[coreboot] It appears the build process still uses unverified http wget sources
Nico Huber
nico.h at gmx.de
Mon Nov 14 00:26:26 CET 2016
On 14.11.2016 00:06, Taiidan at gmx.com wrote:
> Shouldn't we be using sha256 or sha512? I am not a crypto expert but
> AFIAK couldn't sha1 collisions could be easily generated with the type
> of resources available to someone who would want to attack coreboot?
AFAIK, there is no known attack on SHA-1 yet that could break security
in this scenario (the attacker wouldn't only have to find any collision
but a collision for a given hash which takes a power of 2 in time).
Anyway, there is a patch on review, that makes use of SHA-384 and should
make the checksum generation trustworthy:
https://review.coreboot.org/#/c/15170/
>
>
> On 11/06/2016 07:15 PM, Iru Cai wrote:
>> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
>> cloned from the git repository via HTTPS or SSH, so I think we don't need
>> to worry.
Alas, the current checksum is only verified for already downloaded
files.
Nico
More information about the coreboot
mailing list