Message-ID: <aef1e8b9-c378-9f2e-881c-b81c4ecad028@linux.alibaba.com>
Date:   Wed, 7 Apr 2021 11:29:20 +0800
From:   Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
To:     David Howells <dhowells@...hat.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        David Woodhouse <dwmw2@...radead.org>,
        Jonathan Corbet <corbet@....net>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Valentin Schneider <valentin.schneider@....com>,
        Nick Terrell <terrelln@...com>, KP Singh <kpsingh@...gle.com>,
        Johannes Weiner <hannes@...xchg.org>,
        Vlastimil Babka <vbabka@...e.cz>, keyrings@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-crypto@...r.kernel.org,
        Jia Zhang <zhang.jia@...ux.alibaba.com>
Subject: Re: [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm

ping.

Thanks,
Tianjia

On 3/24/21 8:15 PM, Tianjia Zhang wrote:
> The kernel module signature supports the option to use the SM3 secure
> hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
> The former is used for signing and the latter is used for hash
> calculation.
> 
> To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a
> configuration file openssl.cnf with the following content:
> 
>    [ req ]
>    default_bits = 2048
>    distinguished_name = req_distinguished_name
>    prompt = no
>    string_mask = utf8only
>    x509_extensions = v3_req
> 
>    [ req_distinguished_name ]
>    C = CN
>    ST = HangZhou
>    L = foo
>    O = Test
>    OU = Test
>    CN = Test key
>    emailAddress = test@....com
> 
>    [ v3_req ]
>    basicConstraints=critical,CA:FALSE
>    keyUsage=digitalSignature
>    subjectKeyIdentifier=hash
>    authorityKeyIdentifier=keyid:always
> 
> Then we can use the following method to sign a module with the SM2-with-SM3
> algorithm combination:
> 
>    # generate CA key and self-signed CA certificate
>    openssl ecparam -genkey -name SM2 -text -out ca.key
>    openssl req -new -x509 -days 3650 -key ca.key \
>        -sm3 -sigopt "distid:1234567812345678" \
>        -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@....com" \
>        -config openssl.cnf -out ca.crt
> 
>    # generate SM2 private key and sign request
>    openssl ecparam -genkey -name SM2 -text -out private.pem
>    openssl req -new -key private.pem -config openssl.cnf \
>        -sm3 -sigopt "distid:1234567812345678" -out csr.pem
> 
>    # generate SM2-with-SM3 certificate signed by CA
>    openssl x509 -req -days 3650 -sm3 -in csr.pem \
>        -sigopt "distid:1234567812345678" \
>        -vfyopt "distid:1234567812345678" \
>        -CA ca.crt -CAkey ca.key -CAcreateserial \
>        -extfile openssl.cnf -extensions v3_req \
>        -out cert.pem
> 
>    # sign module with SM2-with-SM3 algorithm
>    sign-file sm3 private.pem cert.pem test.ko test.ko.signed
> 
> At this point, we should build the CA certificate into the kernel, and
> then we can load the SM2-with-SM3 signed module normally.
> 
> ---
> v2 change:
>    - split one patch into two.
>    - richer commit log.
> 
> Tianjia Zhang (2):
>    pkcs7: make parser enable SM2 and SM3 algorithms combination
>    init/Kconfig: support sign module with SM2-with-SM3 algorithm
> 
>   Documentation/admin-guide/module-signing.rst | 5 +++--
>   crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
>   init/Kconfig                                 | 5 +++++
>   3 files changed, 15 insertions(+), 2 deletions(-)
> 
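An added example, not part of this thread or of the kernel's own sign-file code: a Python parser for the trailer that sign-file appends to a module (the layout of struct module_signature and the magic string come from include/linux/module_signature.h). The module bytes and the PKCS#7 blob below are constructed, and the SM3 check is a byte-pattern match for the SM3 digest OID, not a full DER parse.

```python
import struct

# Layout from include/linux/module_signature.h:
# algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2                     # enum pkey_id_type
SIG_HDR = struct.Struct(">BBBBB3xI")  # 12-byte header preceding the magic

# DER encoding of OBJECT IDENTIFIER 1.2.156.10197.1.401 (SM3 digest).
# Used only as a substring heuristic; a real check parses the PKCS#7 DER.
SM3_OID_DER = bytes.fromhex("06082a811ccf55018311")


def parse_signed_module(data: bytes) -> dict:
    """Split sign-file output into payload, header fields and PKCS#7 blob."""
    if not data.endswith(MODULE_SIG_STRING):
        raise ValueError("no module signature magic at end of file")
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("file too short for module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = \
        SIG_HDR.unpack(body[-SIG_HDR.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unexpected id_type {id_type}, expected PKCS#7")
    # With PKCS#7 the algorithm/hash/signer fields are unused and must be zero;
    # the digest and signature algorithms live inside the PKCS#7 blob instead.
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields in PKCS#7 signature header")
    rest = body[:-SIG_HDR.size]
    if sig_len > len(rest):
        raise ValueError("sig_len exceeds available data")
    pkcs7 = rest[len(rest) - sig_len:]
    return {
        "payload": rest[:len(rest) - sig_len],
        "pkcs7": pkcs7,
        "sig_len": sig_len,
        "mentions_sm3": SM3_OID_DER in pkcs7,
    }


def build_sample(payload: bytes, pkcs7: bytes) -> bytes:
    """Constructed sample in sign-file's layout: payload | PKCS#7 | header | magic."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + hdr + MODULE_SIG_STRING


if __name__ == "__main__":
    fake_p7 = b"\x30\x82\x01\x00" + SM3_OID_DER + b"\x00" * 20  # constructed, not real DER
    info = parse_signed_module(build_sample(b"\x7fELF fake module body", fake_p7))
    print(info["sig_len"], info["mentions_sm3"])
```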
