ping. Thanks, Tianjia
On 3/24/21 8:15 PM, Tianjia Zhang wrote:
The kernel module signature supports the option to use the SM3 secure hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs. The former is used for signing and the latter is used for hash calculation. To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a configuration file openssl.cnf with the following content: [ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_req [ req_distinguished_name ] C = CN ST = HangZhou L = foo O = Test OU = Test CN = Test key emailAddress = t...@foo.com [ v3_req ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always Then we can use the following method to sign module with SM2-with-SM3 algorithm combination: # generate CA key and self-signed CA certificate openssl ecparam -genkey -name SM2 -text -out ca.key openssl req -new -x509 -days 3650 -key ca.key \ -sm3 -sigopt "distid:1234567812345678" \ -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=c...@foo.com" \ -config openssl.cnf -out ca.crt # generate SM2 private key and sign request openssl ecparam -genkey -name SM2 -text -out private.pem openssl req -new -key private.pem -config openssl.cnf \ -sm3 -sigopt "distid:1234567812345678" -out csr.pem # generate SM2-with-SM3 certificate signed by CA openssl x509 -req -days 3650 -sm3 -in csr.pem \ -sigopt "distid:1234567812345678" \ -vfyopt "distid:1234567812345678" \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile openssl.cnf -extensions v3_req \ -out cert.pem # sign module with SM2-with-SM3 algorithm sign-file sm3 private.pem cert.pem test.ko test.ko.signed At this point, we should built the CA certificate into the kernel, and then we can load the SM2-with-SM3 signed module normally. --- v2 change: - split one patch into twos. - richer commit log. Tianjia Zhang (2): pkcs7: make parser enable SM2 and SM3 algorithms combination init/Kconfig: support sign module with SM2-with-SM3 algorithm Documentation/admin-guide/module-signing.rst | 5 +++-- crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++ init/Kconfig | 5 +++++ 3 files changed, 15 insertions(+), 2 deletions(-)