Message-Id: <20210324121525.16062-1-tianjia.zhang@linux.alibaba.com>
Date: Wed, 24 Mar 2021 20:15:23 +0800
From: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
To: David Howells <dhowells@...hat.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
David Woodhouse <dwmw2@...radead.org>,
Jonathan Corbet <corbet@....net>,
Masahiro Yamada <masahiroy@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Nathan Chancellor <nathan@...nel.org>,
Kees Cook <keescook@...omium.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Valentin Schneider <valentin.schneider@....com>,
Nick Terrell <terrelln@...com>, KP Singh <kpsingh@...gle.com>,
Johannes Weiner <hannes@...xchg.org>,
Vlastimil Babka <vbabka@...e.cz>, keyrings@...r.kernel.org,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org,
Jia Zhang <zhang.jia@...ux.alibaba.com>
Cc: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
Subject: [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm
The kernel module signature supports the option to use the SM3 secure
hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
The former is used for signing and the latter is used for hash
calculation.
To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a
configuration file openssl.cnf with the following content:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_req
[ req_distinguished_name ]
C = CN
ST = HangZhou
L = foo
O = Test
OU = Test
CN = Test key
emailAddress = test@....com
[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
Then we can use the following method to sign module with SM2-with-SM3
algorithm combination:
# generate CA key and self-signed CA certificate
openssl ecparam -genkey -name SM2 -text -out ca.key
openssl req -new -x509 -days 3650 -key ca.key \
-sm3 -sigopt "distid:1234567812345678" \
-subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@....com" \
-config openssl.cnf -out ca.crt
# generate SM2 private key and sign request
openssl ecparam -genkey -name SM2 -text -out private.pem
openssl req -new -key private.pem -config openssl.cnf \
-sm3 -sigopt "distid:1234567812345678" -out csr.pem
# generate SM2-with-SM3 certificate signed by CA
openssl x509 -req -days 3650 -sm3 -in csr.pem \
-sigopt "distid:1234567812345678" \
-vfyopt "distid:1234567812345678" \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile openssl.cnf -extensions v3_req \
-out cert.pem
# sign module with SM2-with-SM3 algorithm
sign-file sm3 private.pem cert.pem test.ko test.ko.signed
At this point, we should build the CA certificate into the kernel, and
then we can load the SM2-with-SM3 signed module normally.
---
v2 changes:
- split one patch into two.
- richer commit log.
Tianjia Zhang (2):
pkcs7: make parser enable SM2 and SM3 algorithms combination
init/Kconfig: support sign module with SM2-with-SM3 algorithm
Documentation/admin-guide/module-signing.rst | 5 +++--
crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++
init/Kconfig | 5 +++++
3 files changed, 15 insertions(+), 2 deletions(-)
--
2.19.1.3.ge56e4f7
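The sign-file step above appends a PKCS#7 signature to the module, followed by a fixed trailer and a magic string; the kernel strips and sanity-checks that trailer before handing the PKCS#7 blob to the parser that this series teaches about SM2 and SM3. The following is an added example, not code from the patch series or from the kernel tree: a small Python inspector that splits a signed module into its parts the way the kernel does, lists the algorithm OIDs found in the DER, and names the SM3 (1.2.156.10197.1.401) and SM2-with-SM3 (1.2.156.10197.1.501) ones. The trailer layout is taken from kernel/module_signature.h and scripts/sign-file.c. The embedded PKCS#7 blob is a constructed stand-in that only carries those two OIDs, so nothing here verifies an SM2 signature; run it against a real test.ko.signed to see the full OID list the kernel parser will walk.

```python
"""Inspect the signature trailer that scripts/sign-file appends to a module.

Added example; not code from the patch series or the kernel tree. Layout
(kernel/module_signature.h, scripts/sign-file.c):
    <module contents> <PKCS#7 DER> <struct module_signature> <magic string>
The PKCS#7 blob below is a constructed stand-in, not a real signature.
"""
import struct

MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2                        # id_type value written by sign-file
OID_SM3 = "1.2.156.10197.1.401"          # id-sm3 (digest)
OID_SM2_WITH_SM3 = "1.2.156.10197.1.501" # sm2sign-with-sm3 (signature)
KNOWN_OIDS = {OID_SM3: "sm3", OID_SM2_WITH_SM3: "sm2-with-sm3"}
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# u8 __pad[3], then __be32 sig_len (12 bytes in total).
SIG_STRUCT = struct.Struct(">BBBBBBBBI")


def encode_oid(dotted):
    """DER-encode a dotted OID, tag and length included."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the value bytes of a DER OID (first arc 0..2, enough here)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_oids(data):
    """Walk DER TLVs and collect every OID, descending into constructed types."""
    found, pos = [], 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("truncated DER element")
        value = data[pos:pos + length]
        if tag == 0x06:
            found.append(decode_oid(value))
        elif tag & 0x20:                 # constructed: recurse
            found.extend(der_oids(value))
        pos += length
    return found


def split_signed_module(blob):
    """Return (module_bytes, pkcs7_der, info); checks mirror mod_check_sig()."""
    if not blob.endswith(MAGIC):
        raise ValueError("no module signature appended")
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("file too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, *pad, sig_len = \
        SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    body = body[:-SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type %d" % id_type)
    if algo or hash_ or signer_len or key_id_len or any(pad):
        raise ValueError("in-band key fields must be zero for PKCS#7")
    if sig_len == 0 or sig_len >= len(body):
        raise ValueError("sig_len out of range")
    module, pkcs7 = body[:len(body) - sig_len], body[len(body) - sig_len:]
    algorithms = [KNOWN_OIDS.get(oid, oid) for oid in der_oids(pkcs7)]
    return module, pkcs7, {"sig_len": sig_len, "algorithms": algorithms}


def append_signature(module_bytes, pkcs7_der):
    """Append a PKCS#7 blob and trailer in the same layout sign-file uses."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0, len(pkcs7_der))
    return module_bytes + pkcs7_der + trailer + MAGIC


def _seq(*items):                        # DER SEQUENCE, short-form length
    inner = b"".join(items)
    return bytes([0x30, len(inner)]) + inner


# Constructed sample input: a fake module body plus a DER stand-in holding two
# AlgorithmIdentifier-shaped SEQUENCEs with the SM3 and SM2-with-SM3 OIDs.
SAMPLE_MODULE = b"\x7fELF<constructed module body>"
SAMPLE_PKCS7 = _seq(_seq(encode_oid(OID_SM3), b"\x05\x00"),
                    _seq(encode_oid(OID_SM2_WITH_SM3), b"\x05\x00"))
SAMPLE_SIGNED = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIGNED
    module, pkcs7, info = split_signed_module(data)
    print("module %d bytes, signature %d bytes, OIDs: %s"
          % (len(module), info["sig_len"], ", ".join(info["algorithms"])))
```

Run it with no arguments to see the constructed sample, or with the path of a signed module to list the OIDs inside the real PKCS#7 (the kernel parser must recognise the digest and signature OIDs it finds there, which is exactly what the pkcs7_parser.c hunk in this series adds for SM3 and SM2-with-SM3). The trailer checks are the ones the kernel applies before parsing: PKCS#7 id_type, zeroed legacy fields, and a sig_len that leaves a non-empty module.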