Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717166 - sys-kernel/gentoo-sources sign-file: full functionality with modern LibreSSL [PATCH]
Summary: sys-kernel/gentoo-sources sign-file: full functionality with modern LibreSSL ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal enhancement
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL:
Whiteboard: gentoo-sources-5.6.15
Keywords: InVCS
Depends on:
Blocks:
 
Reported: 2020-04-12 04:30 UTC by David Duchesne
Modified: 2020-06-05 15:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Duchesne 2020-04-12 04:30:15 UTC
With latest Libressl (3.1.0), this patch allows to sign modules with other algorithm than SHA1 (SHA256,512 etc..)

https://patchwork.kernel.org/patch/11446123/

Reproducible: Always
Comment 1 Progenyx 2020-04-12 11:55:59 UTC
Actually, CMS functionality is included in LibreSSL since version 3.0.2. The kernel team doesn't need to wait for 3.1.0 to stabilize before they update the sign-file.
Comment 2 David Duchesne 2020-04-12 13:34:55 UTC
(In reply to Progenyx from comment #1)
> Actually, CMS functionality is included in LibreSSL since version 3.0.2. The
> kernel team doesn't need to wait for 3.1.0 to stabilize before they update
> the sign-file.
Ah! Thanks for pointing this out. I hadn't noticed that. It will save me rebuild against Libressl 3.1.0 for my other machines for now.
Comment 3 Stefan Strogin gentoo-dev 2020-04-23 20:14:07 UTC
> CMS functionality is included in LibreSSL since version 3.0.2

AFAIK in 3.0.2 CMS support is partial and disabled by default.
Comment 4 David Duchesne 2020-04-25 12:06:01 UTC
(In reply to Stefan Strogin from comment #3)
> > CMS functionality is included in LibreSSL since version 3.0.2
> 
> AFAIK in 3.0.2 CMS support is partial and disabled by default.

Indeed. I tried the kernel patch with Libressl 3.0.2, it doesn't work. You need 3.1.0 to make it work.
Comment 5 Mike Pagano gentoo-dev 2020-05-20 23:16:49 UTC
This will be in gentoo-sources-5.6.15


commit dee616e55bf3f2ced4f2f4688df60626ed2f6a29 (HEAD -> 5.6, origin/5.6)
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Wed May 20 19:10:07 2020 -0400

    sign-file: full functionality with modern LibreSSL
    
    Bug: https://bugs.gentoo.org/717166
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Comment 6 David Duchesne 2020-05-31 09:53:19 UTC
(In reply to Mike Pagano from comment #5)
> This will be in gentoo-sources-5.6.15
> 
> 
> commit dee616e55bf3f2ced4f2f4688df60626ed2f6a29 (HEAD -> 5.6, origin/5.6)
> Author: Mike Pagano <mpagano@gentoo.org>
> Date:   Wed May 20 19:10:07 2020 -0400
> 
>     sign-file: full functionality with modern LibreSSL
>     
>     Bug: https://bugs.gentoo.org/717166
>     
>     Signed-off-by: Mike Pagano <mpagano@gentoo.org>

Great. Thanks Mike.
Any chance this is included for LTS kernel too ? Because I use 5.4.x on all my machines.
Comment 7 Michael 'veremitz' Everitt 2020-05-31 10:55:04 UTC
(In reply to David Duchesne from comment #6)
> 
> Great. Thanks Mike.
> Any chance this is included for LTS kernel too ? Because I use 5.4.x on all
> my machines.

That usually depends on whether it's been added to the stable-queue repos that GregKH maintains, as we try not to carry too many custom patches in Gentoo.

That said, there's nothing stopping you adding it to /etc/portage/patches/<> https://wiki.gentoo.org/wiki//etc/portage/patches ;)
Comment 8 Michael 'veremitz' Everitt 2020-05-31 10:57:03 UTC
FYI - https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/
Comment 9 Mike Pagano gentoo-dev 2020-06-05 15:35:44 UTC
Added to 5.4 and 5.6. Closing.


commit fc41eb3ddc9a0920c23174ef59d9a20cd6415e09
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Tue Jun 2 07:36:46 2020 -0400

    sign-file: full functionality with modern LibreSSL
    
    Bug: https://bugs.gentoo.org/717166
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>