From nobody Fri Dec 19 19:01:36 2025 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77DD925CC74 for ; Fri, 7 Nov 2025 10:05:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762509954; cv=none; b=Mbd/OiqQh4VXhQuUBDX/GfyXKw7XHEhSw7Ughhw7bU8aCvTU2WQVt5XnRcqTaVeFaUSDBwOCuVSTrD6tMS3s+Biy048jzBt03BOkMHBFIXB/ecFUejD7I/3AvtNAiY71c0YOOb2aEbMjH+09fGi6IcP5dn9fC10fk8mbxClpQdo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762509954; c=relaxed/simple; bh=h9z28y0YXaSoCRfDL4rjhIPmp6uSb1t7HivBNV4Rchg=; h=From:In-Reply-To:References:Cc:Subject:MIME-Version:Content-Type: Date:Message-ID; b=WgFisSo1cbHLva3vcCq/+a7tNx8wZpONDnOeTQqJGr5T+fk8tzADRUWUVIAeevR/tO/LDAxp4YxNpdakjQZ6n+Tn8n28Hdp9taufmnxmimiMwmAPQCQneEpN9Jf8Bzo1BXg8DPRsAj9euisUiq0U6rDvDnEMRSauYMC+zdi/ayg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=ZNCxecBp; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="ZNCxecBp" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1762509951; h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to: cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=d2iFp6mDvWDTtLkd9rZC+JAkBE2LytPdd3avlx4HUqs=; b=ZNCxecBpRIODptnFkO4iDkTTOckNYW4sdJ4iow+dWnvyPJHMR+0I78ZmhvSGgzmsZPNYwo DAOeUEALJRjerl77g0VasGdHBRASFXuiaWlDRyRgpkM5yUuvVZq+FrkebDQ0tTpeSb5/9F DtG8MQRrwXYSBzH+asL/dYEcwZXc/Sg= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-153-oQPbeBJIMvKWtug6NngSPQ-1; Fri, 07 Nov 2025 05:05:48 -0500 X-MC-Unique: oQPbeBJIMvKWtug6NngSPQ-1 X-Mimecast-MFC-AGG-ID: oQPbeBJIMvKWtug6NngSPQ_1762509946 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 821D01956094; Fri, 7 Nov 2025 10:05:45 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.42.28.6]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 4E7A11945110; Fri, 7 Nov 2025 10:05:40 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20251106174456.31818-1-dhowells@redhat.com> References: <20251106174456.31818-1-dhowells@redhat.com> Cc: dhowells@redhat.com, Herbert Xu , Eric Biggers , Luis Chamberlain , Petr Pavlu , Daniel Gomez , Sami Tolvanen , "Jason A . Donenfeld" , Ard Biesheuvel , Stephan Mueller , Lukas Wunner , Ignat Korchagin , linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v7 8/8] modsign: Enable ML-DSA module signing Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-ID: <61636.1762509938.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Fri, 07 Nov 2025 10:05:38 +0000 Message-ID: <61637.1762509938@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" =20 Allow ML-DSA module signing to be enabled. Note that openssl's CMS_*() function suite does not, as of openssl-3.5.1, support the use of CMS_NOATTR with ML-DSA, so the prohibition against using authenticatedAttributes with module signing has to be removed. The selected digest then applies only to the algorithm used to calculate the digest stored in the messageDigest attribute. The ML-DSA algorithm uses its own internal choice of digest (SHAKE256) without regard to what's specified in the CMS message. This is, in theory, configurable, but there's currently no hook in the crypto_sig API to do that, though possibly it could be done by parameterising the name of the algorithm, e.g. ("ml-dsa87(sha512)"). Signed-off-by: David Howells cc: Lukas Wunner cc: Ignat Korchagin cc: Stephan Mueller cc: Eric Biggers cc: Herbert Xu cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org --- Documentation/admin-guide/module-signing.rst | 15 ++++++++------- certs/Kconfig | 24 ++++++++++++++++++++++= ++ certs/Makefile | 3 +++ crypto/asymmetric_keys/pkcs7_verify.c | 4 ---- kernel/module/Kconfig | 5 +++++ scripts/sign-file.c | 26 ++++++++++++++++++----= ---- 6 files changed, 58 insertions(+), 19 deletions(-) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/a= dmin-guide/module-signing.rst index a8667a777490..6daff80c277b 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -28,10 +28,11 @@ trusted userspace bits. =20 This facility uses X.509 ITU-T standard certificates to encode the public = keys involved. The signatures are not themselves encoded in any industrial sta= ndard -type. The built-in facility currently only supports the RSA & NIST P-384 = ECDSA -public key signing standard (though it is pluggable and permits others to = be -used). The possible hash algorithms that can be used are SHA-2 and SHA-3 = of -sizes 256, 384, and 512 (the algorithm is selected by data in the signatur= e). +type. The built-in facility currently only supports the RSA, NIST P-384 E= CDSA +and NIST FIPS-204 ML-DSA (Dilithium) public key signing standards (though = it is +pluggable and permits others to be used). For RSA and ECDSA, the possible= hash +algorithms that can be used are SHA-2 and SHA-3 of sizes 256, 384, and 512= (the +algorithm is selected by data in the signature); ML-DSA uses SHAKE256. =20 =20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D @@ -146,9 +147,9 @@ into vmlinux) using parameters in the:: =20 file (which is also generated if it does not already exist). =20 -One can select between RSA (``MODULE_SIG_KEY_TYPE_RSA``) and ECDSA -(``MODULE_SIG_KEY_TYPE_ECDSA``) to generate either RSA 4k or NIST -P-384 keypair. +One can select between RSA (``MODULE_SIG_KEY_TYPE_RSA``), ECDSA +(``MODULE_SIG_KEY_TYPE_ECDSA``) and ML-DSA (``MODULE_SIG_KEY_TYPE_ML_DSA``= ) to +generate an RSA 4k, a NIST P-384 keypair or an ML-DSA keypair. =20 It is strongly recommended that you provide your own x509.genkey file. =20 diff --git a/certs/Kconfig b/certs/Kconfig index 78307dc25559..f647b944f5da 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -39,6 +39,30 @@ config MODULE_SIG_KEY_TYPE_ECDSA Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, when falling back to building Linux 5.14 and older kernels. =20 +config MODULE_SIG_KEY_TYPE_ML_DSA_44 + bool "ML-DSA (Dilithium) 44" + select CRYPTO_ML_DSA + select LIB_SHA3 + help + Use an ML-DSA (Dilithium) 44 key (NIST FIPS 204) for module signing + with a SHAKE256 'hash' of the message. + +config MODULE_SIG_KEY_TYPE_ML_DSA_65 + bool "ML-DSA (Dilithium) 65" + select CRYPTO_ML_DSA + select LIB_SHA3 + help + Use an ML-DSA (Dilithium) 65 key (NIST FIPS 204) for module signing + with a SHAKE256 'hash' of the message. + +config MODULE_SIG_KEY_TYPE_ML_DSA_87 + bool "ML-DSA (Dilithium) 87" + select CRYPTO_ML_DSA + select LIB_SHA3 + help + Use an ML-DSA (Dilithium) 87 key (NIST FIPS 204) for module signing + with a SHAKE256 'hash' of the message. + endchoice =20 config SYSTEM_TRUSTED_KEYRING diff --git a/certs/Makefile b/certs/Makefile index f6fa4d8d75e0..231379c91b86 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -43,6 +43,9 @@ targets +=3D x509_certificate_list ifeq ($(CONFIG_MODULE_SIG_KEY),certs/signing_key.pem) =20 keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ECDSA) :=3D -newkey ec -pkeyopt ec_pa= ramgen_curve:secp384r1 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ML_DSA_44) :=3D -newkey ml-dsa-44 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ML_DSA_65) :=3D -newkey ml-dsa-65 +keytype-$(CONFIG_MODULE_SIG_KEY_TYPE_ML_DSA_87) :=3D -newkey ml-dsa-87 =20 quiet_cmd_gen_key =3D GENKEY $@ cmd_gen_key =3D openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_H= ASH) -days 36500 \ diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys= /pkcs7_verify.c index 0f9f515b784d..f7ea1d41771d 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -424,10 +424,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, pr_warn("Invalid module sig (not pkcs7-data)\n"); return -EKEYREJECTED; } - if (pkcs7->have_authattrs) { - pr_warn("Invalid module sig (has authattrs)\n"); - return -EKEYREJECTED; - } break; case VERIFYING_FIRMWARE_SIGNATURE: if (pkcs7->data_type !=3D OID_data) { diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 2a1beebf1d37..4b5d1601d537 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -327,6 +327,10 @@ config MODULE_SIG_SHA3_512 bool "SHA3-512" select CRYPTO_SHA3 =20 +config MODULE_SIG_SHAKE256 + bool "SHAKE256" + select CRYPTO_SHA3 + endchoice =20 config MODULE_SIG_HASH @@ -339,6 +343,7 @@ config MODULE_SIG_HASH default "sha3-256" if MODULE_SIG_SHA3_256 default "sha3-384" if MODULE_SIG_SHA3_384 default "sha3-512" if MODULE_SIG_SHA3_512 + default "shake256" if MODULE_SIG_SHAKE256 =20 config MODULE_COMPRESS bool "Module compression" diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 7070245edfc1..b726581075f9 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -315,18 +315,28 @@ int main(int argc, char **argv) ERR(!digest_algo, "EVP_get_digestbyname"); =20 #ifndef USE_PKCS7 + + unsigned int flags =3D + CMS_NOCERTS | + CMS_PARTIAL | + CMS_BINARY | + CMS_DETACHED | + CMS_STREAM | + CMS_NOSMIMECAP | + CMS_NO_SIGNING_TIME | + use_keyid; + if (!EVP_PKEY_is_a(private_key, "ML-DSA-44") && + !EVP_PKEY_is_a(private_key, "ML-DSA-65") && + !EVP_PKEY_is_a(private_key, "ML-DSA-87")) + flags |=3D use_signed_attrs; + /* Load the signature message from the digest buffer. */ - cms =3D CMS_sign(NULL, NULL, NULL, NULL, - CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | - CMS_DETACHED | CMS_STREAM); + cms =3D CMS_sign(NULL, NULL, NULL, NULL, flags); ERR(!cms, "CMS_sign"); =20 - ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, - CMS_NOCERTS | CMS_BINARY | - CMS_NOSMIMECAP | use_keyid | - use_signed_attrs), + ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags), "CMS_add1_signer"); - ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) !=3D 1, + ERR(CMS_final(cms, bm, NULL, flags) !=3D 1, "CMS_final"); =20 #else