* [PATCH v2 1/2] pkcs7: make parser enable SM2 and SM3 algorithms combination
2021-03-24 12:15 [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm Tianjia Zhang
@ 2021-03-24 12:15 ` Tianjia Zhang
2021-03-24 12:15 ` [PATCH v2 2/2] init/Kconfig: support sign module with SM2-with-SM3 algorithm Tianjia Zhang
2021-04-07 3:29 ` [PATCH v2 0/2] " Tianjia Zhang
2 siblings, 0 replies; 4+ messages in thread
From: Tianjia Zhang @ 2021-03-24 12:15 UTC (permalink / raw)
To: David Howells, Herbert Xu, David S. Miller, David Woodhouse,
Jonathan Corbet, Masahiro Yamada, Andrew Morton,
Nathan Chancellor, Kees Cook, Nick Desaulniers,
Valentin Schneider, Nick Terrell, KP Singh, Johannes Weiner,
Vlastimil Babka, keyrings, linux-doc, linux-kernel, linux-crypto,
Jia Zhang
Cc: Tianjia Zhang
Support parsing the message signature of the SM2 and SM3 algorithm
combination. This group of algorithms has been well supported. One
of the main users is module signature verification.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 967329e0a07b..6cf6c4552c11 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -248,6 +248,9 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
case OID_sha224:
ctx->sinfo->sig->hash_algo = "sha224";
break;
+ case OID_sm3:
+ ctx->sinfo->sig->hash_algo = "sm3";
+ break;
default:
printk("Unsupported digest algo: %u\n", ctx->last_oid);
return -ENOPKG;
@@ -269,6 +272,10 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
ctx->sinfo->sig->pkey_algo = "rsa";
ctx->sinfo->sig->encoding = "pkcs1";
break;
+ case OID_SM2_with_SM3:
+ ctx->sinfo->sig->pkey_algo = "sm2";
+ ctx->sinfo->sig->encoding = "raw";
+ break;
default:
printk("Unsupported pkey algo: %u\n", ctx->last_oid);
return -ENOPKG;
--
2.19.1.3.ge56e4f7
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH v2 2/2] init/Kconfig: support sign module with SM2-with-SM3 algorithm
2021-03-24 12:15 [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm Tianjia Zhang
2021-03-24 12:15 ` [PATCH v2 1/2] pkcs7: make parser enable SM2 and SM3 algorithms combination Tianjia Zhang
@ 2021-03-24 12:15 ` Tianjia Zhang
2021-04-07 3:29 ` [PATCH v2 0/2] " Tianjia Zhang
2 siblings, 0 replies; 4+ messages in thread
From: Tianjia Zhang @ 2021-03-24 12:15 UTC (permalink / raw)
To: David Howells, Herbert Xu, David S. Miller, David Woodhouse,
Jonathan Corbet, Masahiro Yamada, Andrew Morton,
Nathan Chancellor, Kees Cook, Nick Desaulniers,
Valentin Schneider, Nick Terrell, KP Singh, Johannes Weiner,
Vlastimil Babka, keyrings, linux-doc, linux-kernel, linux-crypto,
Jia Zhang
Cc: Tianjia Zhang
The kernel module signature supports the option to use the SM3 secure
hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
The former is used for signing and the latter is used for hash
calculation.
To sign a kernel module, first, prepare a configuration file
openssl.cnf with the following content:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_req
[ req_distinguished_name ]
C = CN
ST = HangZhou
L = foo
O = Test
OU = Test
CN = Test key
emailAddress = test@foo.com
[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
Then we can use the following method to sign module with SM2-with-SM3
algorithm combination:
# generate CA key and self-signed CA certificate
openssl ecparam -genkey -name SM2 -text -out ca.key
openssl req -new -x509 -days 3650 -key ca.key \
-sm3 -sigopt "distid:1234567812345678" \
-subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \
-config openssl.cnf -out ca.crt
# generate SM2 private key and sign request
openssl ecparam -genkey -name SM2 -text -out private.pem
openssl req -new -key private.pem -config openssl.cnf \
-sm3 -sigopt "distid:1234567812345678" -out csr.pem
# generate SM2-with-SM3 certificate signed by CA
openssl x509 -req -days 3650 -sm3 -in csr.pem \
-sigopt "distid:1234567812345678" \
-vfyopt "distid:1234567812345678" \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile openssl.cnf -extensions v3_req \
-out cert.pem
# sign module with SM2-with-SM3 algorithm
sign-file sm3 private.pem cert.pem test.ko test.ko.signed
At this point, we should built the CA certificate into the kernel, and
then we can load the SM2-with-SM3 signed module normally.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
Documentation/admin-guide/module-signing.rst | 5 +++--
init/Kconfig | 5 +++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..8d8980808b5b 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -30,8 +30,8 @@ This facility uses X.509 ITU-T standard certificates to encode the public keys
involved. The signatures are not themselves encoded in any industrial standard
type. The facility currently only supports the RSA public key encryption
standard (though it is pluggable and permits others to be used). The possible
-hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
-SHA-512 (the algorithm is selected by data in the signature).
+hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
+and SM3 (the algorithm is selected by data in the signature).
==========================
@@ -86,6 +86,7 @@ This has a number of options available:
``CONFIG_MODULE_SIG_SHA256`` :menuselection:`Sign modules with SHA-256`
``CONFIG_MODULE_SIG_SHA384`` :menuselection:`Sign modules with SHA-384`
``CONFIG_MODULE_SIG_SHA512`` :menuselection:`Sign modules with SHA-512`
+ ``CONFIG_MODULE_SIG_SM3`` :menuselection:`Sign modules with SM3`
=============================== ==========================================
The algorithm selected here will also be built into the kernel (rather
diff --git a/init/Kconfig b/init/Kconfig
index 5f5c776ef192..fed9236078e4 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2202,6 +2202,10 @@ config MODULE_SIG_SHA512
bool "Sign modules with SHA-512"
select CRYPTO_SHA512
+config MODULE_SIG_SM3
+ bool "Sign modules with SM3"
+ select CRYPTO_SM3
+
endchoice
config MODULE_SIG_HASH
@@ -2212,6 +2216,7 @@ config MODULE_SIG_HASH
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
+ default "sm3" if MODULE_SIG_SM3
config MODULE_COMPRESS
bool "Compress modules on installation"
--
2.19.1.3.ge56e4f7
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm
2021-03-24 12:15 [PATCH v2 0/2] support sign module with SM2-with-SM3 algorithm Tianjia Zhang
2021-03-24 12:15 ` [PATCH v2 1/2] pkcs7: make parser enable SM2 and SM3 algorithms combination Tianjia Zhang
2021-03-24 12:15 ` [PATCH v2 2/2] init/Kconfig: support sign module with SM2-with-SM3 algorithm Tianjia Zhang
@ 2021-04-07 3:29 ` Tianjia Zhang
2 siblings, 0 replies; 4+ messages in thread
From: Tianjia Zhang @ 2021-04-07 3:29 UTC (permalink / raw)
To: David Howells, Herbert Xu, David S. Miller, David Woodhouse,
Jonathan Corbet, Masahiro Yamada, Andrew Morton,
Nathan Chancellor, Kees Cook, Nick Desaulniers,
Valentin Schneider, Nick Terrell, KP Singh, Johannes Weiner,
Vlastimil Babka, keyrings, linux-doc, linux-kernel, linux-crypto,
Jia Zhang
ping.
Thanks,
Tianjia
On 3/24/21 8:15 PM, Tianjia Zhang wrote:
> The kernel module signature supports the option to use the SM3 secure
> hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
> The former is used for signing and the latter is used for hash
> calculation.
>
> To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a
> configuration file openssl.cnf with the following content:
>
> [ req ]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> prompt = no
> string_mask = utf8only
> x509_extensions = v3_req
>
> [ req_distinguished_name ]
> C = CN
> ST = HangZhou
> L = foo
> O = Test
> OU = Test
> CN = Test key
> emailAddress = test@foo.com
>
> [ v3_req ]
> basicConstraints=critical,CA:FALSE
> keyUsage=digitalSignature
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always
>
> Then we can use the following method to sign module with SM2-with-SM3
> algorithm combination:
>
> # generate CA key and self-signed CA certificate
> openssl ecparam -genkey -name SM2 -text -out ca.key
> openssl req -new -x509 -days 3650 -key ca.key \
> -sm3 -sigopt "distid:1234567812345678" \
> -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \
> -config openssl.cnf -out ca.crt
>
> # generate SM2 private key and sign request
> openssl ecparam -genkey -name SM2 -text -out private.pem
> openssl req -new -key private.pem -config openssl.cnf \
> -sm3 -sigopt "distid:1234567812345678" -out csr.pem
>
> # generate SM2-with-SM3 certificate signed by CA
> openssl x509 -req -days 3650 -sm3 -in csr.pem \
> -sigopt "distid:1234567812345678" \
> -vfyopt "distid:1234567812345678" \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -extfile openssl.cnf -extensions v3_req \
> -out cert.pem
>
> # sign module with SM2-with-SM3 algorithm
> sign-file sm3 private.pem cert.pem test.ko test.ko.signed
>
> At this point, we should built the CA certificate into the kernel, and
> then we can load the SM2-with-SM3 signed module normally.
>
> ---
> v2 change:
> - split one patch into twos.
> - richer commit log.
>
> Tianjia Zhang (2):
> pkcs7: make parser enable SM2 and SM3 algorithms combination
> init/Kconfig: support sign module with SM2-with-SM3 algorithm
>
> Documentation/admin-guide/module-signing.rst | 5 +++--
> crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++
> init/Kconfig | 5 +++++
> 3 files changed, 15 insertions(+), 2 deletions(-)
>
^ permalink raw reply [flat|nested] 4+ messages in thread