Description of problem: $ uname -r 4.12.8-300.fc26.x86_64 $ modinfo usb-storage ... sig_key: sig_hashalgo: md4 Note, this applies to all kernel modules. On RHEL 7 systems a key and SHA-256 is used. Shouldn't the Fedora kernel modules be signed with the same cryptographic mechanisms as RHEL? At least MD4 should replaced.
The kernel config file has this set to SHA256: CONFIG_MODULE_SIG=y # CONFIG_MODULE_SIG_FORCE is not set CONFIG_MODULE_SIG_ALL=y # CONFIG_MODULE_SIG_SHA1 is not set # CONFIG_MODULE_SIG_SHA224 is not set CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" md4 isn't even an option. Perhaps this is a bug in modinfo?
This is quite odd, just noticed the same when building my own kernel. Did use Fedora 27's latest kernels config from /boot. Copied the module in question to a CentOS 7 machine, and it shows no signature information at all there. Then copied it to a gentoo machine (rebuild/updated kmod before checking) and that shows md4 as well. It's also notable the signature is way longer than what CentOS reports on it's own modules. On Fedora 27 (my module): root@builder3 /home/ferry/kernel/linux-4.14.15 # modinfo /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz filename: /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz alias: char-major-14-* license: GPL author: Alan Cox description: Core sound module depends: intree: Y name: soundcore vermagic: 4.14.15 SMP mod_unload sig_id: PKCS#7 signer: sig_key: sig_hashalgo: md4 signature: 30:82:02:18:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:09:30: 82:02:05:02:01:01:31:0D:30:0B:06:09:60:86:48:01:65:03:04:02: 01:30:0B:06:09:2A:86:48:86:F7:0D:01:07:01:31:82:01:E2:30:82: 01:DE:02:01:01:30:81:B8:30:81:AA:31:0B:30:09:06:03:55:04:06: 13:02:4E:4C:31:16:30:14:06:03:55:04:08:0C:0D:4E:6F:6F:72:64: 2D:42:72:61:62:61:6E:74:31:13:30:11:06:03:55:04:07:0C:0A:4F: 69:73:74:65:72:77:69:6A:6B:31:1D:30:1B:06:03:55:04:0A:0C:14: 43:69:74:72:75:73:20:53:6F:66:74:77:61:72:65:20:42:2E:56:2E: 31:30:30:2E:06:03:55:04:03:0C:27:43:69:74:72:75:73:20:53:6F: 66:74:77:61:72:65:20:2D:20:4B:65:72:6E:65:6C:20:4D:6F:64:75: 6C:65:20:53:69:67:6E:69:6E:67:31:1D:30:1B:06:09:2A:86:48:86: F7:0D:01:09:01:16:0E:69:6E:66:6F:40:63:69:74:72:75:73:2E:6E: 6C:02:09:00:A7:00:32:D5:AE:FB:A1:2C:30:0B:06:09:60:86:48:01: 65:03:04:02:01:30:0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00: 04:82:01:00:5B:89:89:2B:38:50:FD:7F:20:6D:AC:1C:3D:B8:0A:9B: 02:3A:20:F0:49:A7:6E:4A:64:90:64:85:4B:15:93:42:41:04:16:5A: 70:81:3D:72:19:BA:BA:C0:F5:E0:0D:16:B9:F0:96:80:A5:5D:0F:C8: EE:11:E3:CC:91:E8:05:0D:A6:91:D2:79:D9:34:5C:83:66:8A:C6:11: 38:18:EB:DB:1D:9D:55:B5:5C:ED:BA:F4:A9:32:A2:C1:34:63:50:DC: 89:D0:E5:A6:B0:C1:B3:74:49:B0:FC:C0:73:89:51:E6:C1:18:96:58: 5C:82:83:1B:49:88:DB:4D:8E:1C:41:0A:C9:F3:2A:E4:B9:BB:42:9F: 58:4B:E9:3D:8C:0E:0D:BF:91:26:5A:3A:9D:F7:98:06:05:1A:37:CD: 54:32:DE:65:58:3A:99:A5:50:5E:6D:8B:D4:AB:87:36:C6:D4:01:36: FC:E5:A1:AB:E7:98:A8:B8:74:2B:16:8F:4F:5B:62:E1:36:1A:50:E8: CD:62:60:1B:C8:AA:BA:9B:23:1B:D0:2D:D7:1C:E9:01:D2:99:AE:CD: 0E:90:78:76:FC:A4:26:F2:8B:B6:18:11:94:14:15:DD:C9:91:64:06: CC:84:8A:45:5E:02:F5:B3:EB:E3:43:3A:C2:39:F3:97:99:D8:2A:17 parm: preclaim_oss:int CentOS 7 (current kernel's module) [root@web-01 ~]# modinfo /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko filename: /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko alias: char-major-14-* license: GPL author: Alan Cox description: Core sound module rhelversion: 7.3 srcversion: 5C2138EBC7579D20483929A depends: intree: Y vermagic: 3.10.0-514.10.2.el7.x86_64 SMP mod_unload modversions signer: CentOS Linux kernel signing key sig_key: 27:F2:04:85:EB:EB:3B:2D:54:AD:D6:1E:57:B3:08:FA:E0:70:F4:1F sig_hashalgo: sha256 parm: preclaim_oss:int CentOS 7 (my module - no signing info at all) [root@web-01 ~]# modinfo /tmp/soundcore.ko.xz filename: /tmp/soundcore.ko.xz alias: char-major-14-* license: GPL author: Alan Cox description: Core sound module depends: intree: Y name: soundcore vermagic: 4.14.15 SMP mod_unload parm: preclaim_oss:int Gentoo shows the same output as Fedora 27 so I omitted it.
*** This bug has been marked as a duplicate of bug 1320921 ***