於 二,2013-08-27 於 13:30 +0200,Pavel Machek 提到:
On Tue 2013-08-27 18:22:17, joeyli wrote:
於 日,2013-08-25 於 18:43 +0200,Pavel Machek 提到:
On Thu 2013-08-22 19:01:56, Lee, Chun-Yi wrote:
This patch introduced SNAPSHOT_SIG_HASH config for user to select which hash algorithm will be used during signature generation of snapshot.
v2: Add define check of oCONFIG_SNAPSHOT_VERIFICATION in snapshot.c before declare pkey_hash().
Reviewed-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- kernel/power/Kconfig | 46 ++++++++++++++++++++++++++++++++++++++++++++++ kernel/power/snapshot.c | 27 ++++++++++++++++++++++----- 2 files changed, 68 insertions(+), 5 deletions(-)
diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig index b592d88..79b34fa 100644 --- a/kernel/power/Kconfig +++ b/kernel/power/Kconfig @@ -78,6 +78,52 @@ config SNAPSHOT_VERIFICATION dependent on UEFI environment. EFI bootloader should generate the key-pair.
+choice + prompt "Which hash algorithm should snapshot be signed with?" + depends on SNAPSHOT_VERIFICATION + help + This determines which sort of hashing algorithm will be used during + signature generation of snapshot. This algorithm _must_ be built into + the kernel directly so that signature verification can take place. + It is not possible to load a signed snapshot containing the algorithm + to check the signature on that module.
Like if 1000 ifdefs you already added to the code are not enough, you make some new ones? Pavel
This SNAPSHOT_SIG_HASH kernel config is to select which SHA algorithms used for generate digest of snapshot. The configuration will captured by a const char* in code:
+static const char *snapshot_hash = CONFIG_SNAPSHOT_SIG_HASH; + +static int pkey_hash(void)
So, there doesn't have any ifdef block derived from this new config.
I'd say select one hash function, and use it. There's no need to make it configurable. Pavel
There have better performance when SHA algorithm output shorter hash result. On the other hand, longer hash result provide better security. And, on 64-bits system, the SHA512 has better performance then SHA256. Due to user have different use case and different hardware, why not give them this option to make decision? Thanks a lot! Joey LEe -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org