From: Tianjia Zhang
To: David Howells, Herbert Xu, "David S. Miller", David Woodhouse, Jonathan Corbet, Masahiro Yamada, Andrew Morton, Nathan Chancellor, Kees Cook, Nick Desaulniers, Valentin Schneider, Nick Terrell, KP Singh, Johannes Weiner, Vlastimil Babka, keyrings@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Jia Zhang
Cc: Tianjia Zhang
Subject: [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm
Date: Wed, 24 Mar 2021 20:15:23 +0800
Message-Id: <20210324121525.16062-1-tianjia.zhang@linux.alibaba.com>
X-Mailer: git-send-email 2.19.1.3.ge56e4f7
X-Mailing-List: linux-crypto@vger.kernel.org

The kernel module signature supports the option to use the SM3 secure
hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs:
the former is used for signing and the latter is used for hash
calculation.

To sign a kernel module, first prepare openssl 3.0.0 alpha6 and a
configuration file openssl.cnf with the following content:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = v3_req

    [ req_distinguished_name ]
    C = CN
    ST = HangZhou
    L = foo
    O = Test
    OU = Test
    CN = Test key
    emailAddress = test@foo.com

    [ v3_req ]
    basicConstraints=critical,CA:FALSE
    keyUsage=digitalSignature
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always

Then we can use the following method to sign the module with the
SM2-with-SM3 algorithm combination:

    # generate CA key and self-signed CA certificate
    openssl ecparam -genkey -name SM2 -text -out ca.key
    openssl req -new -x509 -days 3650 -key ca.key \
        -sm3 -sigopt "distid:1234567812345678" \
        -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \
        -config openssl.cnf -out ca.crt

    # generate SM2 private key and sign request
    openssl ecparam -genkey -name SM2 -text -out private.pem
    openssl req -new -key private.pem -config openssl.cnf \
        -sm3 -sigopt "distid:1234567812345678" \
        -out csr.pem

    # generate SM2-with-SM3 certificate signed by CA
    openssl x509 -req -days 3650 -sm3 -in csr.pem \
        -sigopt "distid:1234567812345678" \
        -vfyopt "distid:1234567812345678" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile openssl.cnf -extensions v3_req \
        -out cert.pem

    # sign module with SM2-with-SM3 algorithm
    sign-file sm3 private.pem cert.pem test.ko test.ko.signed

At this point, we should build the CA certificate into the kernel, and
then we can load the SM2-with-SM3 signed module normally.

---
v2 change:
  - split one patch into two.
  - richer commit log.

Tianjia Zhang (2):
  pkcs7: make parser enable SM2 and SM3 algorithms combination
  init/Kconfig: support sign module with SM2-with-SM3 algorithm

 Documentation/admin-guide/module-signing.rst | 5 +++--
 crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
 init/Kconfig                                 | 5 +++++
 3 files changed, 15 insertions(+), 2 deletions(-)

-- 
2.19.1.3.ge56e4f7
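The cover letter ends with sign-file appending a PKCS#7 signature to test.ko. An operator who wants to confirm which hash and signature algorithms a signed module actually carries (for example, that a module really is SM2-with-SM3 before enabling this combination in the pkcs7 parser) can read that trailer back. The following is an added example, not code from the patch series or from the kernel: it assumes the trailer layout sign-file produces (PKCS#7 DER, then the 12-byte struct module_signature, then the "~Module signature appended~\n" marker), the GM/T OIDs for SM2, SM3 and SM2-with-SM3, and a constructed sample blob that stands in for a real .ko file.

```python
"""Inspect the signature trailer sign-file appends to a kernel module and
report the algorithm OIDs found in the embedded PKCS#7 message.

Added example with constructed sample data; not a real module and not the
kernel's own parser.
"""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then a big-endian u32 sig_len (12 bytes in total).
# With PKCS#7 signatures algo and hash are left 0; the real algorithm
# identifiers live inside the PKCS#7 DER, so we have to look there.
SIG_INFO = struct.Struct(">BBBBB3xI")

KNOWN_OIDS = {
    "1.2.156.10197.1.301": "SM2",
    "1.2.156.10197.1.401": "SM3",
    "1.2.156.10197.1.501": "SM2-with-SM3",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.113549.1.7.2": "PKCS#7 signedData",
}


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40]  # first octet packs the first two arcs
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_oids(data: bytes) -> list:
    """Walk DER TLVs (single-byte tags, definite lengths, as PKCS#7 uses),
    descend into constructed elements and collect every OID in order."""
    oids, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long-form length: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        i += length
        if tag & 0x20:          # constructed (SEQUENCE, SET, [0] ...)
            oids.extend(der_oids(body))
        elif tag == 0x06:       # OBJECT IDENTIFIER
            oids.append(decode_oid(body))
    return oids


def inspect_module(blob: bytes) -> dict:
    """Return what the trailer says about a module image (unsigned -> signed=False)."""
    if not blob.endswith(MODULE_SIG_STRING):
        return {"signed": False}
    rest = blob[:-len(MODULE_SIG_STRING)]
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(rest[-SIG_INFO.size:])
    payload = rest[:-SIG_INFO.size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size: trailer is corrupt")
    sig = payload[len(payload) - sig_len:]
    oids = der_oids(sig) if id_type == PKEY_ID_PKCS7 else []
    return {
        "signed": True,
        "id_type": id_type,
        "sig_len": sig_len,
        "algorithms": sorted({KNOWN_OIDS[o] for o in oids if o in KNOWN_OIDS}),
        "unknown_oids": sorted({o for o in oids if o not in KNOWN_OIDS}),
    }


# --- constructed sample: a minimal signedData-shaped DER blob and a fake module ---
def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128  # short-form length suffices for this sample
    return bytes([tag, len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


SAMPLE_PKCS7 = der(0x30, encode_oid("1.2.840.113549.1.7.2") + der(0xA0, der(0x30,
    der(0x30, encode_oid("1.2.156.10197.1.401") + der(0x05, b""))   # digest: SM3
    + der(0x30, encode_oid("1.2.156.10197.1.501")))))                # sig: SM2-with-SM3
SAMPLE_MODULE = (b"\x7fELF" + b"fake module body (constructed)" + SAMPLE_PKCS7
                 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_PKCS7))
                 + MODULE_SIG_STRING)

if __name__ == "__main__":
    print(inspect_module(SAMPLE_MODULE))
```

Run against a real .ko by passing open("test.ko.signed", "rb").read() to inspect_module(); a module signed as in the cover letter should list SM3 and SM2-with-SM3, while one signed with a SHA-256/RSA key lists those instead, and any OID not in KNOWN_OIDS is surfaced rather than silently dropped.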