From nobody Sun Feb 8 03:58:14 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C338D46AEE6 for ; Tue, 20 Jan 2026 14:52:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768920740; cv=none; b=gcW0iTwonR+PlZKmilGoyUv7zUBFfnpStokuy64i6pKhubNHDTfrj49AeRQSDKK+l6oTzuT3TUexWQ2ylRD5kb98uSyW946eR6faJ6OcbjIxYprlF63WaMdPGrBO64yjTsb69lY+wkykIArs96ixXRQV68vdTK4kIiBGLfv2OPc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768920740; c=relaxed/simple; bh=h7knfspR3Ir1UVvoWpg+bi9rqNy2bB9eq2BYBUvGfGs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KsCV/pJtMCqKYs6k+A+GTF4KdG9BWN1hvUnVqcUCTQRsDXrJ1+ap4Wn+Nnoh67gSBEhfquqQoMfhwqVjVZh+v0A9VLcYB5XnvAezrZMPNbAubB659gehW8R/kJaWUGBY9jTVjnOtiZIitfVwEImRab0Fdn2Iygkc1lf1weH6Y3o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=eFvYQqVg; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="eFvYQqVg" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1768920738; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9qZO8xa9s9Et02ra1tPoQRn1/avY/YJzUAJ+C3oYdYM=; b=eFvYQqVgfk0DAPWjXjxXUp+1sZcXHUrpmwAZ2QLNHMMtMMCniFEWYwL6AdBCO7r3C3qXFt ib9uqGEXufPzDaixDbMerZEQ3neAgvHpoGeS5QOKV6cY0J+KQxZk2Sbi1or8E1nYyHiSJS N+3NYQDEJPnZFjiXPc+i4qmvDUgyago= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-281-bCDKbSl1PfC7z-icvcOssA-1; Tue, 20 Jan 2026 09:52:14 -0500 X-MC-Unique: bCDKbSl1PfC7z-icvcOssA-1 X-Mimecast-MFC-AGG-ID: bCDKbSl1PfC7z-icvcOssA_1768920732 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 89ACE1956058; Tue, 20 Jan 2026 14:52:12 +0000 (UTC) Received: from warthog.procyon.org.uk.com (unknown [10.42.28.2]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 46F5219560AB; Tue, 20 Jan 2026 14:52:07 +0000 (UTC) From: David Howells To: Lukas Wunner , Ignat Korchagin Cc: David Howells , Jarkko Sakkinen , Herbert Xu , Eric Biggers , Luis Chamberlain , Petr Pavlu , Daniel Gomez , Sami Tolvanen , "Jason A . Donenfeld" , Ard Biesheuvel , Stephan Mueller , linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v13 11/12] x509, pkcs7: Limit crypto combinations that may be used for module signing Date: Tue, 20 Jan 2026 14:50:57 +0000 Message-ID: <20260120145103.1176337-12-dhowells@redhat.com> In-Reply-To: <20260120145103.1176337-1-dhowells@redhat.com> References: <20260120145103.1176337-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" Limit the set of crypto combinations that may be used for module signing as no indication of hash algorithm used for signing is added to the hash of the data, so in theory a data blob hashed with a different algorithm can be substituted provided it has the same hash output. This also rejects the use of less secure algorithms. Signed-off-by: David Howells cc: Lukas Wunner cc: Ignat Korchagin cc: Stephan Mueller cc: Eric Biggers cc: Herbert Xu cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org --- crypto/asymmetric_keys/public_key.c | 55 +++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/p= ublic_key.c index 13a5616becaa..90b98e1a952d 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -24,6 +24,52 @@ MODULE_DESCRIPTION("In-software asymmetric public-key su= btype"); MODULE_AUTHOR("Red Hat, Inc."); MODULE_LICENSE("GPL"); =20 +struct public_key_restriction { + const char *pkey_algo; /* Signing algorithm (e.g. "rsa") */ + const char *pkey_enc; /* Signature encoding (e.g. "pkcs1") */ + const char *hash_algo; /* Content hash algorithm (e.g. "sha256") */ +}; + +static const struct public_key_restriction public_key_restrictions[] =3D { + /* algo encoding hash */ + { "rsa", "pkcs1", "sha256" }, + { "rsa", "pkcs1", "sha384" }, + { "rsa", "pkcs1", "sha512" }, + { "rsa", "emsa-pss", "sha512" }, + { "ecdsa", "x962", "sha256" }, + { "ecdsa", "x962", "sha384" }, + { "ecdsa", "x962", "sha512" }, + { "ecrdsa", "raw", "sha256" }, + { "ecrdsa", "raw", "sha384" }, + { "ecrdsa", "raw", "sha512" }, + { "mldsa44", "raw", "sha512" }, + { "mldsa65", "raw", "sha512" }, + { "mldsa87", "raw", "sha512" }, + /* ML-DSA may also do its own hashing over the entire message. */ + { "mldsa44", "raw", "-" }, + { "mldsa65", "raw", "-" }, + { "mldsa87", "raw", "-" }, +}; + +/* + * Determine if a particular key/hash combination is allowed. + */ +static int is_public_key_sig_allowed(const struct public_key_signature *si= g) +{ + for (int i =3D 0; i < ARRAY_SIZE(public_key_restrictions); i++) { + if (strcmp(public_key_restrictions[i].pkey_algo, sig->pkey_algo) !=3D 0) + continue; + if (strcmp(public_key_restrictions[i].pkey_enc, sig->encoding) !=3D 0) + continue; + if (strcmp(public_key_restrictions[i].hash_algo, sig->hash_algo) !=3D 0) + continue; + return 0; + } + pr_warn_once("Public key signature combo (%s,%s,%s) rejected\n", + sig->pkey_algo, sig->encoding, sig->hash_algo); + return -EKEYREJECTED; +} + /* * Provide a part of a description of the key for /proc/keys. */ @@ -391,12 +437,17 @@ int public_key_verify_signature(const struct public_k= ey *pkey, bool issig; int ret; =20 - pr_devel("=3D=3D>%s()\n", __func__); - BUG_ON(!pkey); BUG_ON(!sig); BUG_ON(!sig->s); =20 + ret =3D is_public_key_sig_allowed(sig); + if (ret < 0) + return ret; + + pr_devel("=3D=3D>%s(%s,%s,%s)\n", + __func__, sig->pkey_algo, sig->encoding, sig->hash_algo); + /* * If the signature specifies a public key algorithm, it *must* match * the key's actual public key algorithm.