| Message ID | 20210324121525.16062-1-tianjia.zhang@linux.alibaba.com |
|---|---|
| Headers | show |
| Series | support sign module with SM2-with-SM3 algorithm | expand |
ping. Thanks, Tianjia On 3/24/21 8:15 PM, Tianjia Zhang wrote: > The kernel module signature supports the option to use the SM3 secure > hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs. > The former is used for signing and the latter is used for hash > calculation. > > To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a > configuration file openssl.cnf with the following content: > > [ req ] > default_bits = 2048 > distinguished_name = req_distinguished_name > prompt = no > string_mask = utf8only > x509_extensions = v3_req > > [ req_distinguished_name ] > C = CN > ST = HangZhou > L = foo > O = Test > OU = Test > CN = Test key > emailAddress = test@foo.com > > [ v3_req ] > basicConstraints=critical,CA:FALSE > keyUsage=digitalSignature > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid:always > > Then we can use the following method to sign module with SM2-with-SM3 > algorithm combination: > > # generate CA key and self-signed CA certificate > openssl ecparam -genkey -name SM2 -text -out ca.key > openssl req -new -x509 -days 3650 -key ca.key \ > -sm3 -sigopt "distid:1234567812345678" \ > -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \ > -config openssl.cnf -out ca.crt > > # generate SM2 private key and sign request > openssl ecparam -genkey -name SM2 -text -out private.pem > openssl req -new -key private.pem -config openssl.cnf \ > -sm3 -sigopt "distid:1234567812345678" -out csr.pem > > # generate SM2-with-SM3 certificate signed by CA > openssl x509 -req -days 3650 -sm3 -in csr.pem \ > -sigopt "distid:1234567812345678" \ > -vfyopt "distid:1234567812345678" \ > -CA ca.crt -CAkey ca.key -CAcreateserial \ > -extfile openssl.cnf -extensions v3_req \ > -out cert.pem > > # sign module with SM2-with-SM3 algorithm > sign-file sm3 private.pem cert.pem test.ko test.ko.signed > > At this point, we should built the CA certificate into the kernel, and > then we can load the SM2-with-SM3 signed module normally. > > --- > v2 change: > - split one patch into twos. > - richer commit log. > > Tianjia Zhang (2): > pkcs7: make parser enable SM2 and SM3 algorithms combination > init/Kconfig: support sign module with SM2-with-SM3 algorithm > > Documentation/admin-guide/module-signing.rst | 5 +++-- > crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++ > init/Kconfig | 5 +++++ > 3 files changed, 15 insertions(+), 2 deletions(-) >
The kernel module signature supports the option to use the SM3 secure hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs. The former is used for signing and the latter is used for hash calculation. To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a configuration file openssl.cnf with the following content: [ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_req [ req_distinguished_name ] C = CN ST = HangZhou L = foo O = Test OU = Test CN = Test key emailAddress = test@foo.com [ v3_req ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always Then we can use the following method to sign module with SM2-with-SM3 algorithm combination: # generate CA key and self-signed CA certificate openssl ecparam -genkey -name SM2 -text -out ca.key openssl req -new -x509 -days 3650 -key ca.key \ -sm3 -sigopt "distid:1234567812345678" \ -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \ -config openssl.cnf -out ca.crt # generate SM2 private key and sign request openssl ecparam -genkey -name SM2 -text -out private.pem openssl req -new -key private.pem -config openssl.cnf \ -sm3 -sigopt "distid:1234567812345678" -out csr.pem # generate SM2-with-SM3 certificate signed by CA openssl x509 -req -days 3650 -sm3 -in csr.pem \ -sigopt "distid:1234567812345678" \ -vfyopt "distid:1234567812345678" \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile openssl.cnf -extensions v3_req \ -out cert.pem # sign module with SM2-with-SM3 algorithm sign-file sm3 private.pem cert.pem test.ko test.ko.signed At this point, we should built the CA certificate into the kernel, and then we can load the SM2-with-SM3 signed module normally. --- v2 change: - split one patch into twos. - richer commit log. Tianjia Zhang (2): pkcs7: make parser enable SM2 and SM3 algorithms combination init/Kconfig: support sign module with SM2-with-SM3 algorithm Documentation/admin-guide/module-signing.rst | 5 +++-- crypto/asymmetric_keys/pkcs7_parser.c | 7 +++++++ init/Kconfig | 5 +++++ 3 files changed, 15 insertions(+), 2 deletions(-)