Message-ID: <ZTuXlGsYsmvO6v+M@gondor.apana.org.au>
Date: Fri, 27 Oct 2023 18:57:24 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Dimitri John Ledkov <dimitri.ledkov@...onical.com>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/6] crypto: pkcs7 x509 add FIPS 202 SHA-3 support

On Sun, Oct 22, 2023 at 07:22:02PM +0100, Dimitri John Ledkov wrote:
> Recent patches to cryptodev removed support for insecure, broken or
> weak x509/pkcs7 signing hashes MD4, MD5, SHA1, SHA-224. This opens
> room to add SHA-3 family of hashes, which are not yet broken.
>
> Add support for FIPS 202 SHA-3 in x509 RSA & ECC certs, pkcs7
> signatures, hash info structs. And adjust documentation.
>
> This enables using SHA-3 family of hashes for kernel module signing.
>
> For SHA3+ECC signing openssl with this patch [0] is needed, currently
> in openssl development tip. SHA3+RSA signing is supported by stable
> openssl.
>
> kmod needs a patch to recognise SHA3 hash names [1], submitted
> separately.
>
> This patch series is on top of tip of cryptodev git repository commit
> a2786e8bdd ("crypto: qcom-rng - Add missing dependency on hw_random")
>
> [0] https://github.com/openssl/openssl/pull/22147/files
> [1] https://lore.kernel.org/all/20231022180928.180437-1-dimitri.ledkov@canonical.com/
>
> Dimitri John Ledkov (6):
>   x509: Add OIDs for FIPS 202 SHA-3 hash and signatures
>   crypto: FIPS 202 SHA-3 register in hash info for IMA
>   crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support
>   crypto: x509 pkcs7 - allow FIPS 202 SHA-3 signatures
>   crypto: enable automatic module signing with FIPS 202 SHA-3
>   Documentation/module-signing.txt: bring up to date
>
>  Documentation/admin-guide/module-signing.rst | 17 ++++++++-----
>  certs/Kconfig                                |  2 +-
>  crypto/asymmetric_keys/mscode_parser.c       |  9 +++++++
>  crypto/asymmetric_keys/pkcs7_parser.c        | 12 ++++++++++
>  crypto/asymmetric_keys/public_key.c          |  5 +++-
>  crypto/asymmetric_keys/x509_cert_parser.c    | 24 +++++++++++++++++++
>  crypto/hash_info.c                           |  6 +++++
>  crypto/rsa-pkcs1pad.c                        | 25 +++++++++++++++++++-
>  crypto/testmgr.c                             | 12 ++++++++++
>  include/crypto/hash_info.h                   |  1 +
>  include/linux/oid_registry.h                 | 11 +++++++++
>  include/uapi/linux/hash_info.h               |  3 +++
>  kernel/module/Kconfig                        | 15 ++++++++++++
>  13 files changed, 133 insertions(+), 9 deletions(-)
>
> --
> 2.34.1

All applied. Thanks.
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt