Bug 739472

Summary: sys-kernel/gentoo-sources - sign-file: LibreSSL only supports SHA1 signing for kernel modules
Product: Gentoo Linux Reporter: tonemgub
Component: Current packages Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel>
Status: RESOLVED INVALID    
Severity: normal Keywords: PATCH
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.kernel.org/show_bug.cgi?id=202159
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 561854    
Attachments: sign-file: full functionality with modern LibreSSL

Description tonemgub 2020-08-29 01:22:11 UTC
As reported on the forum: https://forums.gentoo.org/viewtopic-t-1107190-highlight-.html

Linux kernel currently is bugged when LibreSSL is used and refuses to support anything higher than SHA1 for module signing. Since SHA1 is mostly considered insecure and prone to collision attacks it is pretty typical to use SHA256. See URL for current upstream bug.

The patch there is currently lying around in limbo for the past few months, so until they get around to landing, it should be included in Gentoo if libressl is used.

Reproducible: Always



Expected Results:  
Kernel should build with LibreSSL supporting SHA256/512 etc.
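
To check which digest an already-built module was signed with (the SHA1 versus SHA256 concern in the description), the following added example, which is not part of the bug report or the attached patch, reads the signature trailer that `scripts/sign-file` appends and scans the PKCS#7 blob for a known digest OID. The OID scan is a heuristic rather than a full ASN.1 parse, it assumes an uncompressed `.ko` file, and the function names and sample bytes are constructed here.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING in the kernel source
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
TRAILER = struct.Struct(">5B3xI")
PKEY_ID_PKCS7 = 2  # id_type written for PKCS#7 signatures

# DER encodings of the digest algorithm OIDs to look for
DIGEST_OIDS = {
    bytes.fromhex("06052b0e03021a"): "sha1",
    bytes.fromhex("0609608648016503040204"): "sha224",
    bytes.fromhex("0609608648016503040201"): "sha256",
    bytes.fromhex("0609608648016503040202"): "sha384",
    bytes.fromhex("0609608648016503040203"): "sha512",
}

def module_sig_digest(blob):
    """Return the digest name of an appended module signature, or None if unsigned."""
    if not blob.endswith(MAGIC):
        return None
    trailer_end = len(blob) - len(MAGIC)
    if trailer_end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    trailer = blob[trailer_end - TRAILER.size:trailer_end]
    _algo, _hash, id_type, _slen, _klen, sig_len = TRAILER.unpack(trailer)
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("not a PKCS#7 module signature (id_type=%d)" % id_type)
    sig_start = trailer_end - TRAILER.size - sig_len
    if sig_start < 0:
        raise ValueError("sig_len exceeds file size")
    pkcs7 = blob[sig_start:trailer_end - TRAILER.size]
    # Heuristic: the earliest digest OID in the blob is taken as the signing digest.
    hits = [(pkcs7.find(oid), name) for oid, name in DIGEST_OIDS.items() if oid in pkcs7]
    return min(hits)[1] if hits else "unknown"

def constructed_module(digest):
    """Constructed sample: placeholder bytes plus a bare AlgorithmIdentifier, not a real signature."""
    oid = next(o for o, n in DIGEST_OIDS.items() if n == digest)
    sig = bytes([0x30, len(oid) + 2]) + oid + b"\x05\x00"
    return b"\x7fELF-constructed" + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, module_sig_digest(fh.read()) or "unsigned")
```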
Comment 1 tonemgub 2020-08-29 01:25:39 UTC
Created attachment 657348 [details, diff]
sign-file: full functionality with modern LibreSSL

Patch from upstream kernel.org
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-29 11:42:28 UTC
I tend to reject this patch.

There's a reason why upstream did not accept the patch.

Also, current stable libressl version in Gentoo is 

> /var/tmp/portage/dev-libs/libressl-3.1.3/image/usr/include/openssl/opensslv.h:#define LIBRESSL_VERSION_NUMBER 0x3010300fL

so we do not really need this patch.
Comment 3 tonemgub 2020-08-29 14:24:22 UTC
(In reply to Thomas Deutschmann from comment #2)
> 
> so we do not really need this patch.

For some reason compiling with module signing >=SHA256 still fails on latest stable kernel and latest stable LibreSSL for me. Same error.
Comment 4 Mike Pagano gentoo-dev 2021-01-02 00:14:01 UTC
The process to remove libressl from Gentoo has been initiated and is tracked at:

Bug 762847 - dev-libs/libressl: Removal