Public bug reported:
[ Impact ]
* Slow secureboot due to unoptimized signature verification algo
[ Test Plan ]
* Check config enforcement:
If CONFIG_MODULE_SIG_(ALG)=y, then CONFIG_CRYPTO_(ALG)* should be =y as
well
[ Where problems could occur ]
* Very old hardware incapable of a given optimisation will not gain
from having optimised algo built-in
[ Other Info ]
* Full details
Default module signing algo should be accelerated
Default crypto signing algorithm for kernel modules, all its accelerated
versions, should be built-in. This is to allow secureboot of accelerated
machines to boot as quickly as possible when verifying each module
signature.
For example:
given CONFIG_MODULE_SIG_SHA512=y
All of
CONFIG_CRYPTO_SHA512 policy<{'amd64': 'y', 'arm64':
'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}>
CONFIG_CRYPTO_SHA512 note<'module signing'>
CONFIG_CRYPTO_SHA512_ARM policy<{'armhf': 'm'}>
CONFIG_CRYPTO_SHA512_ARM64 policy<{'arm64': 'm'}>
CONFIG_CRYPTO_SHA512_ARM64_CE policy<{'arm64': 'm'}>
CONFIG_CRYPTO_SHA512_S390 policy<{'s390x': 'm'}>
CONFIG_CRYPTO_SHA512_SSSE3 policy<{'amd64': 'm'}>
Should be =y on secureboot platforms.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2034061
Title:
Default module signing algo should be accelerated
Status in linux package in Ubuntu:
Incomplete
Bug description:
[ Impact ]
* Slow secureboot due to unoptimized signature verification algo
[ Test Plan ]
* Check config enforcement:
If CONFIG_MODULE_SIG_(ALG)=y, then CONFIG_CRYPTO_(ALG)* should be =y
as well
[ Where problems could occur ]
* Very old hardware incapable of a given optimisation will not gain
from having optimised algo built-in
[ Other Info ]
* Full details
Default module signing algo should be accelerated
Default crypto signing algorithm for kernel modules, all its
accelerated versions, should be built-in. This is to allow secureboot
of accelerated machines to boot as quickly as possible when verifying
each module signature.
For example:
given CONFIG_MODULE_SIG_SHA512=y
All of
CONFIG_CRYPTO_SHA512 policy<{'amd64': 'y',
'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}>
CONFIG_CRYPTO_SHA512 note<'module signing'>
CONFIG_CRYPTO_SHA512_ARM policy<{'armhf': 'm'}>
CONFIG_CRYPTO_SHA512_ARM64 policy<{'arm64': 'm'}>
CONFIG_CRYPTO_SHA512_ARM64_CE policy<{'arm64': 'm'}>
CONFIG_CRYPTO_SHA512_S390 policy<{'s390x': 'm'}>
CONFIG_CRYPTO_SHA512_SSSE3 policy<{'amd64': 'm'}>
Should be =y on secureboot platforms.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2034061/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
