From nobody Sun Feb  8 05:07:49 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5431C466B6E
	for <linux-kernel@vger.kernel.org>; Tue, 20 Jan 2026 14:52:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1768920732; cv=none;
 b=CnZ+Tn0HBiAoc6m3pEyy2cMl8DIZUDp+6x53bLmVBNSVpKK3f3K5a4N3GaBjmIrAyEXxXii7wNOXZsIAM+EHe/iO8xZtMKL/08XkB3uWZ8zBnT0UXKx+x9fLidCwIEmrIJ55YLzQg/l9e3NVn0LhnCD81VfYWG3LmX7HHtkvg/Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1768920732; c=relaxed/simple;
	bh=Q+uHu4u/Mbi+H9rK60Sh6pfaEXhFj8X2WigDcbk50uM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=eI980+WQU6YlRsCxhVujo4MhXRfov2lKkd6shSC+JxLn6feSr2qI4cN9r8gW29k3ULDp1MBjndWGhr6uAp4iLjZrQ1iPrtDyF2TfflRnJY55kXQFvZ16L0/vSmXyCCZR9J7fE8NJ3F7RxDAnHfmnejdzqjAZbLySByEqWRKZ2X4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=BwLdBl16; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="BwLdBl16"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1768920729;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=5ONdEFTmuicRpc0uh8shFoPeyhLNYTCObn7PLvjP6bE=;
	b=BwLdBl16cpFAhpt0xmf+DX5mzL7uOdybzS3cz85BG2OyGXvikbNhq0+l+nHxIxCVDReMTy
	lgQ5r/NV6CXHQ7x55yWwA0ZvEKRmB1FdRLu7o1H8JSIqhT9iUTAIDjk54JXN3xs/0z6auN
	Tw7HQANeKyGc+ybxWgwdPId4/DJbI+g=
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-346-bnZRZQjPMv-mUWpXnO0GdQ-1; Tue,
 20 Jan 2026 09:52:04 -0500
X-MC-Unique: bnZRZQjPMv-mUWpXnO0GdQ-1
X-Mimecast-MFC-AGG-ID: bnZRZQjPMv-mUWpXnO0GdQ_1768920720
Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 88E5C19560B7;
	Tue, 20 Jan 2026 14:52:00 +0000 (UTC)
Received: from warthog.procyon.org.uk.com (unknown [10.42.28.2])
	by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id BFEE818001D5;
	Tue, 20 Jan 2026 14:51:56 +0000 (UTC)
From: David Howells <dhowells@redhat.com>
To: Lukas Wunner <lukas@wunner.de>,
	Ignat Korchagin <ignat@cloudflare.com>
Cc: David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Eric Biggers <ebiggers@kernel.org>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Petr Pavlu <petr.pavlu@suse.com>,
	Daniel Gomez <da.gomez@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Stephan Mueller <smueller@chronox.de>,
	linux-crypto@vger.kernel.org,
	keyrings@vger.kernel.org,
	linux-modules@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v13 09/12] modsign: Enable RSASSA-PSS module signing
Date: Tue, 20 Jan 2026 14:50:55 +0000
Message-ID: <20260120145103.1176337-10-dhowells@redhat.com>
In-Reply-To: <20260120145103.1176337-1-dhowells@redhat.com>
References: <20260120145103.1176337-1-dhowells@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111
Content-Type: text/plain; charset="utf-8"

Add support for RSASSA-PSS signatures (RFC8017) for use with module signing
and other public key cryptography done by the kernel.

Note that only signature verification is supported by the kernel.

Note further that this alters some of the same code as the MLDSA support,
so that needs to be applied first to avoid conflicts.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ignat Korchagin <ignat@cloudflare.com>
cc: Lukas Wunner <lukas@wunner.de>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
---
 Documentation/admin-guide/module-signing.rst |  5 ++-
 certs/Kconfig                                |  6 +++
 certs/Makefile                               |  1 +
 scripts/sign-file.c                          | 39 +++++++++++++++++++-
 4 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/a=
dmin-guide/module-signing.rst
index 7f2f127dc76f..aa24715cd2d8 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -32,8 +32,9 @@ type.  The built-in facility currently only supports the =
RSA, NIST P-384 ECDSA
 and NIST FIPS-204 ML-DSA public key signing standards (though it is plugga=
ble
 and permits others to be used).  For RSA and ECDSA, the possible hash
 algorithms that can be used are SHA-2 and SHA-3 of sizes 256, 384, and 512=
 (the
-algorithm is selected by data in the signature); ML-DSA does its own hashi=
ng,
-but is allowed to be used with a SHA512 hash for signed attributes.
+algorithm is selected by data in the signature); RSASSA-PSS is allowed to =
use
+SHA512 only; ML-DSA does its own hashing, but is allowed to be used with a
+SHA512 hash for signed attributes.
=20
=20
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
diff --git a/certs/Kconfig b/certs/Kconfig
index 67a5786423b5..524d1747c541 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -27,6 +27,12 @@ config MODULE_SIG_KEY_TYPE_RSA
 	help
 	 Use an RSA key for module signing.
=20
+config MODULE_SIG_KEY_TYPE_RSASSA_PSS
+	bool "RSASSA-PSS"
+	select CRYPTO_RSA
+	help
+	 Use an RSASSA-PSS key for module signing.
+
 config MODULE_SIG_KEY_TYPE_ECDSA
 	bool "ECDSA"
 	select CRYPTO_ECDSA
diff --git a/certs/Makefile b/certs/Makefile
index 3ee1960f9f4a..3b5a3a303f4c 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -42,6 +42,7 @@ targets +=3D x509_certificate_list
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem)
=20
+keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_RSASSA_PSS) :=3D -newkey rsassa-pss
 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) :=3D -newkey ec -pkeyopt ec_pa=
ramgen_curve:secp384r1
 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_MLDSA_44) :=3D -newkey ml-dsa-44
 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_MLDSA_65) :=3D -newkey ml-dsa-65
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 547b97097230..800e2e2e36c3 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -233,6 +233,7 @@ int main(int argc, char **argv)
 	EVP_PKEY *private_key;
 #ifndef USE_PKCS7
 	CMS_ContentInfo *cms =3D NULL;
+	CMS_SignerInfo *signer;
 	unsigned int use_keyid =3D 0;
 #else
 	PKCS7 *pkcs7 =3D NULL;
@@ -338,12 +339,46 @@ int main(int argc, char **argv)
=20
 		flags |=3D use_signed_attrs;
=20
+		if (EVP_PKEY_is_a(private_key, "RSASSA-PSS")) {
+			EVP_PKEY_CTX *pkctx;
+			char mdname[1024] =3D {};
+
+			pkctx =3D EVP_PKEY_CTX_new(private_key, NULL);
+
+			ERR(!EVP_PKEY_sign_init(pkctx), "EVP_PKEY_sign_init");
+			ERR(!EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING),
+			    "EVP_PKEY_CTX_set_rsa_padding");
+			ERR(!EVP_PKEY_CTX_set_rsa_mgf1_md_name(pkctx, hash_algo, NULL),
+			    "EVP_PKEY_CTX_set_rsa_mgf1_md_name");
+
+			ERR(!EVP_PKEY_CTX_get_rsa_mgf1_md_name(pkctx, mdname, sizeof(mdname)),
+			    "EVP_PKEY_CTX_get_rsa_mgf1_md_name");
+			printf("RSASSA-PSS %s\n", mdname);
+			flags |=3D CMS_KEY_PARAM;
+		}
+
 		/* Load the signature message from the digest buffer. */
 		cms =3D CMS_sign(NULL, NULL, NULL, NULL, flags);
 		ERR(!cms, "CMS_sign");
=20
-		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags),
-		    "CMS_add1_signer");
+		signer =3D CMS_add1_signer(cms, x509, private_key, digest_algo, flags);
+		ERR(!signer, "CMS_add1_signer");
+
+		if (EVP_PKEY_is_a(private_key, "RSASSA-PSS")) {
+			EVP_PKEY_CTX *pkctx;
+			char mdname[1024] =3D {};
+
+			pkctx =3D CMS_SignerInfo_get0_pkey_ctx(signer);
+			ERR(!EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING),
+			    "EVP_PKEY_CTX_set_rsa_padding");
+			ERR(!EVP_PKEY_CTX_set_rsa_mgf1_md_name(pkctx, hash_algo, NULL),
+			    "EVP_PKEY_CTX_set_rsa_mgf1_md_name");
+
+			ERR(!EVP_PKEY_CTX_get_rsa_mgf1_md_name(pkctx, mdname, sizeof(mdname)),
+			    "EVP_PKEY_CTX_get_rsa_mgf1_md_name");
+			printf("RSASSA-PSS %s\n", mdname);
+		}
+
 		ERR(CMS_final(cms, bm, NULL, flags) !=3D 1,
 		    "CMS_final");