* [PATCH 0/3] Add support for ML-DSA signature for EVM and IMA
@ 2026-04-05 23:12 Stefan Berger
2026-04-05 23:12 ` [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys Stefan Berger
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Stefan Berger @ 2026-04-05 23:12 UTC (permalink / raw)
To: linux-integrity, linux-security-module
Cc: linux-kernel, zohar, roberto.sassu, ebiggers, Stefan Berger
Based on IMA sigv3 type of signatures, add support for ML-DSA signature
for EVM and IMA. Use the existing ML-DSA hashless signing mode (pure mode).
Stefan
Stefan Berger (3):
crypto: public_key: Remove check for valid hash_algo for ML-DSA keys
integrity: Refactor asymmetric_verify for reusability
integrity: Add support for sigv3 verification using ML-DSA keys
crypto/asymmetric_keys/public_key.c | 5 -
security/integrity/digsig_asymmetric.c | 126 +++++++++++++++++++++----
2 files changed, 107 insertions(+), 24 deletions(-)
base-commit: 82bbd447199ff1441031d2eaf9afe041550cf525
--
2.53.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys
2026-04-05 23:12 [PATCH 0/3] Add support for ML-DSA signature for EVM and IMA Stefan Berger
@ 2026-04-05 23:12 ` Stefan Berger
2026-04-06 16:53 ` Eric Biggers
2026-04-05 23:12 ` [PATCH 2/3] integrity: Refactor asymmetric_verify for reusability Stefan Berger
2026-04-05 23:12 ` [PATCH 3/3] integrity: Add support for sigv3 verification using ML-DSA keys Stefan Berger
2 siblings, 1 reply; 6+ messages in thread
From: Stefan Berger @ 2026-04-05 23:12 UTC (permalink / raw)
To: linux-integrity, linux-security-module
Cc: linux-kernel, zohar, roberto.sassu, ebiggers, Stefan Berger,
David Howells, Lukas Wunner, Ignat Korchagin, keyrings,
linux-crypto
Remove the check for the hash_algo since ML-DSA is only used in pure mode
and there is no relevance of a hash_algo for the input data.
Cc: David Howells <dhowells@redhat.com>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Ignat Korchagin <ignat@linux.win>
Cc: keyrings@vger.kernel.org
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
crypto/asymmetric_keys/public_key.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 09a0b83d5d77..df6918a77ab8 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -147,11 +147,6 @@ software_key_determine_akcipher(const struct public_key *pkey,
strcmp(pkey->pkey_algo, "mldsa87") == 0) {
if (strcmp(encoding, "raw") != 0)
return -EINVAL;
- if (!hash_algo)
- return -EINVAL;
- if (strcmp(hash_algo, "none") != 0 &&
- strcmp(hash_algo, "sha512") != 0)
- return -EINVAL;
} else {
/* Unknown public key algorithm */
return -ENOPKG;
--
2.53.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] integrity: Refactor asymmetric_verify for reusability
2026-04-05 23:12 [PATCH 0/3] Add support for ML-DSA signature for EVM and IMA Stefan Berger
2026-04-05 23:12 ` [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys Stefan Berger
@ 2026-04-05 23:12 ` Stefan Berger
2026-04-05 23:12 ` [PATCH 3/3] integrity: Add support for sigv3 verification using ML-DSA keys Stefan Berger
2 siblings, 0 replies; 6+ messages in thread
From: Stefan Berger @ 2026-04-05 23:12 UTC (permalink / raw)
To: linux-integrity, linux-security-module
Cc: linux-kernel, zohar, roberto.sassu, ebiggers, Stefan Berger
Refactor asymmetric_verify for reusability. Have it call
asymmetric_verify_common with the signature verification key and the
public_key structure as parameters. sigv3 support for ML-DSA will need to
check the public key type first to decide how to do the signature
verification and therefore will have these parameters available for
calling asymmetric_verify_common.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/integrity/digsig_asymmetric.c | 42 +++++++++++++++++---------
1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6e68ec3becbd..e29ed73f15cd 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -79,18 +79,15 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
return key;
}
-int asymmetric_verify(struct key *keyring, const char *sig,
- int siglen, const char *data, int datalen)
+static int asymmetric_verify_common(const struct key *key,
+ const struct public_key *pk,
+ const char *sig, int siglen,
+ const char *data, int datalen)
{
- struct public_key_signature pks;
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
- const struct public_key *pk;
- struct key *key;
+ struct public_key_signature pks;
int ret;
- if (siglen <= sizeof(*hdr))
- return -EBADMSG;
-
siglen -= sizeof(*hdr);
if (siglen != be16_to_cpu(hdr->sig_size))
@@ -99,15 +96,10 @@ int asymmetric_verify(struct key *keyring, const char *sig,
if (hdr->hash_algo >= HASH_ALGO__LAST)
return -ENOPKG;
- key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
- if (IS_ERR(key))
- return PTR_ERR(key);
-
memset(&pks, 0, sizeof(pks));
pks.hash_algo = hash_algo_name[hdr->hash_algo];
- pk = asymmetric_key_public_key(key);
pks.pkey_algo = pk->pkey_algo;
if (!strcmp(pk->pkey_algo, "rsa")) {
pks.encoding = "pkcs1";
@@ -127,11 +119,33 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.s_size = siglen;
ret = verify_signature(key, &pks);
out:
- key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
return ret;
}
+int asymmetric_verify(struct key *keyring, const char *sig,
+ int siglen, const char *data, int datalen)
+{
+ struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
+ const struct public_key *pk;
+ struct key *key;
+ int ret;
+
+ if (siglen <= sizeof(*hdr))
+ return -EBADMSG;
+
+ key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
+ if (IS_ERR(key))
+ return PTR_ERR(key);
+ pk = asymmetric_key_public_key(key);
+
+ ret = asymmetric_verify_common(key, pk, sig, siglen, data, datalen);
+
+ key_put(key);
+
+ return ret;
+}
+
/*
* calc_file_id_hash - calculate the hash of the ima_file_id struct data
* @type: xattr type [enum evm_ima_xattr_type]
--
2.53.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] integrity: Add support for sigv3 verification using ML-DSA keys
2026-04-05 23:12 [PATCH 0/3] Add support for ML-DSA signature for EVM and IMA Stefan Berger
2026-04-05 23:12 ` [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys Stefan Berger
2026-04-05 23:12 ` [PATCH 2/3] integrity: Refactor asymmetric_verify for reusability Stefan Berger
@ 2026-04-05 23:12 ` Stefan Berger
2 siblings, 0 replies; 6+ messages in thread
From: Stefan Berger @ 2026-04-05 23:12 UTC (permalink / raw)
To: linux-integrity, linux-security-module
Cc: linux-kernel, zohar, roberto.sassu, ebiggers, Stefan Berger
Add support for sigv3 signature verification using ML-DSA in pure mode.
When a sigv3 signature is verified, first check whether the key to use
for verification is an ML-DSA key and therefore uses a hashless signature
verification scheme. The hashless signature verification method uses the
ima_file_id structure directly for signature verification rather than
its digest.
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/integrity/digsig_asymmetric.c | 84 ++++++++++++++++++++++++--
1 file changed, 79 insertions(+), 5 deletions(-)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index e29ed73f15cd..e25534117c16 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -190,17 +190,91 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
return rc;
}
+/*
+ * asymmetric_verify_v3_hashless - Use hashless signature verification on sigv3
+ * @key: The key to use for signature verification
+ * @pk: The associated public key
+ * @encoding: The encoding the key type uses
+ * @sig: The signature
+ * @siglen: The length of the xattr signature
+ * @algo: The hash algorithm
+ * @digest: The file digest
+ *
+ * Create an ima_file_id structure and use it for signature verification
+ * directly. This can be used for ML-DSA in pure mode for example.
+ */
+static int asymmetric_verify_v3_hashless(struct key *key,
+ const struct public_key *pk,
+ const char *encoding,
+ const char *sig, int siglen,
+ u8 algo,
+ const u8 *digest)
+{
+ struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
+ struct ima_file_id file_id = {
+ .hash_type = hdr->type,
+ .hash_algorithm = algo,
+ };
+ size_t digest_size = hash_digest_size[algo];
+ struct public_key_signature pks = {
+ .m = (u8 *)&file_id,
+ .m_size = sizeof(file_id) - (HASH_MAX_DIGESTSIZE - digest_size),
+ .s = hdr->sig,
+ .s_size = siglen - sizeof(*hdr),
+ .pkey_algo = pk->pkey_algo,
+ .hash_algo = hash_algo_name[hdr->hash_algo],
+ .encoding = encoding,
+ };
+ int ret;
+
+ if (hdr->type != IMA_VERITY_DIGSIG &&
+ hdr->type != EVM_IMA_XATTR_DIGSIG &&
+ hdr->type != EVM_XATTR_PORTABLE_DIGSIG)
+ return -EINVAL;
+
+ if (pks.s_size != be16_to_cpu(hdr->sig_size))
+ return -EBADMSG;
+
+ memcpy(file_id.hash, digest, digest_size);
+
+ ret = verify_signature(key, &pks);
+ pr_debug("%s() = %d\n", __func__, ret);
+ return ret;
+}
+
int asymmetric_verify_v3(struct key *keyring, const char *sig, int siglen,
const char *data, int datalen, u8 algo)
{
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
struct ima_max_digest_data hash;
+ const struct public_key *pk;
+ struct key *key;
int rc;
- rc = calc_file_id_hash(hdr->type, algo, data, &hash);
- if (rc)
- return -EINVAL;
+ if (siglen <= sizeof(*hdr))
+ return -EBADMSG;
+
+ key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
+ if (IS_ERR(key))
+ return PTR_ERR(key);
- return asymmetric_verify(keyring, sig, siglen, hash.digest,
- hash.hdr.length);
+ pk = asymmetric_key_public_key(key);
+ if (!strncmp(pk->pkey_algo, "mldsa", 5)) {
+ rc = asymmetric_verify_v3_hashless(key, pk, "raw",
+ sig, siglen, algo, data);
+ } else {
+ rc = calc_file_id_hash(hdr->type, algo, data, &hash);
+ if (rc) {
+ rc = -EINVAL;
+ goto err_exit;
+ }
+
+ rc = asymmetric_verify_common(key, pk, sig, siglen, hash.digest,
+ hash.hdr.length);
+ }
+
+err_exit:
+ key_put(key);
+
+ return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys
2026-04-05 23:12 ` [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys Stefan Berger
@ 2026-04-06 16:53 ` Eric Biggers
2026-04-08 17:25 ` Stefan Berger
0 siblings, 1 reply; 6+ messages in thread
From: Eric Biggers @ 2026-04-06 16:53 UTC (permalink / raw)
To: Stefan Berger
Cc: linux-integrity, linux-security-module, linux-kernel, zohar,
roberto.sassu, David Howells, Lukas Wunner, Ignat Korchagin,
keyrings, linux-crypto
On Sun, Apr 05, 2026 at 07:12:22PM -0400, Stefan Berger wrote:
> Remove the check for the hash_algo since ML-DSA is only used in pure mode
> and there is no relevance of a hash_algo for the input data.
>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Lukas Wunner <lukas@wunner.de>
> Cc: Ignat Korchagin <ignat@linux.win>
> Cc: keyrings@vger.kernel.org
> Cc: linux-crypto@vger.kernel.org
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> crypto/asymmetric_keys/public_key.c | 5 -----
> 1 file changed, 5 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
> index 09a0b83d5d77..df6918a77ab8 100644
> --- a/crypto/asymmetric_keys/public_key.c
> +++ b/crypto/asymmetric_keys/public_key.c
> @@ -147,11 +147,6 @@ software_key_determine_akcipher(const struct public_key *pkey,
> strcmp(pkey->pkey_algo, "mldsa87") == 0) {
> if (strcmp(encoding, "raw") != 0)
> return -EINVAL;
> - if (!hash_algo)
> - return -EINVAL;
> - if (strcmp(hash_algo, "none") != 0 &&
> - strcmp(hash_algo, "sha512") != 0)
> - return -EINVAL;
Does this broaden which hash algorithms are accepted for CMS signatures
that use ML-DSA and contain signed attributes?
- Eric
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys
2026-04-06 16:53 ` Eric Biggers
@ 2026-04-08 17:25 ` Stefan Berger
0 siblings, 0 replies; 6+ messages in thread
From: Stefan Berger @ 2026-04-08 17:25 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-integrity, linux-security-module, linux-kernel, zohar,
roberto.sassu, David Howells, Lukas Wunner, Ignat Korchagin,
keyrings, linux-crypto
On 4/6/26 12:53 PM, Eric Biggers wrote:
> On Sun, Apr 05, 2026 at 07:12:22PM -0400, Stefan Berger wrote:
>> Remove the check for the hash_algo since ML-DSA is only used in pure mode
>> and there is no relevance of a hash_algo for the input data.
>>
>> Cc: David Howells <dhowells@redhat.com>
>> Cc: Lukas Wunner <lukas@wunner.de>
>> Cc: Ignat Korchagin <ignat@linux.win>
>> Cc: keyrings@vger.kernel.org
>> Cc: linux-crypto@vger.kernel.org
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> crypto/asymmetric_keys/public_key.c | 5 -----
>> 1 file changed, 5 deletions(-)
>>
>> diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
>> index 09a0b83d5d77..df6918a77ab8 100644
>> --- a/crypto/asymmetric_keys/public_key.c
>> +++ b/crypto/asymmetric_keys/public_key.c
>> @@ -147,11 +147,6 @@ software_key_determine_akcipher(const struct public_key *pkey,
>> strcmp(pkey->pkey_algo, "mldsa87") == 0) {
>> if (strcmp(encoding, "raw") != 0)
>> return -EINVAL;
>> - if (!hash_algo)
>> - return -EINVAL;
>> - if (strcmp(hash_algo, "none") != 0 &&
>> - strcmp(hash_algo, "sha512") != 0)
>> - return -EINVAL;
>
> Does this broaden which hash algorithms are accepted for CMS signatures
> that use ML-DSA and contain signed attributes?
Right... dropping this patch and using the "none" route now.
>
> - Eric
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-08 17:30 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-05 23:12 [PATCH 0/3] Add support for ML-DSA signature for EVM and IMA Stefan Berger
2026-04-05 23:12 ` [PATCH 1/3] crypto: public_key: Remove check for valid hash_algo for ML-DSA keys Stefan Berger
2026-04-06 16:53 ` Eric Biggers
2026-04-08 17:25 ` Stefan Berger
2026-04-05 23:12 ` [PATCH 2/3] integrity: Refactor asymmetric_verify for reusability Stefan Berger
2026-04-05 23:12 ` [PATCH 3/3] integrity: Add support for sigv3 verification using ML-DSA keys Stefan Berger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.