From: Jarkko Sakkinen <jarkko@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v13 01/12] crypto: Add ML-DSA crypto_sig support
Date: Tue, 20 Jan 2026 19:37:51 +0200 [thread overview]
Message-ID: <aW-9b0JO_FX3P__b@kernel.org> (raw)
In-Reply-To: <20260120145103.1176337-2-dhowells@redhat.com>
On Tue, Jan 20, 2026 at 02:50:47PM +0000, David Howells wrote:
> Add verify-only public key crypto support for ML-DSA so that the
> X.509/PKCS#7 signature verification code, as used by module signing,
> amongst other things, can make use of it through the common crypto_sig API.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Eric Biggers <ebiggers@kernel.org>
> cc: Lukas Wunner <lukas@wunner.de>
> cc: Ignat Korchagin <ignat@cloudflare.com>
> cc: Stephan Mueller <smueller@chronox.de>
> cc: Herbert Xu <herbert@gondor.apana.org.au>
> cc: keyrings@vger.kernel.org
> cc: linux-crypto@vger.kernel.org
> ---
> crypto/Kconfig | 10 +++
> crypto/Makefile | 2 +
> crypto/mldsa.c | 201 ++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 213 insertions(+)
> create mode 100644 crypto/mldsa.c
>
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 12a87f7cf150..8dd5c6660c5a 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -344,6 +344,16 @@ config CRYPTO_ECRDSA
> One of the Russian cryptographic standard algorithms (called GOST
> algorithms). Only signature verification is implemented.
>
> +config CRYPTO_MLDSA
> + tristate "ML-DSA (Module-Lattice-Based Digital Signature Algorithm)"
> + select CRYPTO_SIG
> + select CRYPTO_LIB_MLDSA
> + select CRYPTO_LIB_SHA3
> + help
> + ML-DSA (Module-Lattice-Based Digital Signature Algorithm) (FIPS-204).
> +
> + Only signature verification is implemented.
> +
> endmenu
>
> menu "Block ciphers"
> diff --git a/crypto/Makefile b/crypto/Makefile
> index 23d3db7be425..267d5403045b 100644
> --- a/crypto/Makefile
> +++ b/crypto/Makefile
> @@ -60,6 +60,8 @@ ecdsa_generic-y += ecdsa-p1363.o
> ecdsa_generic-y += ecdsasignature.asn1.o
> obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o
>
> +obj-$(CONFIG_CRYPTO_MLDSA) += mldsa.o
> +
> crypto_acompress-y := acompress.o
> crypto_acompress-y += scompress.o
> obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o
> diff --git a/crypto/mldsa.c b/crypto/mldsa.c
> new file mode 100644
> index 000000000000..2146c774b5ca
> --- /dev/null
> +++ b/crypto/mldsa.c
> @@ -0,0 +1,201 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * crypto_sig wrapper around ML-DSA library.
> + */
> +#include <linux/init.h>
> +#include <linux/module.h>
> +#include <crypto/internal/sig.h>
> +#include <crypto/mldsa.h>
> +
> +struct crypto_mldsa_ctx {
> + u8 pk[MAX(MAX(MLDSA44_PUBLIC_KEY_SIZE,
> + MLDSA65_PUBLIC_KEY_SIZE),
> + MLDSA87_PUBLIC_KEY_SIZE)];
> + unsigned int pk_len;
> + enum mldsa_alg strength;
> + u8 key_set;
> +};
> +
> +static int crypto_mldsa_sign(struct crypto_sig *tfm,
> + const void *msg, unsigned int msg_len,
> + void *sig, unsigned int sig_len)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +static int crypto_mldsa_verify(struct crypto_sig *tfm,
> + const void *sig, unsigned int sig_len,
> + const void *msg, unsigned int msg_len)
> +{
> + const struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + if (unlikely(!ctx->key_set))
> + return -EINVAL;
> +
> + return mldsa_verify(ctx->strength, sig, sig_len, msg, msg_len,
> + ctx->pk, ctx->pk_len);
> +}
> +
> +static unsigned int crypto_mldsa_key_size(struct crypto_sig *tfm)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + switch (ctx->strength) {
> + case MLDSA44:
> + return MLDSA44_PUBLIC_KEY_SIZE;
> + case MLDSA65:
> + return MLDSA65_PUBLIC_KEY_SIZE;
> + case MLDSA87:
> + return MLDSA87_PUBLIC_KEY_SIZE;
> + default:
> + WARN_ON_ONCE(1);
> + return 0;
> + }
> +}
> +
> +static int crypto_mldsa_set_pub_key(struct crypto_sig *tfm,
> + const void *key, unsigned int keylen)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> + unsigned int expected_len = crypto_mldsa_key_size(tfm);
> +
> + if (keylen != expected_len)
> + return -EINVAL;
> +
> + ctx->pk_len = keylen;
> + memcpy(ctx->pk, key, keylen);
> + ctx->key_set = true;
> + return 0;
> +}
> +
> +static int crypto_mldsa_set_priv_key(struct crypto_sig *tfm,
> + const void *key, unsigned int keylen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +static unsigned int crypto_mldsa_max_size(struct crypto_sig *tfm)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + switch (ctx->strength) {
> + case MLDSA44:
> + return MLDSA44_SIGNATURE_SIZE;
> + case MLDSA65:
> + return MLDSA65_SIGNATURE_SIZE;
> + case MLDSA87:
> + return MLDSA87_SIGNATURE_SIZE;
> + default:
> + WARN_ON_ONCE(1);
> + return 0;
> + }
> +}
> +
> +static int crypto_mldsa44_alg_init(struct crypto_sig *tfm)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + ctx->strength = MLDSA44;
> + ctx->key_set = false;
> + return 0;
> +}
> +
> +static int crypto_mldsa65_alg_init(struct crypto_sig *tfm)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + ctx->strength = MLDSA65;
> + ctx->key_set = false;
> + return 0;
> +}
> +
> +static int crypto_mldsa87_alg_init(struct crypto_sig *tfm)
> +{
> + struct crypto_mldsa_ctx *ctx = crypto_sig_ctx(tfm);
> +
> + ctx->strength = MLDSA87;
> + ctx->key_set = false;
> + return 0;
> +}
> +
> +static void crypto_mldsa_alg_exit(struct crypto_sig *tfm)
> +{
> +}
> +
> +static struct sig_alg crypto_mldsa_algs[] = {
> + {
> + .sign = crypto_mldsa_sign,
> + .verify = crypto_mldsa_verify,
> + .set_pub_key = crypto_mldsa_set_pub_key,
> + .set_priv_key = crypto_mldsa_set_priv_key,
> + .key_size = crypto_mldsa_key_size,
> + .max_size = crypto_mldsa_max_size,
> + .init = crypto_mldsa44_alg_init,
> + .exit = crypto_mldsa_alg_exit,
> + .base.cra_name = "mldsa44",
> + .base.cra_driver_name = "mldsa44-lib",
> + .base.cra_ctxsize = sizeof(struct crypto_mldsa_ctx),
> + .base.cra_module = THIS_MODULE,
> + .base.cra_priority = 5000,
> + }, {
> + .sign = crypto_mldsa_sign,
> + .verify = crypto_mldsa_verify,
> + .set_pub_key = crypto_mldsa_set_pub_key,
> + .set_priv_key = crypto_mldsa_set_priv_key,
> + .key_size = crypto_mldsa_key_size,
> + .max_size = crypto_mldsa_max_size,
> + .init = crypto_mldsa65_alg_init,
> + .exit = crypto_mldsa_alg_exit,
> + .base.cra_name = "mldsa65",
> + .base.cra_driver_name = "mldsa65-lib",
> + .base.cra_ctxsize = sizeof(struct crypto_mldsa_ctx),
> + .base.cra_module = THIS_MODULE,
> + .base.cra_priority = 5000,
> + }, {
> + .sign = crypto_mldsa_sign,
> + .verify = crypto_mldsa_verify,
> + .set_pub_key = crypto_mldsa_set_pub_key,
> + .set_priv_key = crypto_mldsa_set_priv_key,
> + .key_size = crypto_mldsa_key_size,
> + .max_size = crypto_mldsa_max_size,
> + .init = crypto_mldsa87_alg_init,
> + .exit = crypto_mldsa_alg_exit,
> + .base.cra_name = "mldsa87",
> + .base.cra_driver_name = "mldsa87-lib",
> + .base.cra_ctxsize = sizeof(struct crypto_mldsa_ctx),
> + .base.cra_module = THIS_MODULE,
> + .base.cra_priority = 5000,
> + },
> +};
> +
> +static int __init mldsa_init(void)
> +{
> + int ret, i;
> +
> + for (i = 0; i < ARRAY_SIZE(crypto_mldsa_algs); i++) {
> + ret = crypto_register_sig(&crypto_mldsa_algs[i]);
> + if (ret < 0)
> + goto error;
> + }
> + return 0;
> +
> +error:
> + pr_err("Failed to register (%d)\n", ret);
> + for (i--; i >= 0; i--)
> + crypto_unregister_sig(&crypto_mldsa_algs[i]);
> + return ret;
> +}
> +module_init(mldsa_init);
> +
> +static void mldsa_exit(void)
> +{
> + for (int i = 0; i < ARRAY_SIZE(crypto_mldsa_algs); i++)
> + crypto_unregister_sig(&crypto_mldsa_algs[i]);
> +}
> +module_exit(mldsa_exit);
> +
> +MODULE_LICENSE("GPL");
> +MODULE_DESCRIPTION("Crypto API support for ML-DSA signature verification");
> +MODULE_ALIAS_CRYPTO("mldsa44");
> +MODULE_ALIAS_CRYPTO("mldsa65");
> +MODULE_ALIAS_CRYPTO("mldsa87");
>
Went through it, not much else to say, as it just binds the callbacks:
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
next prev parent reply other threads:[~2026-01-20 17:37 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 14:50 [PATCH v13 00/12] x509, pkcs7, crypto: Add ML-DSA and RSASSA-PSS signing David Howells
2026-01-20 14:50 ` [PATCH v13 01/12] crypto: Add ML-DSA crypto_sig support David Howells
2026-01-20 17:37 ` Jarkko Sakkinen [this message]
2026-01-20 20:52 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 02/12] pkcs7: Allow the signing algo to calculate the digest itself David Howells
2026-01-20 17:53 ` Jarkko Sakkinen
2026-01-21 12:31 ` David Howells
2026-01-24 11:46 ` Jarkko Sakkinen
2026-01-20 21:12 ` Eric Biggers
2026-01-23 11:37 ` David Howells
2026-01-20 14:50 ` [PATCH v13 03/12] pkcs7: Allow direct signing of data with ML-DSA David Howells
2026-01-20 14:50 ` [PATCH v13 04/12] pkcs7, x509: Add ML-DSA support David Howells
2026-01-20 21:17 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 05/12] modsign: Enable ML-DSA module signing David Howells
2026-01-20 21:38 ` Eric Biggers
2026-01-21 14:21 ` David Howells
2026-01-20 14:50 ` [PATCH v13 06/12] crypto: Add supplementary info param to asymmetric key signature verification David Howells
2026-01-20 14:50 ` [PATCH v13 07/12] crypto: Add RSASSA-PSS support David Howells
2026-01-20 22:41 ` Eric Biggers
2026-01-20 23:15 ` David Howells
2026-01-20 23:36 ` Eric Biggers
2026-01-21 8:11 ` Ignat Korchagin
2026-01-21 2:14 ` Eric Biggers
2026-01-21 8:15 ` Ignat Korchagin
2026-01-20 14:50 ` [PATCH v13 08/12] pkcs7, x509: " David Howells
2026-01-20 14:50 ` [PATCH v13 09/12] modsign: Enable RSASSA-PSS module signing David Howells
2026-01-20 14:50 ` [PATCH v13 10/12] pkcs7: Add FIPS selftest for RSASSA-PSS David Howells
2026-01-20 14:50 ` [PATCH v13 11/12] x509, pkcs7: Limit crypto combinations that may be used for module signing David Howells
2026-01-20 18:31 ` Ignat Korchagin
2026-01-20 18:54 ` David Howells
2026-01-20 21:51 ` Vitaly Chikunov
2026-01-20 23:18 ` David Howells
2026-01-20 22:14 ` Eric Biggers
2026-01-20 14:50 ` [PATCH v13 12/12] pkcs7: Add ML-DSA FIPS selftest David Howells
2026-01-20 17:54 ` Jarkko Sakkinen
2026-01-20 17:55 ` Jarkko Sakkinen
2026-01-20 21:43 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aW-9b0JO_FX3P__b@kernel.org \
--to=jarkko@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox