From nobody Sat Feb 7 05:57:36 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E8E5381701 for ; Mon, 2 Feb 2026 17:03:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770051796; cv=none; b=eKQtFTGTY17Q3uzWr36y2SJ92g2Uul5Zv1iBd538gSLaL18fkUAB9IW4b/JWHdZ1ydBu4OZK45bzlJPOiEjiHkGboeBOMLv/xsTgqMKujYpXcpfS6RCi4vcTJKjVP0Q1Nhi9oau3cOS6MndRloS/YMBsj4sx8USnmyTBtk2Q0LA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770051796; c=relaxed/simple; bh=JmunaIEXbs043+9JwUHkHh9V0qrC8mzyWXJeVG0xWxc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=W8ZCSdBne5928FPOgi+N4MkFP2lJlsNbPUr3PpZX1ucUh9XMxkkOBWIAtWWzyOo9zgAUslJfGmFXCLVfaKUbfUM0k/6oDtAnt1i11FtV5C2qjPliQfNeBq/Z4b7tcTjB1KqB9ucHZoyAsdXmSJArEacJCjPGHFzeaPy/xHJPMWg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=LOB7AVHF; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="LOB7AVHF" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1770051793; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=emuGvmU5etXPaCSiADv9jKZu+V3rt6HGV4Z241E26m0=; b=LOB7AVHFfy6SK30kzrkgY2nZ0zzIPzrmJ6aVElJXRPAbIh++qxIOpn5wAN3/iZJoQ8y8eK l2TqM1IF+BNWqTTF3R07BWCGjPXNNGmwvdQYKjVZ/Co+jcdMK3m3MoK3p0vJUvlGiOcI/b WFEbWOyCARopWhqQl5+WJxNnUfVyplg= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-444-SNNccy23OR23ITF7gcOfDQ-1; Mon, 02 Feb 2026 12:03:08 -0500 X-MC-Unique: SNNccy23OR23ITF7gcOfDQ-1 X-Mimecast-MFC-AGG-ID: SNNccy23OR23ITF7gcOfDQ_1770051786 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 10AF71956089; Mon, 2 Feb 2026 17:03:06 +0000 (UTC) Received: from warthog.procyon.org.uk.com (unknown [10.44.33.164]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 3AC001800109; Mon, 2 Feb 2026 17:03:00 +0000 (UTC) From: David Howells To: Lukas Wunner , Ignat Korchagin Cc: David Howells , Jarkko Sakkinen , Herbert Xu , Eric Biggers , Luis Chamberlain , Petr Pavlu , Daniel Gomez , Sami Tolvanen , "Jason A . Donenfeld" , Ard Biesheuvel , Stephan Mueller , linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v16 6/7] modsign: Enable ML-DSA module signing Date: Mon, 2 Feb 2026 17:02:11 +0000 Message-ID: <20260202170216.2467036-7-dhowells@redhat.com> In-Reply-To: <20260202170216.2467036-1-dhowells@redhat.com> References: <20260202170216.2467036-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" Allow ML-DSA module signing to be enabled. Note that OpenSSL's CMS_*() function suite does not, as of OpenSSL-3.6, support the use of CMS_NOATTR with ML-DSA, so the prohibition against using signedAttrs with module signing has to be removed. The selected digest then applies only to the algorithm used to calculate the digest stored in the messageDigest attribute. The OpenSSL development branch has patches applied that fix this[1], but it appears that that will only be available in OpenSSL-4. [1] https://github.com/openssl/openssl/pull/28923 sign-file won't set CMS_NOATTR if openssl is earlier than v4, resulting in the use of signed attributes. The ML-DSA algorithm takes the raw data to be signed without regard to what digest algorithm is specified in the CMS message. The CMS specified digest algorithm is ignored unless signedAttrs are used; in such a case, only SHA512 is permitted. Signed-off-by: David Howells cc: Jarkko Sakkinen cc: Eric Biggers cc: Lukas Wunner cc: Ignat Korchagin cc: Stephan Mueller cc: Herbert Xu cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org --- Documentation/admin-guide/module-signing.rst | 16 ++++---- certs/Kconfig | 40 ++++++++++++++++++++ certs/Makefile | 3 ++ scripts/sign-file.c | 39 ++++++++++++++----- 4 files changed, 82 insertions(+), 16 deletions(-) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/a= dmin-guide/module-signing.rst index a8667a777490..7f2f127dc76f 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -28,10 +28,12 @@ trusted userspace bits. =20 This facility uses X.509 ITU-T standard certificates to encode the public = keys involved. The signatures are not themselves encoded in any industrial sta= ndard -type. The built-in facility currently only supports the RSA & NIST P-384 = ECDSA -public key signing standard (though it is pluggable and permits others to = be -used). The possible hash algorithms that can be used are SHA-2 and SHA-3 = of -sizes 256, 384, and 512 (the algorithm is selected by data in the signatur= e). +type. The built-in facility currently only supports the RSA, NIST P-384 E= CDSA +and NIST FIPS-204 ML-DSA public key signing standards (though it is plugga= ble +and permits others to be used). For RSA and ECDSA, the possible hash +algorithms that can be used are SHA-2 and SHA-3 of sizes 256, 384, and 512= (the +algorithm is selected by data in the signature); ML-DSA does its own hashi= ng, +but is allowed to be used with a SHA512 hash for signed attributes. =20 =20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D @@ -146,9 +148,9 @@ into vmlinux) using parameters in the:: =20 file (which is also generated if it does not already exist). =20 -One can select between RSA (``MODULE_SIG_KEY_TYPE_RSA``) and ECDSA -(``MODULE_SIG_KEY_TYPE_ECDSA``) to generate either RSA 4k or NIST -P-384 keypair. +One can select between RSA (``MODULE_SIG_KEY_TYPE_RSA``), ECDSA +(``MODULE_SIG_KEY_TYPE_ECDSA``) and ML-DSA (``MODULE_SIG_KEY_TYPE_MLDSA_*`= `) to +generate an RSA 4k, a NIST P-384 keypair or an ML-DSA 44, 65 or 87 keypair. =20 It is strongly recommended that you provide your own x509.genkey file. =20 diff --git a/certs/Kconfig b/certs/Kconfig index 78307dc25559..8e39a80c7abe 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -39,6 +39,39 @@ config MODULE_SIG_KEY_TYPE_ECDSA Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, when falling back to building Linux 5.14 and older kernels. =20 +config MODULE_SIG_KEY_TYPE_MLDSA_44 + bool "ML-DSA-44" + select CRYPTO_MLDSA + depends on OPENSSL_SUPPORTS_ML_DSA + help + Use an ML-DSA-44 key (NIST FIPS 204) for module signing. ML-DSA + support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With + the latter, the entire module body will be signed; with the former, + signedAttrs will be used as it lacks support for CMS_NOATTR with + ML-DSA. + +config MODULE_SIG_KEY_TYPE_MLDSA_65 + bool "ML-DSA-65" + select CRYPTO_MLDSA + depends on OPENSSL_SUPPORTS_ML_DSA + help + Use an ML-DSA-65 key (NIST FIPS 204) for module signing. ML-DSA + support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With + the latter, the entire module body will be signed; with the former, + signedAttrs will be used as it lacks support for CMS_NOATTR with + ML-DSA. + +config MODULE_SIG_KEY_TYPE_MLDSA_87 + bool "ML-DSA-87" + select CRYPTO_MLDSA + depends on OPENSSL_SUPPORTS_ML_DSA + help + Use an ML-DSA-87 key (NIST FIPS 204) for module signing. ML-DSA + support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With + the latter, the entire module body will be signed; with the former, + signedAttrs will be used as it lacks support for CMS_NOATTR with + ML-DSA. + endchoice =20 config SYSTEM_TRUSTED_KEYRING @@ -154,4 +187,11 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE keyring. The PKCS#7 signature of the description is set in the key payload. Blacklist keys cannot be removed. =20 +config OPENSSL_SUPPORTS_ML_DSA + def_bool $(success, openssl list -key-managers | grep -q ML-DSA-87) + help + Support for ML-DSA-44/65/87 was added in openssl-3.5, so as long + as older versions are supported, the key types may only be + set after testing the installed binary for support. + endmenu diff --git a/certs/Makefile b/certs/Makefile index f6fa4d8d75e0..3ee1960f9f4a 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -43,6 +43,9 @@ targets +=3D x509_certificate_list ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem) =20 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) :=3D -newkey ec -pkeyopt ec_pa= ramgen_curve:secp384r1 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_MLDSA_44) :=3D -newkey ml-dsa-44 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_MLDSA_65) :=3D -newkey ml-dsa-65 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_MLDSA_87) :=3D -newkey ml-dsa-87 =20 quiet_cmd_gen_key =3D GENKEY $@ cmd_gen_key =3D openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_H= ASH) -days 36500 \ diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 7070245edfc1..78276b15ab23 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -27,7 +27,7 @@ #include #include #include -#if OPENSSL_VERSION_MAJOR >=3D 3 +#if OPENSSL_VERSION_NUMBER >=3D 0x30000000L # define USE_PKCS11_PROVIDER # include # include @@ -315,18 +315,39 @@ int main(int argc, char **argv) ERR(!digest_algo, "EVP_get_digestbyname"); =20 #ifndef USE_PKCS7 + + unsigned int flags =3D + CMS_NOCERTS | + CMS_PARTIAL | + CMS_BINARY | + CMS_DETACHED | + CMS_STREAM | + CMS_NOSMIMECAP | +#ifdef CMS_NO_SIGNING_TIME + CMS_NO_SIGNING_TIME | +#endif + use_keyid; + +#if OPENSSL_VERSION_NUMBER >=3D 0x30000000L && OPENSSL_VERSION_NUMBER < 0x= 40000000L + if (EVP_PKEY_is_a(private_key, "ML-DSA-44") || + EVP_PKEY_is_a(private_key, "ML-DSA-65") || + EVP_PKEY_is_a(private_key, "ML-DSA-87")) { + /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5 + * and before. + */ + use_signed_attrs =3D 0; + } +#endif + + flags |=3D use_signed_attrs; + /* Load the signature message from the digest buffer. */ - cms =3D CMS_sign(NULL, NULL, NULL, NULL, - CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | - CMS_DETACHED | CMS_STREAM); + cms =3D CMS_sign(NULL, NULL, NULL, NULL, flags); ERR(!cms, "CMS_sign"); =20 - ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, - CMS_NOCERTS | CMS_BINARY | - CMS_NOSMIMECAP | use_keyid | - use_signed_attrs), + ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags), "CMS_add1_signer"); - ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) !=3D 1, + ERR(CMS_final(cms, bm, NULL, flags) !=3D 1, "CMS_final"); =20 #else