[PATCH 1/2] module: Remove SHA-1 support for module signing

Keyrings Archive mirror
 help / color / mirror / Atom feed

From: Petr Pavlu <petr.pavlu@suse.com>
To: David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Petr Pavlu <petr.pavlu@suse.com>,
	Daniel Gomez <da.gomez@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>,
	Aaron Tomlin <atomlin@atomlin.com>
Cc: keyrings@vger.kernel.org, linux-modules@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] module: Remove SHA-1 support for module signing
Date: Tue, 11 Nov 2025 16:48:31 +0100	[thread overview]
Message-ID: <20251111154923.978181-2-petr.pavlu@suse.com> (raw)
In-Reply-To: <20251111154923.978181-1-petr.pavlu@suse.com>

SHA-1 is considered deprecated and insecure due to vulnerabilities that can
lead to hash collisions. Most distributions have already been using SHA-2
for module signing because of this. The default was also changed last year
from SHA-1 to SHA-512 in commit f3b93547b91a ("module: sign with sha512
instead of sha1 by default"). This was not reported to cause any issues.
Therefore, it now seems to be a good time to remove SHA-1 support for
module signing.

Commit 16ab7cb5825f ("crypto: pkcs7 - remove sha1 support") previously
removed support for reading PKCS#7/CMS signed with SHA-1, along with the
ability to use SHA-1 for module signing. This change broke iwd and was
subsequently completely reverted in commit 203a6763ab69 ("Revert "crypto:
pkcs7 - remove sha1 support""). However, dropping only the support for
using SHA-1 for module signing is unrelated and can still be done
separately.

Note that this change only removes support for new modules to be SHA-1
signed, but already signed modules can still be loaded.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
 kernel/module/Kconfig | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 2a1beebf1d37..be74917802ad 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -299,10 +299,6 @@ choice
 	  possible to load a signed module containing the algorithm to check
 	  the signature on that module.

-config MODULE_SIG_SHA1
-	bool "SHA-1"
-	select CRYPTO_SHA1
-
 config MODULE_SIG_SHA256
 	bool "SHA-256"
 	select CRYPTO_SHA256
@@ -332,7 +328,6 @@ endchoice
 config MODULE_SIG_HASH
 	string
 	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
-	default "sha1" if MODULE_SIG_SHA1
 	default "sha256" if MODULE_SIG_SHA256
 	default "sha384" if MODULE_SIG_SHA384
 	default "sha512" if MODULE_SIG_SHA512
-- 
2.51.1

next prev parent reply	other threads:[~2025-11-11 15:49 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-11 15:48 [PATCH 0/2] module: Remove SHA-1 support for module signing Petr Pavlu
2025-11-11 15:48 ` Petr Pavlu [this message]
2025-11-11 22:37   ` [PATCH 1/2] " Aaron Tomlin
2025-11-11 15:48 ` [PATCH 2/2] sign-file: Remove support for signing with PKCS#7 Petr Pavlu
2025-11-11 16:53   ` James Bottomley
2025-11-12 13:51     ` Petr Pavlu
2025-11-12 15:05       ` James Bottomley
2025-11-12 15:36       ` David Howells
2025-11-12 15:47         ` James Bottomley
2025-11-12 15:52           ` David Howells
2025-11-12 15:58             ` James Bottomley
2026-02-02 11:24   ` [PATCH] sign-file, pkcs7: Honour the hash parameter to sign-file David Howells
2026-02-02 11:27     ` David Howells
2026-02-02 12:25     ` Petr Pavlu
2026-02-02 17:01       ` Sami Tolvanen
2025-11-11 16:22 ` [PATCH 0/2] module: Remove SHA-1 support for module signing Sami Tolvanen
2025-12-22 20:24 ` Sami Tolvanen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2a1beebf1d3 dfblob:be74917802a )
 OR (
bs:"[PATCH 1/2] module: Remove SHA-1 support for module signing" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251111154923.978181-2-petr.pavlu@suse.com \
    --to=petr.pavlu@suse.com \
    --cc=atomlin@atomlin.com \
    --cc=da.gomez@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=samitolvanen@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).