Linux 6.14 To Switch From SHA1 To SHA512 For Module Signing By Default

Written by Michael Larabel in Linux Kernel on 26 January 2025 at 08:27 PM EST.
While many Linux distribution vendor kernels already sign modules with SHA-512 rather than the upstream default of SHA-1, the upstream Linux 6.14 kernel is now also switching its default to SHA-512 for better security.

With the latest code merged to the mainline Linux 6.14 Git kernel today, SHA512 is now the default rather than SHA1 for signing kernel modules. SHA512 is more modern and much more secure against attacks than SHA1, whose weaknesses have been well known for many years at this point. Many other software components have already discontinued the use of SHA1. SHA1 signing support remains available within the Linux kernel at this time but is no longer the default.

The OpenSSL builds used by some current and future Linux distributions also error out when trying to use SHA1 signatures for kernel modules, which in turn can lead to kernel build failures.

Kernel SHA512 module default Kconfig


Using SHA512 as the upstream default for signing kernel modules is a long overdue change. It was merged today as part of the module changes for Linux 6.14.
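To check which side of this default change a given kernel build is on, the following added example (not code from the article or the kernel tree) classifies the module-signing hash in a kernel .config. The CONFIG_MODULE_SIG* symbol names are those of the kernel's module Kconfig rather than anything quoted in the article, the sample configs are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Constructed sample configs (not taken from any real distribution).
SAMPLE_OLD_DEFAULT='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA1=y
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha1"'
SAMPLE_NEW_DEFAULT='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"'
SAMPLE_UNSIGNED='# CONFIG_MODULE_SIG is not set'

# audit_module_sig (hypothetical helper): reads kernel config text on stdin
# and prints one verdict line.
# Return status: 0 = non-SHA1 hash, 1 = SHA1 in use,
#                2 = signing disabled or hash not recorded.
audit_module_sig() {
    cfg=$(cat)
    # A disabled option appears as "# CONFIG_MODULE_SIG is not set" or is absent.
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_MODULE_SIG=y$'; then
        echo "module signing disabled"
        return 2
    fi
    # CONFIG_MODULE_SIG_HASH carries the digest name as a quoted string;
    # if the file sets it more than once, the last assignment wins.
    hash=$(printf '%s\n' "$cfg" |
        sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' | tail -n 1)
    case "$hash" in
        sha1) echo "WEAK: modules signed with sha1"; return 1 ;;
        "")   echo "signing enabled, hash not set"; return 2 ;;
        *)    echo "ok: modules signed with $hash"; return 0 ;;
    esac
}

# Demo over the constructed samples.
for sample in "$SAMPLE_OLD_DEFAULT" "$SAMPLE_NEW_DEFAULT" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$sample" | audit_module_sig || true
done
```

For a real system, feed the function the build's own config file, for example the .config in the kernel build directory.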