Sign kernel modules with SHA-512

An XCCDF Rule

Details
Profiles
Prose

Description

This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_SHA512, run the following command: grep CONFIG_MODULE_SIG_SHA512 /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Use of strong hash function is important to secure the module against counterfeit signatures.

ID: xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512
Severity: Medium
References: BP28(R18)
Updated: about 1 year ago