Re: Proposal: Remove MD5 / SHA1 support from veriexec

[Martin Husemann <martin%duskware.de@localhost>]

On Sun, Aug 27, 2017 at 10:08:48PM +0100, Sevan Janiyan wrote:
> Issues related to physical or console access where you're able take the
> machine down & boot it back up in single user mode is an entirely
> different discussion which is out of scope for which hash functions
> veriexec supports :o)

I still think a new kernel should just support all hashes that we previously
allowed to be generated, maybe with some prominent warning that the admin
should (at their conveniance) upgrade the hashes to a more modern algorithm.

I hate how openssh regularily removes support for things still in use (and
still in use for *localy* valid reasons). We should do better.

I don't think booting a new kernel to single user, replacing the hashes,
then finding later the kernel does not cut it, rebooting old kernel to
single user and (maybe) needing to regen hashes again is a sane thing.

But I don't know if we grew any hashes that ancient kernels did not support
recently, so this may be mood - or a simple documentation issue.

Martin