Keyrings Archive mirror
From: David Howells <dhowells@redhat.com>
To: Petr Pavlu <petr.pavlu@suse.com>
Cc: dhowells@redhat.com, Eric Biggers <ebiggers@kernel.org>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Stephan Mueller <smueller@chronox.de>,
	Lukas Wunner <lukas@wunner.de>,
	Ignat Korchagin <ignat@cloudflare.com>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Daniel Gomez <da.gomez@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>,
	linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
	linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 17/17] modsign: Enable ML-DSA module signing
Date: Thu, 06 Nov 2025 17:37:42 +0000
Message-ID: <31211.1762450662@warthog.procyon.org.uk>
In-Reply-To: <81080a24-e4a9-4287-8653-9d707e574d95@suse.com>

Petr Pavlu <petr.pavlu@suse.com> wrote:

> This update looks ok to me. However, I'll note some problems that
> I noticed in the original text, notably:
> 
> The text doesn't match the implementation because kernel/module/Kconfig
> still allows selecting SHA-1 for module signing. What happened is that
> commit 16ab7cb5825f ("crypto: pkcs7 - remove sha1 support") initially
> removed CONFIG_MODULE_SIG_SHA1. Then, commit f2b88bab69c8
> ("Documentation/module-signing.txt: bring up to date") removed it from
> the documentation. However, commit 203a6763ab69 ("Revert "crypto: pkcs7
> - remove sha1 support"") brought back CONFIG_MODULE_SIG_SHA1 without
> reverting the documentation update.
> 
> Another problem is that for MODULE_SIG_KEY_TYPE_ECDSA, certs/Kconfig
> contains the line
> "depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)",
> which intends to allow ECDSA only with MODULE_SIG_SHA384,
> MODULE_SIG_SHA512, MODULE_SIG_SHA3_384 and MODULE_SIG_SHA3_512. This
> restriction was added in commit d4f5bfe20da9 ("certs: Limit
> MODULE_SIG_KEY_TYPE_ECDSA to SHA384 or SHA512") and 446b1e0b7b39
> ("module: enable automatic module signing with FIPS 202 SHA-3").
> However, the documentation suggests that ECDSA can still be used with
> SHA-2/3 of size 256.
> 
> I'll prepare fixes for these issues. For the first problem, I think we
> can drop CONFIG_MODULE_SIG_SHA1 instead of correcting the documentation.

Sounds good.

> > +	  Use an ML-DSA (Dilithium) 87 key (NIST FIPS 204) for module signing
> > +	  with a SHAKE256 'hash' of the message.
> 
> Copy-and-paste error in the help message: 87 -> 44.
> ...
> Similarly here: 87 -> 65.

Fixed.

> Should all MODULE_SIG_KEY_TYPE_ML_DSA_* options depend on
> MODULE_SIG_SHAKE256 to match the updated
> Documentation/admin-guide/module-signing.rst?
> 
> Similarly, do MODULE_SIG_KEY_TYPE_RSA and MODULE_SIG_KEY_TYPE_ECDSA
> require any "depends on" update with respect to the addition of
> MODULE_SIG_SHAKE256?

Um.  In theory ML-DSA can use hashes other than SHAKE256, but I'm not sure
that OIDs exist yet to indicate that.  Also, I'm not sure how to implement the
crypto API interface such that you can ask for, say, "ml-dsa87(sha512)" from
crypto_sig.

Anyway, for the moment, I'm going to post a v7 as I've made some substantial
cleanups.

David
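As an added example (not code from this thread or from the kernel tree), a small Python checker that applies the constraints Petr describes to a kernel .config: the ECDSA hash restriction from certs/Kconfig, the still-selectable CONFIG_MODULE_SIG_SHA1, and, as an assumption, the ML-DSA-requires-SHAKE256 dependency he asks about. The sample .config fragment is constructed.

```python
"""Check a kernel .config for the module-signing constraints discussed above."""
import re

# Hashes ECDSA keys may be paired with, per certs/Kconfig's
# "depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)" quoted above.
ECDSA_HASHES = {"SHA384", "SHA512", "SHA3_384", "SHA3_512"}
# Assumption: ML-DSA key types are treated as requiring MODULE_SIG_SHAKE256,
# the dependency Petr asks about; the thread does not settle this.
ML_DSA_HASHES = {"SHAKE256"}

def parse_config(text):
    """Return the set of CONFIG_* symbols set to 'y' in a .config fragment."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r"CONFIG_([A-Z0-9_]+)=y$", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled

def check_modsig(enabled):
    """Return a list of problems found in the selected module-signing options."""
    problems = []
    if "MODULE_SIG" not in enabled:
        return problems  # module signing off; nothing to check
    # Every hash choice symbol (SHA1, SHA256, SHA3_256, SHAKE256, ...) shares
    # the MODULE_SIG_SHA prefix, and a Kconfig choice selects exactly one.
    hashes = {s[len("MODULE_SIG_"):] for s in enabled if s.startswith("MODULE_SIG_SHA")}
    if len(hashes) != 1:
        return ["expected exactly one MODULE_SIG_<hash> choice, got %s" % sorted(hashes)]
    (h,) = hashes
    keys = {s for s in enabled if s.startswith("MODULE_SIG_KEY_TYPE_")}
    if h == "SHA1":
        problems.append("SHA1 is still selectable in Kconfig but no longer documented")
    if "MODULE_SIG_KEY_TYPE_ECDSA" in keys and h not in ECDSA_HASHES:
        problems.append("ECDSA requires one of %s, got %s" % (sorted(ECDSA_HASHES), h))
    if any(k.startswith("MODULE_SIG_KEY_TYPE_ML_DSA") for k in keys) and h not in ML_DSA_HASHES:
        problems.append("ML-DSA key type selected without MODULE_SIG_SHAKE256, got %s" % h)
    return problems

# Constructed sample .config fragment (not from the thread): the combination
# the documentation suggests is allowed but certs/Kconfig rejects.
SAMPLE_CONFIG = """\
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
"""
```

Running `check_modsig(parse_config(open("/path/to/.config").read()))` reports the same mismatch on a real tree's configuration.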



Thread overview: 23+ messages
2025-10-17 14:42 [PATCH v6 00/17] lib/crypto: Move SHA3 to lib/crypto, add SHAKE* and add ML-DSA signing David Howells
2025-10-17 14:42 ` [PATCH v6 01/17] s390/sha3: Rename conflicting functions David Howells
2025-10-18  8:59   ` Christophe Leroy
2025-10-18 12:17     ` David Howells
2025-10-17 14:42 ` [PATCH v6 02/17] arm64/sha3: " David Howells
2025-10-18  9:00   ` Christophe Leroy
2025-10-17 14:42 ` [PATCH v6 03/17] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 David Howells
2025-10-17 14:42 ` [PATCH v6 04/17] lib/crypto: Move the SHA3 Iota transform into the single round function David Howells
2025-10-17 14:42 ` [PATCH v6 05/17] lib/crypto: Add SHA3 kunit tests David Howells
2025-10-17 14:42 ` [PATCH v6 06/17] crypto/jitterentropy: Use lib/crypto/sha3 David Howells
2025-10-17 14:42 ` [PATCH v6 07/17] crypto/sha3: " David Howells
2025-10-17 14:42 ` [PATCH v6 08/17] crypto/sha3: Add SHAKE128/256 support David Howells
2025-10-17 14:42 ` [PATCH v6 09/17] crypto: SHAKE tests David Howells
2025-10-17 14:42 ` [PATCH v6 10/17] crypto: Add ML-DSA/Dilithium support David Howells
2025-10-17 14:42 ` [PATCH v6 11/17] crypto: Add ML-DSA/Dilithium keypair generation support David Howells
2025-10-17 14:42 ` [PATCH v6 12/17] crypto: Add ML-DSA-44 pure rejection test vectors as a kunit test David Howells
2025-10-17 14:42 ` [PATCH v6 13/17] crypto: Add ML-DSA-65 " David Howells
2025-10-17 14:42 ` [PATCH v6 14/17] crypto: Add ML-DSA-87 " David Howells
2025-10-17 14:42 ` [PATCH v6 15/17] pkcs7: Allow the signing algo to calculate the digest itself David Howells
2025-10-17 14:43 ` [PATCH v6 16/17] pkcs7, x509: Add ML-DSA support David Howells
2025-10-17 14:43 ` [PATCH v6 17/17] modsign: Enable ML-DSA module signing David Howells
2025-10-21 13:51   ` Petr Pavlu
2025-11-06 17:37     ` David Howells [this message]
