[PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[Tianjia Zhang]

The kernel module signature supports the option to use the SM3
secure hash (OSCCA GM/T 0004-2012 SM3).

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 Documentation/admin-guide/module-signing.rst | 5 +++--
 crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
 init/Kconfig                                 | 5 +++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..8d8980808b5b 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -30,8 +30,8 @@ This facility uses X.509 ITU-T standard certificates to encode the public keys
 involved.  The signatures are not themselves encoded in any industrial standard
 type.  The facility currently only supports the RSA public key encryption
 standard (though it is pluggable and permits others to be used).  The possible
-hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
-SHA-512 (the algorithm is selected by data in the signature).
+hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
+and SM3 (the algorithm is selected by data in the signature).
 
 
 ==========================
@@ -86,6 +86,7 @@ This has a number of options available:
 	``CONFIG_MODULE_SIG_SHA256``	:menuselection:`Sign modules with SHA-256`
 	``CONFIG_MODULE_SIG_SHA384``	:menuselection:`Sign modules with SHA-384`
 	``CONFIG_MODULE_SIG_SHA512``	:menuselection:`Sign modules with SHA-512`
+	``CONFIG_MODULE_SIG_SM3``	:menuselection:`Sign modules with SM3`
         =============================== ==========================================
 
      The algorithm selected here will also be built into the kernel (rather
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 967329e0a07b..6cf6c4552c11 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -248,6 +248,9 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
 	case OID_sha224:
 		ctx->sinfo->sig->hash_algo = "sha224";
 		break;
+	case OID_sm3:
+		ctx->sinfo->sig->hash_algo = "sm3";
+		break;
 	default:
 		printk("Unsupported digest algo: %u\n", ctx->last_oid);
 		return -ENOPKG;
@@ -269,6 +272,10 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
 		ctx->sinfo->sig->pkey_algo = "rsa";
 		ctx->sinfo->sig->encoding = "pkcs1";
 		break;
+	case OID_SM2_with_SM3:
+		ctx->sinfo->sig->pkey_algo = "sm2";
+		ctx->sinfo->sig->encoding = "raw";
+		break;
 	default:
 		printk("Unsupported pkey algo: %u\n", ctx->last_oid);
 		return -ENOPKG;
diff --git a/init/Kconfig b/init/Kconfig
index 5f5c776ef192..fed9236078e4 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512
 	bool "Sign modules with SHA-512"
 	select CRYPTO_SHA512
 
+config MODULE_SIG_SM3
+	bool "Sign modules with SM3"
+	select CRYPTO_SM3
+
 endchoice
 
 config MODULE_SIG_HASH
@@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH
 	default "sha256" if MODULE_SIG_SHA256
 	default "sha384" if MODULE_SIG_SHA384
 	default "sha512" if MODULE_SIG_SHA512
+	default "sm3" if MODULE_SIG_SM3
 
 config MODULE_COMPRESS
 	bool "Compress modules on installation"
-- 
2.19.1.3.ge56e4f7

Re: [PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[Randy Dunlap]

On 3/23/21 1:35 AM, Tianjia Zhang wrote:
> The kernel module signature supports the option to use the SM3
> secure hash (OSCCA GM/T 0004-2012 SM3).
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> ---
>  Documentation/admin-guide/module-signing.rst | 5 +++--
>  crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
>  init/Kconfig                                 | 5 +++++
>  3 files changed, 15 insertions(+), 2 deletions(-)
> 

> diff --git a/init/Kconfig b/init/Kconfig
> index 5f5c776ef192..fed9236078e4 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512
>  	bool "Sign modules with SHA-512"
>  	select CRYPTO_SHA512
>  
> +config MODULE_SIG_SM3
> +	bool "Sign modules with SM3"
> +	select CRYPTO_SM3
> +
>  endchoice
>  
>  config MODULE_SIG_HASH
> @@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH
>  	default "sha256" if MODULE_SIG_SHA256
>  	default "sha384" if MODULE_SIG_SHA384
>  	default "sha512" if MODULE_SIG_SHA512
> +	default "sm3" if MODULE_SIG_SM3
>  
>  config MODULE_COMPRESS
>  	bool "Compress modules on installation"
> 

checkpatch tells me:

WARNING: please write a paragraph that describes the config symbol fully
#74: FILE: init/Kconfig:2205:
+config MODULE_SIG_SM3


so yes, it should have some help text there.

thanks.
-- 
~Randy

Re: [PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[Ard Biesheuvel]

On Tue, 23 Mar 2021 at 09:36, Tianjia Zhang
<tianjia.zhang@linux.alibaba.com> wrote:
>
> The kernel module signature supports the option to use the SM3
> secure hash (OSCCA GM/T 0004-2012 SM3).
>
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

A secure hash is not the same as a signature. Looking at the patch,
the asymmetric algorithm that is used to sign the SM3 digest is SM2,
is that correct? How does one create such signed modules?

In any case, please provide more context in the commit log on how this
is intended to be used.


> ---
>  Documentation/admin-guide/module-signing.rst | 5 +++--
>  crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
>  init/Kconfig                                 | 5 +++++
>  3 files changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
> index 7d7c7c8a545c..8d8980808b5b 100644
> --- a/Documentation/admin-guide/module-signing.rst
> +++ b/Documentation/admin-guide/module-signing.rst
> @@ -30,8 +30,8 @@ This facility uses X.509 ITU-T standard certificates to encode the public keys
>  involved.  The signatures are not themselves encoded in any industrial standard
>  type.  The facility currently only supports the RSA public key encryption
>  standard (though it is pluggable and permits others to be used).  The possible
> -hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
> -SHA-512 (the algorithm is selected by data in the signature).
> +hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
> +and SM3 (the algorithm is selected by data in the signature).
>
>
>  ==========================
> @@ -86,6 +86,7 @@ This has a number of options available:
>         ``CONFIG_MODULE_SIG_SHA256``    :menuselection:`Sign modules with SHA-256`
>         ``CONFIG_MODULE_SIG_SHA384``    :menuselection:`Sign modules with SHA-384`
>         ``CONFIG_MODULE_SIG_SHA512``    :menuselection:`Sign modules with SHA-512`
> +       ``CONFIG_MODULE_SIG_SM3``       :menuselection:`Sign modules with SM3`
>          =============================== ==========================================
>
>       The algorithm selected here will also be built into the kernel (rather
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index 967329e0a07b..6cf6c4552c11 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -248,6 +248,9 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
>         case OID_sha224:
>                 ctx->sinfo->sig->hash_algo = "sha224";
>                 break;
> +       case OID_sm3:
> +               ctx->sinfo->sig->hash_algo = "sm3";
> +               break;
>         default:
>                 printk("Unsupported digest algo: %u\n", ctx->last_oid);
>                 return -ENOPKG;
> @@ -269,6 +272,10 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
>                 ctx->sinfo->sig->pkey_algo = "rsa";
>                 ctx->sinfo->sig->encoding = "pkcs1";
>                 break;
> +       case OID_SM2_with_SM3:
> +               ctx->sinfo->sig->pkey_algo = "sm2";
> +               ctx->sinfo->sig->encoding = "raw";
> +               break;
>         default:
>                 printk("Unsupported pkey algo: %u\n", ctx->last_oid);
>                 return -ENOPKG;
> diff --git a/init/Kconfig b/init/Kconfig
> index 5f5c776ef192..fed9236078e4 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512
>         bool "Sign modules with SHA-512"
>         select CRYPTO_SHA512
>
> +config MODULE_SIG_SM3
> +       bool "Sign modules with SM3"
> +       select CRYPTO_SM3
> +
>  endchoice
>
>  config MODULE_SIG_HASH
> @@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH
>         default "sha256" if MODULE_SIG_SHA256
>         default "sha384" if MODULE_SIG_SHA384
>         default "sha512" if MODULE_SIG_SHA512
> +       default "sm3" if MODULE_SIG_SM3
>
>  config MODULE_COMPRESS
>         bool "Compress modules on installation"
> --
> 2.19.1.3.ge56e4f7
>

Re: [PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[Tianjia Zhang]

Hi,

On 3/24/21 12:43 AM, Randy Dunlap wrote:
> On 3/23/21 1:35 AM, Tianjia Zhang wrote:
>> The kernel module signature supports the option to use the SM3
>> secure hash (OSCCA GM/T 0004-2012 SM3).
>>
>> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
>> ---
>>   Documentation/admin-guide/module-signing.rst | 5 +++--
>>   crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
>>   init/Kconfig                                 | 5 +++++
>>   3 files changed, 15 insertions(+), 2 deletions(-)
>>
> 
>> diff --git a/init/Kconfig b/init/Kconfig
>> index 5f5c776ef192..fed9236078e4 100644
>> --- a/init/Kconfig
>> +++ b/init/Kconfig
>> @@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512
>>   	bool "Sign modules with SHA-512"
>>   	select CRYPTO_SHA512
>>   
>> +config MODULE_SIG_SM3
>> +	bool "Sign modules with SM3"
>> +	select CRYPTO_SM3
>> +
>>   endchoice
>>   
>>   config MODULE_SIG_HASH
>> @@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH
>>   	default "sha256" if MODULE_SIG_SHA256
>>   	default "sha384" if MODULE_SIG_SHA384
>>   	default "sha512" if MODULE_SIG_SHA512
>> +	default "sm3" if MODULE_SIG_SM3
>>   
>>   config MODULE_COMPRESS
>>   	bool "Compress modules on installation"
>>
> 
> checkpatch tells me:
> 
> WARNING: please write a paragraph that describes the config symbol fully
> #74: FILE: init/Kconfig:2205:
> +config MODULE_SIG_SM3
> 
> 
> so yes, it should have some help text there.
> 
> thanks.
> 

I noticed, but this is just a list of algorithms, this warning can be 
ignored.

Best regards,
Tianjia

Re: [PATCH] init/Kconfig: Support sign module with SM3 hash algorithm

[Tianjia Zhang]

Hi,

On 3/24/21 6:14 AM, Ard Biesheuvel wrote:
> On Tue, 23 Mar 2021 at 09:36, Tianjia Zhang
> <tianjia.zhang@linux.alibaba.com> wrote:
>>
>> The kernel module signature supports the option to use the SM3
>> secure hash (OSCCA GM/T 0004-2012 SM3).
>>
>> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> 
> A secure hash is not the same as a signature. Looking at the patch,
> the asymmetric algorithm that is used to sign the SM3 digest is SM2,
> is that correct? How does one create such signed modules?
> 
> In any case, please provide more context in the commit log on how this
> is intended to be used.
> 
> 

Sorry for the trouble you have caused. You are right. SM2 and SM3 always 
appear in pairs. The former is used for signatures and the latter is 
used for hashing algorithms. I will add this information in the next 
version. It seems This is more appropriate to split into two patches.

Best regards,
Tianjia