summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorDimitri John Ledkov <dimitri.ledkov@canonical.com>2023-10-10 23:25:29 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2023-10-20 07:39:26 +0200
commitc1d760a47163bec1ecd5c82638c8c234fcbd549e (patch)
treebda5a40aa2bb521e3f6ec5cc4682ea4007890f8b /crypto
parentcrypto: pkcs7 - remove sha1 support (diff)
downloadlinux-c1d760a47163bec1ecd5c82638c8c234fcbd549e.tar.xz
linux-c1d760a47163bec1ecd5c82638c8c234fcbd549e.zip
crypto: mscode_parser - remove sha224 authenticode support
It is possible to stand up own certificates and sign PE-COFF binaries using SHA-224. However it never became popular or needed since it has similar costs as SHA-256. Windows Authenticode infrastructure never had support for SHA-224, and all secureboot keys used fro linux vmlinuz have always been using at least SHA-256. Given the point of mscode_parser is to support interoperatiblity with typical de-facto hashes, remove support for SHA-224 to avoid posibility of creating interoperatibility issues with rhboot/shim, grub, and non-linux systems trying to sign or verify vmlinux. SHA-224 itself is not removed from the kernel, as it is truncated SHA-256. If requested I can write patches to remove SHA-224 support across all of the drivers. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Acked-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asymmetric_keys/mscode_parser.c3
1 files changed, 0 insertions, 3 deletions
diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
index 6416bded0e07..855cbc46a9c3 100644
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -84,9 +84,6 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
case OID_sha512:
ctx->digest_algo = "sha512";
break;
- case OID_sha224:
- ctx->digest_algo = "sha224";
- break;
case OID__NR:
sprint_oid(value, vlen, buffer, sizeof(buffer));