeab0d3ccbfe948764 (diff)
crypto: pkcs7 - remove sha1 support
Removes support for sha1 signed kernel modules, importing sha1 signed x.509 certificates. rsa-pkcs1pad keeps sha1 padding support, which seems to be used by virtio driver. sha1 remains available as there are many drivers and subsystems using it. Note only hmac(sha1) with secret keys remains cryptographically secure. In the kernel there are filesystems, IMA, tpm/pcr that appear to be using sha1. Maybe they can all start to be slowly upgraded to something else i.e. blake3, ParallelHash, SHAKE256 as needed. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/module/Kconfig5
1 files changed, 0 insertions, 5 deletions
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 33a2e991f608..19a53d5e7736 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -236,10 +236,6 @@ choice
possible to load a signed module containing the algorithm to check
the signature on that module.
-config MODULE_SIG_SHA1
- bool "Sign modules with SHA-1"
- select CRYPTO_SHA1
-
config MODULE_SIG_SHA224
bool "Sign modules with SHA-224"
select CRYPTO_SHA256
@@ -261,7 +257,6 @@ endchoice
config MODULE_SIG_HASH
string
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
- default "sha1" if MODULE_SIG_SHA1
default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384