With the latest LibreSSL (3.1.0), this patch allows signing modules with algorithms other than SHA1 (SHA256, SHA512, etc.): https://patchwork.kernel.org/patch/11446123/

Reproducible: Always
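The report above is about which digest sign-file uses. After rebuilding sign-file against a LibreSSL with working CMS, the check a practitioner wants is whether a given .ko really carries a SHA-256 (or SHA-512) signature and not SHA-1. The script below is an added example written for this page; it is not code from the thread, from the kernel tree or from LibreSSL. It relies on the trailer layout that scripts/sign-file appends (the struct module_signature header and the "~Module signature appended~\n" magic from include/linux/module_signature.h) and reads the digest OID out of the CMS digestAlgorithms set, because the header's own hash byte is 0 for PKCS#7/CMS signatures. The function names and build_sample_module are my own constructions, and the sample module it builds is not a valid signed module: its CMS blob is only a digestAlgorithms shell with the right OID.

```python
import struct

# Layout appended by scripts/sign-file (see include/linux/module_signature.h):
#   <module bytes><PKCS#7/CMS DER blob><struct module_signature><magic string>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# __pad[3]; __be32 sig_len. Big-endian, no padding -> 12 bytes.
SIG_HDR = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2  # id_type sign-file writes for a PKCS#7/CMS signature

# Digest OIDs that can appear in the CMS digestAlgorithms set.
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def encode_oid(dotted):
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (short-form length)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for value in parts[2:]:
        chunk = [value & 0x7F]  # base-128, high bit set on all but the last octet
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Inverse of encode_oid for the contents octets of an OBJECT IDENTIFIER."""
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; handles short- and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def walk_oids(buf):
    """Yield every OID in a DER blob, descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] EXPLICIT, ...
            yield from walk_oids(body)


def split_signature(ko):
    """Return (payload, header dict, signature blob), or None if unsigned."""
    if not ko.endswith(MAGIC):
        return None
    body = ko[:-len(MAGIC)]
    fields = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[:-SIG_HDR.size]
    names = ("algo", "hash", "id_type", "signer_len", "key_id_len", "pad", "sig_len")
    header = dict(zip(names, fields))
    if header["sig_len"] == 0 or header["sig_len"] > len(body):
        raise ValueError("corrupt module signature trailer")
    return body[:-header["sig_len"]], header, body[-header["sig_len"]:]


def signature_digest(ko):
    """Digest name the appended CMS signature was made with; None if unsigned."""
    parts = split_signature(ko)
    if parts is None:
        return None
    _payload, header, sig = parts
    if header["id_type"] != PKEY_ID_PKCS7:
        return "unknown-id-type-%d" % header["id_type"]
    # In SignedData the digestAlgorithms SET precedes certificates and
    # signerInfos, so the first digest OID encountered is the one used.
    for oid in walk_oids(sig):
        if oid in DIGEST_OIDS:
            return DIGEST_OIDS[oid]
    return "unknown"


def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; samples are tiny


def build_sample_module(digest_oid):
    """Constructed sample, NOT a real signed module: placeholder payload plus a
    CMS-shaped blob holding only the digestAlgorithms set, then the trailer."""
    payload = b"\x7fELF" + b"\x00" * 60
    digest_alg = _tlv(0x30, encode_oid(digest_oid) + b"\x05\x00")  # AlgorithmIdentifier
    signed_data = _tlv(0x30, b"\x02\x01\x01" + _tlv(0x31, digest_alg))  # version, SET
    cms = _tlv(0x30, encode_oid("1.2.840.113549.1.7.2") + _tlv(0xA0, signed_data))
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\x00" * 3, len(cms))
    return payload + cms + hdr + MAGIC


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: give it a .ko path
        print(signature_digest(open(sys.argv[1], "rb").read()))
    else:
        for oid in ("1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"):
            print(oid, "->", signature_digest(build_sample_module(oid)))
```

Run it with a module path to print sha1/sha256/sha512 for that file; with no arguments it runs over the two constructed samples. On a real module the quick cross-check is modinfo -F sig_hashalgo, which reports the same digest; the script is useful where kmod is not available or where you want the raw trailer fields (for instance to confirm id_type is 2 and that the header's hash byte is indeed 0, so the digest must be read from the CMS blob).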
Actually, CMS functionality is included in LibreSSL since version 3.0.2. The kernel team doesn't need to wait for 3.1.0 to stabilize before they update the sign-file.
(In reply to Progenyx from comment #1)
> Actually, CMS functionality is included in LibreSSL since version 3.0.2. The
> kernel team doesn't need to wait for 3.1.0 to stabilize before they update
> the sign-file.

Ah! Thanks for pointing this out. I hadn't noticed that. It will save me rebuilding against LibreSSL 3.1.0 for my other machines for now.
> CMS functionality is included in LibreSSL since version 3.0.2 AFAIK in 3.0.2 CMS support is partial and disabled by default.
(In reply to Stefan Strogin from comment #3)
> > CMS functionality is included in LibreSSL since version 3.0.2
>
> AFAIK in 3.0.2 CMS support is partial and disabled by default.

Indeed. I tried the kernel patch with LibreSSL 3.0.2; it doesn't work. You need 3.1.0 to make it work.
This will be in gentoo-sources-5.6.15

commit dee616e55bf3f2ced4f2f4688df60626ed2f6a29 (HEAD -> 5.6, origin/5.6)
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Wed May 20 19:10:07 2020 -0400

    sign-file: full functionality with modern LibreSSL

    Bug: https://bugs.gentoo.org/717166

    Signed-off-by: Mike Pagano <mpagano@gentoo.org>
(In reply to Mike Pagano from comment #5)
> This will be in gentoo-sources-5.6.15
>
> commit dee616e55bf3f2ced4f2f4688df60626ed2f6a29 (HEAD -> 5.6, origin/5.6)
> Author: Mike Pagano <mpagano@gentoo.org>
> Date:   Wed May 20 19:10:07 2020 -0400
>
>     sign-file: full functionality with modern LibreSSL
>
>     Bug: https://bugs.gentoo.org/717166
>
>     Signed-off-by: Mike Pagano <mpagano@gentoo.org>

Great. Thanks Mike. Any chance this is included for the LTS kernel too? I use 5.4.x on all my machines.
(In reply to David Duchesne from comment #6)
> Great. Thanks Mike.
> Any chance this is included for LTS kernel too ? Because I use 5.4.x on all
> my machines.

That usually depends on whether it's been added to the stable-queue repos that GregKH maintains, as we try not to carry too many custom patches in Gentoo. That said, there's nothing stopping you from adding it to /etc/portage/patches/<> https://wiki.gentoo.org/wiki//etc/portage/patches ;)
FYI - https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/
Added to 5.4 and 5.6. Closing.

commit fc41eb3ddc9a0920c23174ef59d9a20cd6415e09
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Tue Jun 2 07:36:46 2020 -0400

    sign-file: full functionality with modern LibreSSL

    Bug: https://bugs.gentoo.org/717166

    Signed-off-by: Mike Pagano <mpagano@gentoo.org>