Re: Proposal: Remove MD5 / SHA1 support from veriexec

[Sevan Janiyan <venture37%geeklan.co.uk@localhost>]

On 28/08/2017 07:00, Martin Husemann wrote:
> On Sun, Aug 27, 2017 at 10:08:48PM +0100, Sevan Janiyan wrote:
>> Issues related to physical or console access where you're able take the
>> machine down & boot it back up in single user mode is an entirely
>> different discussion which is out of scope for which hash functions
>> veriexec supports :o)
> 
> I still think a new kernel should just support all hashes that we previously
> allowed to be generated, maybe with some prominent warning that the admin
> should (at their conveniance) upgrade the hashes to a more modern algorithm.
> 
> I hate how openssh regularily removes support for things still in use (and
> still in use for *localy* valid reasons). We should do better.
> 
> I don't think booting a new kernel to single user, replacing the hashes,
> then finding later the kernel does not cut it, rebooting old kernel to
> single user and (maybe) needing to regen hashes again is a sane thing.
> 
> But I don't know if we grew any hashes that ancient kernels did not support
> recently, so this may be mood - or a simple documentation issue.
> 
> Martin
> 

Hi Martin,
Apologies for not replying to your earlier email, no objection in
accommodating your requests on how this change should be. Let me test
out what happens on system with an MD5 based signature file when you
replace it with a kernel that lacks MD5 support and report back.
Just for the record, the default hash function used has always been
SHA256 and there haven't been any new ones added since.


Sevan