From: David Howells <dhowells@redhat.com>
To: Lukas Wunner <lukas@wunner.de>, Ignat Korchagin <ignat@cloudflare.com>
Cc: David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v13 11/12] x509, pkcs7: Limit crypto combinations that may be used for module signing
Date: Tue, 20 Jan 2026 14:50:57 +0000 [thread overview]
Message-ID: <20260120145103.1176337-12-dhowells@redhat.com> (raw)
In-Reply-To: <20260120145103.1176337-1-dhowells@redhat.com>
Limit the set of crypto combinations that may be used for module signing as
no indication of hash algorithm used for signing is added to the hash of
the data, so in theory a data blob hashed with a different algorithm can be
substituted provided it has the same hash output.
This also rejects the use of less secure algorithms.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Lukas Wunner <lukas@wunner.de>
cc: Ignat Korchagin <ignat@cloudflare.com>
cc: Stephan Mueller <smueller@chronox.de>
cc: Eric Biggers <ebiggers@kernel.org>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
---
crypto/asymmetric_keys/public_key.c | 55 +++++++++++++++++++++++++++--
1 file changed, 53 insertions(+), 2 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 13a5616becaa..90b98e1a952d 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -24,6 +24,52 @@ MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
MODULE_AUTHOR("Red Hat, Inc.");
MODULE_LICENSE("GPL");
+struct public_key_restriction {
+ const char *pkey_algo; /* Signing algorithm (e.g. "rsa") */
+ const char *pkey_enc; /* Signature encoding (e.g. "pkcs1") */
+ const char *hash_algo; /* Content hash algorithm (e.g. "sha256") */
+};
+
+static const struct public_key_restriction public_key_restrictions[] = {
+ /* algo encoding hash */
+ { "rsa", "pkcs1", "sha256" },
+ { "rsa", "pkcs1", "sha384" },
+ { "rsa", "pkcs1", "sha512" },
+ { "rsa", "emsa-pss", "sha512" },
+ { "ecdsa", "x962", "sha256" },
+ { "ecdsa", "x962", "sha384" },
+ { "ecdsa", "x962", "sha512" },
+ { "ecrdsa", "raw", "sha256" },
+ { "ecrdsa", "raw", "sha384" },
+ { "ecrdsa", "raw", "sha512" },
+ { "mldsa44", "raw", "sha512" },
+ { "mldsa65", "raw", "sha512" },
+ { "mldsa87", "raw", "sha512" },
+ /* ML-DSA may also do its own hashing over the entire message. */
+ { "mldsa44", "raw", "-" },
+ { "mldsa65", "raw", "-" },
+ { "mldsa87", "raw", "-" },
+};
+
+/*
+ * Determine if a particular key/hash combination is allowed.
+ */
+static int is_public_key_sig_allowed(const struct public_key_signature *sig)
+{
+ for (int i = 0; i < ARRAY_SIZE(public_key_restrictions); i++) {
+ if (strcmp(public_key_restrictions[i].pkey_algo, sig->pkey_algo) != 0)
+ continue;
+ if (strcmp(public_key_restrictions[i].pkey_enc, sig->encoding) != 0)
+ continue;
+ if (strcmp(public_key_restrictions[i].hash_algo, sig->hash_algo) != 0)
+ continue;
+ return 0;
+ }
+ pr_warn_once("Public key signature combo (%s,%s,%s) rejected\n",
+ sig->pkey_algo, sig->encoding, sig->hash_algo);
+ return -EKEYREJECTED;
+}
+
/*
* Provide a part of a description of the key for /proc/keys.
*/
@@ -391,12 +437,17 @@ int public_key_verify_signature(const struct public_key *pkey,
bool issig;
int ret;
- pr_devel("==>%s()\n", __func__);
-
BUG_ON(!pkey);
BUG_ON(!sig);
BUG_ON(!sig->s);
+ ret = is_public_key_sig_allowed(sig);
+ if (ret < 0)
+ return ret;
+
+ pr_devel("==>%s(%s,%s,%s)\n",
+ __func__, sig->pkey_algo, sig->encoding, sig->hash_algo);
+
/*
* If the signature specifies a public key algorithm, it *must* match
* the key's actual public key algorithm.
next prev parent reply other threads:[~2026-01-20 14:52 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 14:50 [PATCH v13 00/12] x509, pkcs7, crypto: Add ML-DSA and RSASSA-PSS signing David Howells
2026-01-20 14:50 ` [PATCH v13 01/12] crypto: Add ML-DSA crypto_sig support David Howells
2026-01-20 17:37 ` Jarkko Sakkinen
2026-01-20 20:52 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 02/12] pkcs7: Allow the signing algo to calculate the digest itself David Howells
2026-01-20 17:53 ` Jarkko Sakkinen
2026-01-21 12:31 ` David Howells
2026-01-24 11:46 ` Jarkko Sakkinen
2026-01-20 21:12 ` Eric Biggers
2026-01-23 11:37 ` David Howells
2026-01-20 14:50 ` [PATCH v13 03/12] pkcs7: Allow direct signing of data with ML-DSA David Howells
2026-01-20 14:50 ` [PATCH v13 04/12] pkcs7, x509: Add ML-DSA support David Howells
2026-01-20 21:17 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 05/12] modsign: Enable ML-DSA module signing David Howells
2026-01-20 21:38 ` Eric Biggers
2026-01-21 14:21 ` David Howells
2026-01-20 14:50 ` [PATCH v13 06/12] crypto: Add supplementary info param to asymmetric key signature verification David Howells
2026-01-20 14:50 ` [PATCH v13 07/12] crypto: Add RSASSA-PSS support David Howells
2026-01-20 22:41 ` Eric Biggers
2026-01-20 23:15 ` David Howells
2026-01-20 23:36 ` Eric Biggers
2026-01-21 8:11 ` Ignat Korchagin
2026-01-21 2:14 ` Eric Biggers
2026-01-21 8:15 ` Ignat Korchagin
2026-01-20 14:50 ` [PATCH v13 08/12] pkcs7, x509: " David Howells
2026-01-20 14:50 ` [PATCH v13 09/12] modsign: Enable RSASSA-PSS module signing David Howells
2026-01-20 14:50 ` [PATCH v13 10/12] pkcs7: Add FIPS selftest for RSASSA-PSS David Howells
2026-01-20 14:50 ` David Howells [this message]
2026-01-20 18:31 ` [PATCH v13 11/12] x509, pkcs7: Limit crypto combinations that may be used for module signing Ignat Korchagin
2026-01-20 18:54 ` David Howells
2026-01-20 21:51 ` Vitaly Chikunov
2026-01-20 23:18 ` David Howells
2026-01-20 22:14 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 12/12] pkcs7: Add ML-DSA FIPS selftest David Howells
2026-01-20 17:54 ` Jarkko Sakkinen
2026-01-20 17:55 ` Jarkko Sakkinen
2026-01-20 21:43 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260120145103.1176337-12-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox