path: root/src/interface/linux/linux_umalloc.c
author: Michael Brown, 2026-01-14 16:51:07 +0100
committer: Michael Brown, 2026-01-14 17:10:29 +0100
commit: 46510f36ab721b501b2bc8fc3f1409d2dc091561 (patch)
tree: b363a6448d5addc73f72cb26d256262c7755e8ae /src/interface/linux/linux_umalloc.c
parent: [build] Mark known reviewed files as permitted for UEFI Secure Boot
[build] Mark MD4 and MD5 as forbidden for UEFI Secure Boot

A past security review identified MD4 and MD5 support as features that ought to be disabled by default. (There is zero impact on UEFI Secure Boot itself from having these algorithms enabled: this was just a side comment in the review.)

As noted in the resulting commit 7f2006a ("[crypto] Disable MD5 as an OID-identifiable algorithm by default"), the actual MD5 code will almost certainly still be present in the binary due to its implicit use by various features. Disabling MD5 support via config/crypto.h simply removes the OID-identified algorithm, which prevents it from being used as an explicitly identified algorithm (e.g. in an X.509 certificate digest).

Match the intent of this review comment by marking the OID-identified algorithms for MD4 and MD5 as forbidden for UEFI Secure Boot.

Extend this to also disable the "md4sum" command and the use of the md5WithRSAEncryption OID-identified algorithm. (The "md5sum" command is left enabled for historical reasons, and we have no definition for md4WithRSAEncryption anyway.)

Signed-off-by: Michael Brown <mcb30@ipxe.org>

Diffstat (limited to 'src/interface/linux/linux_umalloc.c')
0 files changed, 0 insertions, 0 deletions