module: Do not offer sha224 for built-in module signing

sha224 does not provide enough security against collision attacks
relative to the default keys used for signing (RSA 4k & P-384). Also
sha224 never became popular, as sha256 got widely adopter ahead of
sha224 being introduced.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 19a53d5e77362c75ed8bd7625474dedfd78ae6a4..9d7d45525fc47c4a95a4dca831a6979a0bc7c7ba 100644 (file)
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -236,10 +236,6 @@ choice
          possible to load a signed module containing the algorithm to check
          the signature on that module.
 
-config MODULE_SIG_SHA224
-       bool "Sign modules with SHA-224"
-       select CRYPTO_SHA256
-
 config MODULE_SIG_SHA256
        bool "Sign modules with SHA-256"
        select CRYPTO_SHA256
@@ -257,7 +253,6 @@ endchoice
 config MODULE_SIG_HASH
        string
        depends on MODULE_SIG || IMA_APPRAISE_MODSIG
-       default "sha224" if MODULE_SIG_SHA224
        default "sha256" if MODULE_SIG_SHA256
        default "sha384" if MODULE_SIG_SHA384
        default "sha512" if MODULE_SIG_SHA512