Add Kconfig options to use SHA-3 for kernel module signing. 256 size for RSA only, and higher sizes for RSA and NIST P-384.
Signed-off-by: Dimitri John Ledkov <dimitri.led...@canonical.com> --- certs/Kconfig | 2 +- kernel/module/Kconfig | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/certs/Kconfig b/certs/Kconfig index 84582de66b..69d192a32d 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -30,7 +30,7 @@ config MODULE_SIG_KEY_TYPE_RSA config MODULE_SIG_KEY_TYPE_ECDSA bool "ECDSA" select CRYPTO_ECDSA - depends on MODULE_SIG_SHA384 || MODULE_SIG_SHA512 + depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256) help Use an elliptic curve key (NIST P384) for module signing. Use a strong hash of same or higher bit length, i.e. sha384 or diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 9d7d45525f..0ea1b2970a 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -248,6 +248,18 @@ config MODULE_SIG_SHA512 bool "Sign modules with SHA-512" select CRYPTO_SHA512 +config MODULE_SIG_SHA3_256 + bool "Sign modules with SHA3-256" + select CRYPTO_SHA3 + +config MODULE_SIG_SHA3_384 + bool "Sign modules with SHA3-384" + select CRYPTO_SHA3 + +config MODULE_SIG_SHA3_512 + bool "Sign modules with SHA3-512" + select CRYPTO_SHA3 + endchoice config MODULE_SIG_HASH @@ -256,6 +268,9 @@ config MODULE_SIG_HASH default "sha256" if MODULE_SIG_SHA256 default "sha384" if MODULE_SIG_SHA384 default "sha512" if MODULE_SIG_SHA512 + default "sha3-256" if MODULE_SIG_SHA3_256 + default "sha3-384" if MODULE_SIG_SHA3_384 + default "sha3-512" if MODULE_SIG_SHA3_512 choice prompt "Module compression mode" -- 2.34.1