[coreboot] It appears the build process still uses unverified http wget sources

Nico Huber nico.h at gmx.de
Mon Nov 14 00:26:26 CET 2016

On 14.11.2016 00:06, Taiidan at gmx.com wrote:
> Shouldn't we be using sha256 or sha512? I am not a crypto expert but
> AFIAK couldn't sha1 collisions could be easily generated with the type
> of resources available to someone who would want to attack coreboot?

AFAIK, there is no known attack on SHA-1 yet that could break security
in this scenario (the attacker wouldn't only have to find any collision
but a collision for a given hash which takes a power of 2 in time).

Anyway, there is a patch on review, that makes use of SHA-384 and should
make the checksum generation trustworthy:

> On 11/06/2016 07:15 PM, Iru Cai wrote:
>> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
>> cloned from the git repository via HTTPS or SSH, so I think we don't need
>> to worry.

Alas, the current checksum is only verified for already downloaded


More information about the coreboot mailing list