lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aW-9b0JO_FX3P__b@kernel.org>
Date: Tue, 20 Jan 2026 19:37:51 +0200
From: Jarkko Sakkinen <jarkko@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: Lukas Wunner <lukas@...ner.de>, Ignat Korchagin <ignat@...udflare.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Eric Biggers <ebiggers@...nel.org>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Daniel Gomez <da.gomez@...nel.org>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	"Jason A . Donenfeld" <Jason@...c4.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Stephan Mueller <smueller@...onox.de>, linux-crypto@...r.kernel.org,
	keyrings@...r.kernel.org, linux-modules@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v13 01/12] crypto: Add ML-DSA crypto_sig support

On Tue, Jan 20, 2026 at 02:50:47PM +0000, David Howells wrote:
> Add verify-only public key crypto support for ML-DSA so that the
> X.509/PKCS#7 signature verification code, as used by module signing,
> amongst other things, can make use of it through the common crypto_sig API.
> 
> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: Eric Biggers <ebiggers@...nel.org>
> cc: Lukas Wunner <lukas@...ner.de>
> cc: Ignat Korchagin <ignat@...udflare.com>
> cc: Stephan Mueller <smueller@...onox.de>
> cc: Herbert Xu <herbert@...dor.apana.org.au>
> cc: keyrings@...r.kernel.org
> cc: linux-crypto@...r.kernel.org
> ---
>  crypto/Kconfig  |  10 +++
>  crypto/Makefile |   2 +
>  crypto/mldsa.c  | 201 ++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 213 insertions(+)
>  create mode 100644 crypto/mldsa.c
> 
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 12a87f7cf150..8dd5c6660c5a 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -344,6 +344,16 @@ config CRYPTO_ECRDSA
>  	  One of the Russian cryptographic standard algorithms (called GOST
>  	  algorithms). Only signature verification is implemented.
>  
> +config CRYPTO_MLDSA
> +	tristate "ML-DSA (Module-Lattice-Based Digital Signature Algorithm)"
> +	select CRYPTO_SIG
> +	select CRYPTO_LIB_MLDSA
> +	select CRYPTO_LIB_SHA3
> +	help
> +	  ML-DSA (Module-Lattice-Based Digital Signature Algorithm) (FIPS-204).
> +
> +	  Only signature verification is implemented.
> +
>  endmenu
>  
>  menu "Block ciphers"
> diff --git a/crypto/Makefile b/crypto/Makefile
> index 23d3db7be425..267d5403045b 100644
> --- a/crypto/Makefile
> +++ b/crypto/Makefile
> @@ -60,6 +60,8 @@ ecdsa_generic-y += ecdsa-p1363.o
>  ecdsa_generic-y += ecdsasignature.asn1.o
>  obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o
>  
> +obj-$(CONFIG_CRYPTO_MLDSA) += mldsa.o
> +
>  crypto_acompress-y := acompress.o
>  crypto_acompress-y += scompress.o
>  obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o
> diff --git a/crypto/mldsa.c b/crypto/mldsa.c
> new file mode 100644
> index 000000000000..2146c774b5ca
> --- /dev/null
> +++ b/crypto/mldsa.c
> @@ -0,0 +1,201 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * crypto_sig wrapper around ML-DSA library.
> + */
> +#include <linux/init.h>
> +#include <linux/module.h>
> +#include <crypto/internal/sig.h>
> +#include <crypto/mldsa.h>
> +
> +struct crypto_mldsa_ctx {
> +	u8 pk[MAX(MAX(MLDSA44_PUBLIC_KEY_SIZE,
> +		      MLDSA65_PUBLIC_KEY_SIZE),
> +		  MLDSA87_PUBLIC_KEY_SIZE)];
> +	unsigned int pk_len;
> +	enum mldsa_alg strength;
> +	u8 key_set;
> +};
> +
> +static int crypto_mldsa_sign(struct crypto_sig *tfm,
> +			     const void *msg, unsigned int msg_len,
> +			     void *sig, unsigned int sig_len)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static int crypto_mldsa_verify(struct crypto_sig *tfm,
> +			       const void *sig, unsigned int sig_len,
> +			       const void *msg, unsigned int msg_len)
> +{
> +	const struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	if (unlikely(!ctx->key_set))
> +		return -EINVAL;
> +
> +	return mldsa_verify(ctx->strength, sig, sig_len, msg, msg_len,
> +			    ctx->pk, ctx->pk_len);
> +}
> +
> +static unsigned int crypto_mldsa_key_size(struct crypto_sig *tfm)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	switch (ctx->strength) {
> +	case MLDSA44:
> +		return MLDSA44_PUBLIC_KEY_SIZE;
> +	case MLDSA65:
> +		return MLDSA65_PUBLIC_KEY_SIZE;
> +	case MLDSA87:
> +		return MLDSA87_PUBLIC_KEY_SIZE;
> +	default:
> +		WARN_ON_ONCE(1);
> +		return 0;
> +	}
> +}
> +
> +static int crypto_mldsa_set_pub_key(struct crypto_sig *tfm,
> +				    const void *key, unsigned int keylen)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +	unsigned int expected_len = crypto_mldsa_key_size(tfm);
> +
> +	if (keylen != expected_len)
> +		return -EINVAL;
> +
> +	ctx->pk_len = keylen;
> +	memcpy(ctx->pk, key, keylen);
> +	ctx->key_set = true;
> +	return 0;
> +}
> +
> +static int crypto_mldsa_set_priv_key(struct crypto_sig *tfm,
> +				     const void *key, unsigned int keylen)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +static unsigned int crypto_mldsa_max_size(struct crypto_sig *tfm)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	switch (ctx->strength) {
> +	case MLDSA44:
> +		return MLDSA44_SIGNATURE_SIZE;
> +	case MLDSA65:
> +		return MLDSA65_SIGNATURE_SIZE;
> +	case MLDSA87:
> +		return MLDSA87_SIGNATURE_SIZE;
> +	default:
> +		WARN_ON_ONCE(1);
> +		return 0;
> +	}
> +}
> +
> +static int crypto_mldsa44_alg_init(struct crypto_sig *tfm)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	ctx->strength = MLDSA44;
> +	ctx->key_set = false;
> +	return 0;
> +}
> +
> +static int crypto_mldsa65_alg_init(struct crypto_sig *tfm)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	ctx->strength = MLDSA65;
> +	ctx->key_set = false;
> +	return 0;
> +}
> +
> +static int crypto_mldsa87_alg_init(struct crypto_sig *tfm)
> +{
> +	struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> +	ctx->strength = MLDSA87;
> +	ctx->key_set = false;
> +	return 0;
> +}
> +
> +static void crypto_mldsa_alg_exit(struct crypto_sig *tfm)
> +{
> +}
> +
> +static struct sig_alg crypto_mldsa_algs[] = {
> +	{
> +		.sign			= crypto_mldsa_sign,
> +		.verify			= crypto_mldsa_verify,
> +		.set_pub_key		= crypto_mldsa_set_pub_key,
> +		.set_priv_key		= crypto_mldsa_set_priv_key,
> +		.key_size		= crypto_mldsa_key_size,
> +		.max_size		= crypto_mldsa_max_size,
> +		.init			= crypto_mldsa44_alg_init,
> +		.exit			= crypto_mldsa_alg_exit,
> +		.base.cra_name		= "mldsa44",
> +		.base.cra_driver_name	= "mldsa44-lib",
> +		.base.cra_ctxsize	= sizeof(struct crypto_mldsa_ctx),
> +		.base.cra_module	= THIS_MODULE,
> +		.base.cra_priority	= 5000,
> +	}, {
> +		.sign			= crypto_mldsa_sign,
> +		.verify			= crypto_mldsa_verify,
> +		.set_pub_key		= crypto_mldsa_set_pub_key,
> +		.set_priv_key		= crypto_mldsa_set_priv_key,
> +		.key_size		= crypto_mldsa_key_size,
> +		.max_size		= crypto_mldsa_max_size,
> +		.init			= crypto_mldsa65_alg_init,
> +		.exit			= crypto_mldsa_alg_exit,
> +		.base.cra_name		= "mldsa65",
> +		.base.cra_driver_name	= "mldsa65-lib",
> +		.base.cra_ctxsize	= sizeof(struct crypto_mldsa_ctx),
> +		.base.cra_module	= THIS_MODULE,
> +		.base.cra_priority	= 5000,
> +	}, {
> +		.sign			= crypto_mldsa_sign,
> +		.verify			= crypto_mldsa_verify,
> +		.set_pub_key		= crypto_mldsa_set_pub_key,
> +		.set_priv_key		= crypto_mldsa_set_priv_key,
> +		.key_size		= crypto_mldsa_key_size,
> +		.max_size		= crypto_mldsa_max_size,
> +		.init			= crypto_mldsa87_alg_init,
> +		.exit			= crypto_mldsa_alg_exit,
> +		.base.cra_name		= "mldsa87",
> +		.base.cra_driver_name	= "mldsa87-lib",
> +		.base.cra_ctxsize	= sizeof(struct crypto_mldsa_ctx),
> +		.base.cra_module	= THIS_MODULE,
> +		.base.cra_priority	= 5000,
> +	},
> +};
> +
> +static int __init mldsa_init(void)
> +{
> +	int ret, i;
> +
> +	for (i = 0; i < ARRAY_SIZE(crypto_mldsa_algs); i++) {
> +		ret = crypto_register_sig(&crypto_mldsa_algs[i]);
> +		if (ret < 0)
> +			goto error;
> +	}
> +	return 0;
> +
> +error:
> +	pr_err("Failed to register (%d)\n", ret);
> +	for (i--; i >= 0; i--)
> +		crypto_unregister_sig(&crypto_mldsa_algs[i]);
> +	return ret;
> +}
> +module_init(mldsa_init);
> +
> +static void mldsa_exit(void)
> +{
> +	for (int i = 0; i < ARRAY_SIZE(crypto_mldsa_algs); i++)
> +		crypto_unregister_sig(&crypto_mldsa_algs[i]);
> +}
> +module_exit(mldsa_exit);
> +
> +MODULE_LICENSE("GPL");
> +MODULE_DESCRIPTION("Crypto API support for ML-DSA signature verification");
> +MODULE_ALIAS_CRYPTO("mldsa44");
> +MODULE_ALIAS_CRYPTO("mldsa65");
> +MODULE_ALIAS_CRYPTO("mldsa87");
> 

Went through it, not much else to say, as it just binds the callbacks:

Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>

BR, Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ