ping.

Thanks,
Tianjia

On 3/24/21 8:15 PM, Tianjia Zhang wrote:
The kernel module signature supports the option to use the SM3 secure
hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
The former is used for signing and the latter is used for hash
calculation.

To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a
configuration file openssl.cnf with the following content:

   [ req ]
   default_bits = 2048
   distinguished_name = req_distinguished_name
   prompt = no
   string_mask = utf8only
   x509_extensions = v3_req

   [ req_distinguished_name ]
   C = CN
   ST = HangZhou
   L = foo
   O = Test
   OU = Test
   CN = Test key
   emailAddress = t...@foo.com

   [ v3_req ]
   basicConstraints=critical,CA:FALSE
   keyUsage=digitalSignature
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid:always

Then we can use the following method to sign a module with the SM2-with-SM3
algorithm combination:

   # generate CA key and self-signed CA certificate
   openssl ecparam -genkey -name SM2 -text -out ca.key
   openssl req -new -x509 -days 3650 -key ca.key \
       -sm3 -sigopt "distid:1234567812345678" \
       -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=c...@foo.com" \
       -config openssl.cnf -out ca.crt

   # generate SM2 private key and sign request
   openssl ecparam -genkey -name SM2 -text -out private.pem
   openssl req -new -key private.pem -config openssl.cnf \
       -sm3 -sigopt "distid:1234567812345678" -out csr.pem

   # generate SM2-with-SM3 certificate signed by CA
   openssl x509 -req -days 3650 -sm3 -in csr.pem \
       -sigopt "distid:1234567812345678" \
       -vfyopt "distid:1234567812345678" \
       -CA ca.crt -CAkey ca.key -CAcreateserial \
       -extfile openssl.cnf -extensions v3_req \
       -out cert.pem

   # sign module with SM2-with-SM3 algorithm
   sign-file sm3 private.pem cert.pem test.ko test.ko.signed

At this point, we should build the CA certificate into the kernel, and
then we can load the SM2-with-SM3 signed module normally.

---
v2 change:
   - split one patch into two.
   - richer commit log.

Tianjia Zhang (2):
   pkcs7: make parser enable SM2 and SM3 algorithms combination
   init/Kconfig: support sign module with SM2-with-SM3 algorithm

  Documentation/admin-guide/module-signing.rst | 5 +++--
  crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
  init/Kconfig                                 | 5 +++++
  3 files changed, 15 insertions(+), 2 deletions(-)
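Added example, not part of Tianjia's series: a small Python inspector for the trailer that sign-file appends (module body, PKCS#7 DER, struct module_signature, magic string), with a check that the PKCS#7 blob carries the SM3 digest and SM2-with-SM3 signature OIDs the kernel's pkcs7 parser is being taught to accept. The struct layout, the PKEY_ID_PKCS7 value and the OIDs are taken from the kernel's module_signature definition and OID registry; the function names and the sample blob are my own constructions.

```python
"""Inspect the trailer sign-file appends: <module><PKCS#7 DER><module_signature><magic>."""
import struct

MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
SM3_OID = "1.2.156.10197.1.401"           # digest algorithm OID (OID_sm3)
SM2_WITH_SM3_OID = "1.2.156.10197.1.501"  # signature algorithm OID (OID_SM2_with_SM3)

def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        content.extend(reversed(chunk))
    return b"\x06" + bytes([len(content)]) + bytes(content)

def append_signature(module, pkcs7_der):
    """Mirror sign-file's output layout so a sample can be built without a real key."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + hdr + MAGIC

def split_signed_module(blob):
    """Return (module_bytes, pkcs7_der); raise ValueError on a malformed trailer."""
    if not blob.endswith(MAGIC):
        raise ValueError("no module signature magic")
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    # The kernel's mod_check_sig() requires the PKCS#7 id_type and zeroed legacy fields.
    if id_type != PKEY_ID_PKCS7 or (algo, hsh, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("unexpected module_signature fields")
    body = body[:-SIG_HDR.size]
    if sig_len > len(body):
        raise ValueError("sig_len larger than the file")
    return body[:len(body) - sig_len], body[len(body) - sig_len:]

def uses_sm2_with_sm3(pkcs7_der):
    """True when the blob carries both the SM3 digest and SM2-with-SM3 signature OIDs."""
    return all(encode_oid(o) in pkcs7_der for o in (SM3_OID, SM2_WITH_SM3_OID))

if __name__ == "__main__":  # constructed sample: fake module body, stand-in blob with the two OIDs
    mod, sig = split_signed_module(append_signature(b"fake module bytes", encode_oid(SM3_OID) + encode_oid(SM2_WITH_SM3_OID)))
    print(len(mod), len(sig), uses_sm2_with_sm3(sig))  # 17 20 True
```

On a real test.ko.signed the extracted DER can be dumped with `openssl asn1parse -inform DER` to confirm the same OIDs appear in the SignerInfo.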
