Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp289794pxf; Wed, 24 Mar 2021 05:21:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJydhE5u3joA3WfmI2aVB5Cmy4u8nO60AOCc3krDBFct9dzh1TGKkulFG1X84nNWWn0riG1H X-Received: by 2002:a05:6402:518d:: with SMTP id q13mr3100925edd.313.1616588496669; Wed, 24 Mar 2021 05:21:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616588496; cv=none; d=google.com; s=arc-20160816; b=esoKV6A0ApE4jfbe7ggK516Nc83ASOKNuzebOAF4KQ4aVg0Pu7K40Qw57LITCnv1tj bI68MXD5Iez7v9gP5fynkGIJp2ibSjeV2ieUwToo4MzC8DhJTliKKVKI5lmHe1GFJOag A78V84FuGZv6PJCTYcxc+JigzgSYKz15RsiHGQs+fZWmSouub2w1aBp7Ggt7iR2mVbd8 QrWAGZvjmPAXK7xKEwkWYAnacQ5hdEX2VV++CvqkXpHDx9w9iAQPSQ1/LUrD6KH0PpIu b0UAMWec3m+kcelyPjqbU7D79s21pdysJ+67/EdiTrEDRJOR7+OxZtLlO+4XvFBOPcE7 CoGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=zsOb8+D6xXOOmlKTQAoekihEk7+fI1l2mKs9Bxgs0Eo=; b=lPogaiW3IZT2x6EO+9ljhkazGfCYLIEqzmBMaku92ylcwutBCMe3nB9uOPyZoa1tmE TuUkzcyxaun0kPPt7T0nU8JEpBfOstH8sAYzXpJok7slPI916FvUoYokdcPRr95qiQdM rVi1CeDRghzafybi6lXpQtd7N0skQmuZU1KaL5pnEkONYh/1RtLKWk4iTWKtb05hPRLD wJvjy+7WB2NXZ5FgUsgjPm47Wct9+lSG256JATAAuPZZkLcR9v1VqItOrz4Epxv9SFaB ZaIaRxr7MZkXk4qCRd63Gg+W8+QfOUBfdCr6edGjK/ymOdY0rTdcht8SH3a3JLxEe8/l ZP7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hc17si1679726ejc.480.2021.03.24.05.21.09; Wed, 24 Mar 2021 05:21:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233299AbhCXMQM (ORCPT + 99 others); Wed, 24 Mar 2021 08:16:12 -0400 Received: from out30-54.freemail.mail.aliyun.com ([115.124.30.54]:38952 "EHLO out30-54.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233286AbhCXMQK (ORCPT ); Wed, 24 Mar 2021 08:16:10 -0400 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R761e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=alimailimapcm10staff010182156082;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=21;SR=0;TI=SMTPD_---0UTAwqDS_1616588126; Received: from localhost(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0UTAwqDS_1616588126) by smtp.aliyun-inc.com(127.0.0.1); Wed, 24 Mar 2021 20:15:26 +0800 From: Tianjia Zhang To: David Howells , Herbert Xu , "David S. Miller" , David Woodhouse , Jonathan Corbet , Masahiro Yamada , Andrew Morton , Nathan Chancellor , Kees Cook , Nick Desaulniers , Valentin Schneider , Nick Terrell , KP Singh , Johannes Weiner , Vlastimil Babka , keyrings@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Jia Zhang Cc: Tianjia Zhang Subject: [PATCH v2 2/2] init/Kconfig: support sign module with SM2-with-SM3 algorithm Date: Wed, 24 Mar 2021 20:15:25 +0800 Message-Id: <20210324121525.16062-3-tianjia.zhang@linux.alibaba.com> X-Mailer: git-send-email 2.19.1.3.ge56e4f7 In-Reply-To: <20210324121525.16062-1-tianjia.zhang@linux.alibaba.com> References: <20210324121525.16062-1-tianjia.zhang@linux.alibaba.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The kernel module signature supports the option to use the SM3 secure hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs. The former is used for signing and the latter is used for hash calculation. To sign a kernel module, first, prepare a configuration file openssl.cnf with the following content: [ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_req [ req_distinguished_name ] C = CN ST = HangZhou L = foo O = Test OU = Test CN = Test key emailAddress = test@foo.com [ v3_req ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always Then we can use the following method to sign module with SM2-with-SM3 algorithm combination: # generate CA key and self-signed CA certificate openssl ecparam -genkey -name SM2 -text -out ca.key openssl req -new -x509 -days 3650 -key ca.key \ -sm3 -sigopt "distid:1234567812345678" \ -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \ -config openssl.cnf -out ca.crt # generate SM2 private key and sign request openssl ecparam -genkey -name SM2 -text -out private.pem openssl req -new -key private.pem -config openssl.cnf \ -sm3 -sigopt "distid:1234567812345678" -out csr.pem # generate SM2-with-SM3 certificate signed by CA openssl x509 -req -days 3650 -sm3 -in csr.pem \ -sigopt "distid:1234567812345678" \ -vfyopt "distid:1234567812345678" \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile openssl.cnf -extensions v3_req \ -out cert.pem # sign module with SM2-with-SM3 algorithm sign-file sm3 private.pem cert.pem test.ko test.ko.signed At this point, we should built the CA certificate into the kernel, and then we can load the SM2-with-SM3 signed module normally. Signed-off-by: Tianjia Zhang --- Documentation/admin-guide/module-signing.rst | 5 +++-- init/Kconfig | 5 +++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst index 7d7c7c8a545c..8d8980808b5b 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -30,8 +30,8 @@ This facility uses X.509 ITU-T standard certificates to encode the public keys involved. The signatures are not themselves encoded in any industrial standard type. The facility currently only supports the RSA public key encryption standard (though it is pluggable and permits others to be used). The possible -hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and -SHA-512 (the algorithm is selected by data in the signature). +hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, +and SM3 (the algorithm is selected by data in the signature). ========================== @@ -86,6 +86,7 @@ This has a number of options available: ``CONFIG_MODULE_SIG_SHA256`` :menuselection:`Sign modules with SHA-256` ``CONFIG_MODULE_SIG_SHA384`` :menuselection:`Sign modules with SHA-384` ``CONFIG_MODULE_SIG_SHA512`` :menuselection:`Sign modules with SHA-512` + ``CONFIG_MODULE_SIG_SM3`` :menuselection:`Sign modules with SM3` =============================== ========================================== The algorithm selected here will also be built into the kernel (rather diff --git a/init/Kconfig b/init/Kconfig index 5f5c776ef192..fed9236078e4 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512 bool "Sign modules with SHA-512" select CRYPTO_SHA512 +config MODULE_SIG_SM3 + bool "Sign modules with SM3" + select CRYPTO_SM3 + endchoice config MODULE_SIG_HASH @@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH default "sha256" if MODULE_SIG_SHA256 default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512 + default "sm3" if MODULE_SIG_SM3 config MODULE_COMPRESS bool "Compress modules on installation" -- 2.19.1.3.ge56e4f7