<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/certs/Makefile, branch v7.0-rc7</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-02-02T16:57:39+00:00</updated>
<entry>
<title>modsign: Enable ML-DSA module signing</title>
<updated>2026-02-02T16:57:39+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2025-10-06T07:35:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0ad9a71933e73c8a2af101d28e9a1dc35bae02d5'/>
<id>urn:sha1:0ad9a71933e73c8a2af101d28e9a1dc35bae02d5</id>
<content type='text'>
Allow ML-DSA module signing to be enabled.

Note that OpenSSL's CMS_*() function suite does not, as of OpenSSL-3.6,
support the use of CMS_NOATTR with ML-DSA, so the prohibition against using
signedAttrs with module signing has to be removed.  The selected digest
then applies only to the algorithm used to calculate the digest stored in
the messageDigest attribute.  The OpenSSL development branch has patches
applied that fix this[1], but it appears that that will only be available
in OpenSSL-4.

[1] https://github.com/openssl/openssl/pull/28923

sign-file won't set CMS_NOATTR if openssl is earlier than v4, resulting in
the use of signed attributes.

The ML-DSA algorithm takes the raw data to be signed without regard to what
digest algorithm is specified in the CMS message.  The CMS specified digest
algorithm is ignored unless signedAttrs are used; in such a case, only
SHA512 is permitted.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
cc: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
cc: Eric Biggers &lt;ebiggers@kernel.org&gt;
cc: Lukas Wunner &lt;lukas@wunner.de&gt;
cc: Ignat Korchagin &lt;ignat@cloudflare.com&gt;
cc: Stephan Mueller &lt;smueller@chronox.de&gt;
cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
</content>
</entry>
<entry>
<title>sign-file,extract-cert: move common SSL helper functions to a header</title>
<updated>2024-09-20T16:49:52+00:00</updated>
<author>
<name>Jan Stancek</name>
<email>jstancek@redhat.com</email>
</author>
<published>2024-07-12T07:11:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=300e6d4116f956b035281ec94297dc4dc8d4e1d3'/>
<id>urn:sha1:300e6d4116f956b035281ec94297dc4dc8d4e1d3</id>
<content type='text'>
A couple of error-handling helpers are repeated in both tools, so
move them to a common header.

Signed-off-by: Jan Stancek &lt;jstancek@redhat.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: R Nageswara Sastry &lt;rnsastry@linux.ibm.com&gt;
Reviewed-by: Neal Gompa &lt;neal@gompa.dev&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>kbuild: use $(src) instead of $(srctree)/$(src) for source directory</title>
<updated>2024-05-09T19:34:52+00:00</updated>
<author>
<name>Masahiro Yamada</name>
<email>masahiroy@kernel.org</email>
</author>
<published>2024-04-27T14:55:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0'/>
<id>urn:sha1:b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0</id>
<content type='text'>
Kbuild conventionally uses $(obj)/ for generated files, and $(src)/ for
checked-in source files. It is merely a convention without any functional
difference. In fact, $(obj) and $(src) are exactly the same, as defined
in scripts/Makefile.build:

    src := $(obj)

When the kernel is built in a separate output directory, $(src) does
not accurately reflect the source directory location. While Kbuild
resolves this discrepancy by specifying VPATH=$(srctree) to search for
source files, it does not cover all cases. For example, when adding a
header search path for local headers, -I$(srctree)/$(src) is typically
passed to the compiler.

This introduces inconsistency between upstream and downstream Makefiles
because $(src) is used instead of $(srctree)/$(src) for the latter.

To address this inconsistency, this commit changes the semantics of
$(src) so that it always points to the directory in the source tree.

Going forward, the variables used in Makefiles will have the following
meanings:

  $(obj)     - directory in the object tree
  $(src)     - directory in the source tree  (changed by this commit)
  $(objtree) - the top of the kernel object tree
  $(srctree) - the top of the kernel source tree

Consequently, $(srctree)/$(src) in upstream Makefiles needs to be replaced
with $(src).

Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Reviewed-by: Nicolas Schier &lt;nicolas@fjasle.eu&gt;
</content>
</entry>
<entry>
<title>certs: Fix build error when PKCS#11 URI contains semicolon</title>
<updated>2023-01-31T08:53:01+00:00</updated>
<author>
<name>Jan Luebbe</name>
<email>jlu@pengutronix.de</email>
</author>
<published>2023-01-31T08:43:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b1c3d2beed8ef3699fab106340e33a79052df116'/>
<id>urn:sha1:b1c3d2beed8ef3699fab106340e33a79052df116</id>
<content type='text'>
When CONFIG_MODULE_SIG_KEY is a PKCS#11 URI (pkcs11:*) and contains a
semicolon, signing_key.x509 fails to build:

  certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
  Usage: extract-cert &lt;source&gt; &lt;dest&gt;

Add quotes to the extract-cert argument to avoid splitting by the shell.

This approach was suggested by Masahiro Yamada &lt;masahiroy@kernel.org&gt;.

Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
Signed-off-by: Jan Luebbe &lt;jlu@pengutronix.de&gt;
Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
</content>
</entry>
<entry>
<title>certs: unify blacklist_hashes.c and blacklist_nohashes.c</title>
<updated>2022-07-27T12:17:59+00:00</updated>
<author>
<name>Masahiro Yamada</name>
<email>masahiroy@kernel.org</email>
</author>
<published>2022-06-11T17:22:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=31f6d95c2cab1898c05a95f434f54a327431f158'/>
<id>urn:sha1:31f6d95c2cab1898c05a95f434f54a327431f158</id>
<content type='text'>
These two files are very similar. Unify them.

Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Reviewed-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>certs: move scripts/check-blacklist-hashes.awk to certs/</title>
<updated>2022-07-27T12:17:59+00:00</updated>
<author>
<name>Masahiro Yamada</name>
<email>masahiroy@kernel.org</email>
</author>
<published>2022-06-11T17:22:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9008a676662a77ab98727d05bdffa0e3c38cba53'/>
<id>urn:sha1:9008a676662a77ab98727d05bdffa0e3c38cba53</id>
<content type='text'>
This script is only used in certs/Makefile, so certs/ is a better
home for it.

Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Reviewed-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs</title>
<updated>2022-06-21T17:13:53+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2022-06-21T17:13:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0273fd423b2fe10af96ff713273137c63a7736c0'/>
<id>urn:sha1:0273fd423b2fe10af96ff713273137c63a7736c0</id>
<content type='text'>
Pull signature checking selftest from David Howells:
 "The signature checking code, as used by module signing, kexec, etc.,
  is non-FIPS compliant as there is no selftest.

  For a kernel to be FIPS-compliant, signature checking would have to be
  tested before being used, and the box would need to panic if it's not
  available (probably reasonable as simply disabling signature checking
  would prevent you from loading any driver modules).

  Deal with this by adding a minimal test.

  This is split into two patches: the first moves load_certificate_list()
  to the same place as the X.509 code to make it more accessible
  internally; the second adds a selftest"

* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  certs: Add FIPS selftests
  certs: Move load_certificate_list() to be with the asymmetric keys code
</content>
</entry>
<entry>
<title>certs: Move load_certificate_list() to be with the asymmetric keys code</title>
<updated>2022-06-21T15:05:06+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2022-05-18T22:48:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=60050ffe3d770dd1df5b641aa48f49d07a54bd84'/>
<id>urn:sha1:60050ffe3d770dd1df5b641aa48f49d07a54bd84</id>
<content type='text'>
Move load_certificate_list(), which loads a series of binary X.509
certificates from a blob and inserts them as keys into a keyring, to be
with the asymmetric keys code that it drives.

This makes it easier to add FIPS selftest code in which we need to load up
a private keyring for the tests to use.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/
</content>
</entry>
<entry>
<title>certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST build</title>
<updated>2022-06-15T18:52:32+00:00</updated>
<author>
<name>Masahiro Yamada</name>
<email>masahiroy@kernel.org</email>
</author>
<published>2022-06-11T17:22:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=27b5b22d252c6d71a2a37a4bdf18d0be6d25ee5a'/>
<id>urn:sha1:27b5b22d252c6d71a2a37a4bdf18d0be6d25ee5a</id>
<content type='text'>
Commit addf466389d9 ("certs: Check that builtin blacklist hashes are
valid") was applied 8 months after the submission.

In the meantime, the base code had been removed by commit b8c96a6b466c
("certs: simplify $(srctree)/ handling and remove config_filename
macro").

Fix the Makefile.

Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is
included from certs/blacklist_hashes.c and also works as a timestamp.

Send error messages from check-blacklist-hashes.awk to stderr instead
of stdout.

Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
Signed-off-by: Masahiro Yamada &lt;masahiroy@kernel.org&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
</entry>
<entry>
<title>certs: Convert spaces in certs/Makefile to a tab</title>
<updated>2022-06-10T18:42:02+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2022-06-10T18:35:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d56fd98612aef73f85ec0c44e86fe04a9d3325ee'/>
<id>urn:sha1:d56fd98612aef73f85ec0c44e86fe04a9d3325ee</id>
<content type='text'>
There's a rule in certs/Makefile for which the command begins with eight
spaces.  This results in:

        ../certs/Makefile:21: FORCE prerequisite is missing
        ../certs/Makefile:21: *** missing separator.  Stop.

Fix this by turning the spaces into a tab.

Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/486b1b80-9932-aab6-138d-434c541c934a@digikod.net/ # v1
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
