This series can also be retrieved from:

    git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git mldsa-v3

This series adds support for verifying ML-DSA signatures to lib/crypto/.
Patch 1 is the ML-DSA implementation itself.  See that for full details.
Patch 2 adds the KUnit test suite.

The initial use case for this will be kernel module signature
verification.  For more details, see David Howells' patchset
https://lore.kernel.org/linux-crypto/20251120104439.2620205-1-dhowells@redhat.com/

Changed in v3:
- Moved SHAKE128 block buffer off the stack
- Reworked use_hint() again, simplifying it further
- Added unit test for use_hint()
- Moved some of the reduction logic into invntt_and_mul_2_32() and
  simplified it slightly
- Updated Zq_mult() to not rely on signed integer overflow having
  defined behavior, though this is unnecessary in the kernel
- Formatted the documented return values into a list
- Other minor tweaks

Changed in v2:
- Reworked the KUnit test suite
- Improved commit messages and comments
- Added missing MODULE_DESCRIPTION() and MODULE_LICENSE()
- Made the return values of mldsa_verify() differentiate between an
  input being malformed and the "real" signature check failing
- Refactored w1 encoding into a helper function
- Used kfree() instead of kfree_sensitive()
- Avoided unusal C syntax by accessing the hint vector via 'u8 *'
- Reworked use_hint() to be better optimized and documented

Eric Biggers (2):
  lib/crypto: Add ML-DSA verification support
  lib/crypto: tests: Add KUnit tests for ML-DSA verification

 include/crypto/mldsa.h            |   60 +
 lib/crypto/Kconfig                |    7 +
 lib/crypto/Makefile               |    5 +
 lib/crypto/mldsa.c                |  652 ++++++++++
 lib/crypto/tests/Kconfig          |    9 +
 lib/crypto/tests/Makefile         |    1 +
 lib/crypto/tests/mldsa-testvecs.h | 1887 +++++++++++++++++++++++++++++
 lib/crypto/tests/mldsa_kunit.c    |  437 +++++++
 8 files changed, 3058 insertions(+)
 create mode 100644 include/crypto/mldsa.h
 create mode 100644 lib/crypto/mldsa.c
 create mode 100644 lib/crypto/tests/mldsa-testvecs.h
 create mode 100644 lib/crypto/tests/mldsa_kunit.c


base-commit: 3f9f0252130e7dd60d41be0802bf58f6471c691d
-- 
2.52.0

On 2025-12-03 08:28, Eric Biggers wrote:
> This series can also be retrieved from:
> 
>     git fetch
> https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
> mldsa-v3
> 
> This series adds support for verifying ML-DSA signatures to 
> lib/crypto/.
> Patch 1 is the ML-DSA implementation itself.  See that for full 
> details.
> Patch 2 adds the KUnit test suite.
> 
> The initial use case for this will be kernel module signature
> verification.  For more details, see David Howells' patchset
> https://lore.kernel.org/linux-crypto/20251120104439.2620205-1-dhowells@redhat.com/
> 
> Changed in v3:
> - Moved SHAKE128 block buffer off the stack
> - Reworked use_hint() again, simplifying it further
> - Added unit test for use_hint()
> - Moved some of the reduction logic into invntt_and_mul_2_32() and
>   simplified it slightly
> - Updated Zq_mult() to not rely on signed integer overflow having
>   defined behavior, though this is unnecessary in the kernel
> - Formatted the documented return values into a list
> - Other minor tweaks
> 
> Changed in v2:
> - Reworked the KUnit test suite
> - Improved commit messages and comments
> - Added missing MODULE_DESCRIPTION() and MODULE_LICENSE()
> - Made the return values of mldsa_verify() differentiate between an
>   input being malformed and the "real" signature check failing
> - Refactored w1 encoding into a helper function
> - Used kfree() instead of kfree_sensitive()
> - Avoided unusal C syntax by accessing the hint vector via 'u8 *'
> - Reworked use_hint() to be better optimized and documented
> 
> Eric Biggers (2):
>   lib/crypto: Add ML-DSA verification support
>   lib/crypto: tests: Add KUnit tests for ML-DSA verification
> 
>  include/crypto/mldsa.h            |   60 +
>  lib/crypto/Kconfig                |    7 +
>  lib/crypto/Makefile               |    5 +
>  lib/crypto/mldsa.c                |  652 ++++++++++
>  lib/crypto/tests/Kconfig          |    9 +
>  lib/crypto/tests/Makefile         |    1 +
>  lib/crypto/tests/mldsa-testvecs.h | 1887 +++++++++++++++++++++++++++++
>  lib/crypto/tests/mldsa_kunit.c    |  437 +++++++
>  8 files changed, 3058 insertions(+)
>  create mode 100644 include/crypto/mldsa.h
>  create mode 100644 lib/crypto/mldsa.c
>  create mode 100644 lib/crypto/tests/mldsa-testvecs.h
>  create mode 100644 lib/crypto/tests/mldsa_kunit.c
> 
> 
> base-commit: 3f9f0252130e7dd60d41be0802bf58f6471c691d

Hi Eric, I pulled your branch but it does not build (on s390):

[root@b83lp71 ebiggers-linux]# make
   CALL    scripts/checksyscalls.sh
   MODPOST Module.symvers
ERROR: modpost: module mldsa_kunit uses symbol mldsa_use_hint from 
namespace EXPORTED_FOR_KUNIT_TESTING, but does not import it.
make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
make[1]: *** [/ext/ebiggers-linux/Makefile:1963: modpost] Error 2
make: *** [Makefile:248: __sub-make] Error 2
[root@b83lp71 ebiggers-linux]#

any ideas?

Harald Freudenberger

Harald Freudenberger <freude@linux.ibm.com> wrote:

> ERROR: modpost: module mldsa_kunit uses symbol mldsa_use_hint from namespace
> EXPORTED_FOR_KUNIT_TESTING, but does not import it.

Change EXPORT_SYMBOL_FOR_KUNIT() in patch 1 to EXPORT_SYMBOL_GPL().

David

Give or take fixing the symbol export build failure:

Reviewed-by: David Howells <dhowells@redhat.com>
Tested-by: David Howells <dhowells@redhat.com>