Bug 739472 - sys-kernel/gentoo-sources - sign-file: LibreSSL only supports SHA1 signing for kernel modules
Summary: sys-kernel/gentoo-sources - sign-file: LibreSSL only supports SHA1 signing fo...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: libressl-support
Reported: 2020-08-29 01:22 UTC by tonemgub
Modified: 2020-08-29 14:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
sign-file: full functionality with modern LibreSSL (sign-file-full-functionality-with-modern-LibreSSL.diff,624 bytes, patch)
2020-08-29 01:25 UTC, tonemgub

Description tonemgub 2020-08-29 01:22:11 UTC
As reported on the forum: https://forums.gentoo.org/viewtopic-t-1107190-highlight-.html

The Linux kernel is currently bugged when LibreSSL is used and refuses to support anything higher than SHA1 for module signing. Since SHA1 is mostly considered insecure and prone to collision attacks, it is pretty typical to use SHA256. See URL for the current upstream bug.

The patch there has been lying around in limbo for the past few months, so until they get around to landing it, it should be included in Gentoo if libressl is used.

Reproducible: Always

Expected Results:
Kernel should build with LibreSSL supporting SHA256/512 etc.
Comment 1 tonemgub 2020-08-29 01:25:39 UTC
Created attachment 657348 [details, diff]
sign-file: full functionality with modern LibreSSL

Patch from upstream kernel.org
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-08-29 11:42:28 UTC
I tend to reject this patch.

There's a reason why upstream did not accept the patch.

Also, current stable libressl version in Gentoo is

> /var/tmp/portage/dev-libs/libressl-3.1.3/image/usr/include/openssl/opensslv.h:#define LIBRESSL_VERSION_NUMBER 0x3010300fL

so we do not really need this patch.
Comment 3 tonemgub 2020-08-29 14:24:22 UTC
(In reply to Thomas Deutschmann from comment #2)
> 
> so we do not really need this patch.

For some reason compiling with module signing >=SHA256 still fails on latest stable kernel and latest stable LibreSSL for me. Same error.
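When sign-file cannot use anything stronger than SHA1, the practical risk is that modules end up signed with CONFIG_MODULE_SIG_HASH=sha1 as a workaround. The following added audit script (not from this bug, the kernel or Gentoo) flags modules whose signature hash is sha1 or missing, reading "path: hashalgo" lines in the style of `modinfo -F sig_hashalgo`; the module paths and kernel version in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example: list kernel modules whose signature uses the weak SHA1
# hash (or that carry no signature hash at all).
# Input records on stdin look like "<module path>: <hash algorithm>",
# which is what the real-system usage at the bottom produces.

# weak_sig_modules: print the path of every module whose hash is sha1
# or empty, one per line.
weak_sig_modules() {
    while IFS= read -r line; do
        path=${line%%:*}          # everything before the first ':'
        algo=${line#*:}           # everything after it ...
        algo=${algo# }            # ... minus one leading space
        case "$algo" in
            sha1|"") printf '%s\n' "$path" ;;
        esac
    done
}

# count_weak: run the check over a constructed sample and return the
# number of flagged modules (paths and version 5.8.5 are made up).
count_weak() {
    printf '%s\n' \
        '/lib/modules/5.8.5/kernel/fs/ext4/ext4.ko: sha256' \
        '/lib/modules/5.8.5/kernel/net/ipv4/tcp_bbr.ko: sha1' \
        '/lib/modules/5.8.5/kernel/drivers/usb/storage/usb-storage.ko: sha1' \
        '/lib/modules/5.8.5/extra/vendor.ko:' \
    | weak_sig_modules | wc -l | tr -d ' '
}

# Real-system usage (not run here): feed every installed module through
# modinfo, which prints an empty field for unsigned modules.
#   find "/lib/modules/$(uname -r)" -name '*.ko' | while IFS= read -r m; do
#       printf '%s: %s\n' "$m" "$(modinfo -F sig_hashalgo "$m")"
#   done | weak_sig_modules
```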