module: enable automatic module signing with FIPS 202 SHA-3
Add Kconfig options to use SHA-3 for kernel module signing. 256 size
for RSA only, and higher sizes for RSA and NIST P-384.

Signed-off-by: Dimitri John Ledkov <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
xnox authored and herbertx committed Oct 27, 2023
1 parent fdb4f66 commit 446b1e0
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 1 addition & 1 deletion certs/Kconfig
Expand Up @@ -30,7 +30,7 @@ config MODULE_SIG_KEY_TYPE_RSA
config MODULE_SIG_KEY_TYPE_ECDSA
bool "ECDSA"
select CRYPTO_ECDSA
depends on MODULE_SIG_SHA384 || MODULE_SIG_SHA512
depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
help
Use an elliptic curve key (NIST P384) for module signing. Use
a strong hash of same or higher bit length, i.e. sha384 or
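Review bot: the new `depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)` line under MODULE_SIG_KEY_TYPE_ECDSA replaces an allow-list with a deny-list, so any hash option added to the choice later becomes selectable with the P-384 key unless someone remembers to extend this expression. Listing the permitted hashes keeps the policy fail-closed: `depends on MODULE_SIG_SHA384 || MODULE_SIG_SHA512 || MODULE_SIG_SHA3_384 || MODULE_SIG_SHA3_512`. The help text is untouched by this one-line change and still opens its list with "sha384 or", so it is worth checking that it names the SHA-3 equivalents as well.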
15 changes: 15 additions & 0 deletions kernel/module/Kconfig
Expand Up @@ -248,6 +248,18 @@ config MODULE_SIG_SHA512
bool "Sign modules with SHA-512"
select CRYPTO_SHA512

config MODULE_SIG_SHA3_256
bool "Sign modules with SHA3-256"
select CRYPTO_SHA3

config MODULE_SIG_SHA3_384
bool "Sign modules with SHA3-384"
select CRYPTO_SHA3

config MODULE_SIG_SHA3_512
bool "Sign modules with SHA3-512"
select CRYPTO_SHA3

endchoice

config MODULE_SIG_HASH
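Review bot: the three new entries (MODULE_SIG_SHA3_256, MODULE_SIG_SHA3_384, MODULE_SIG_SHA3_512) carry no help text, and the restriction the commit message gives for the 256-bit size ("for RSA only") cannot be seen from this file; it exists only as the `depends on` line of MODULE_SIG_KEY_TYPE_ECDSA in certs/Kconfig. A short `help` under MODULE_SIG_SHA3_256 stating that it cannot be combined with the ECDSA key type would explain why the ECDSA option disappears when this hash is chosen.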
Expand All @@ -256,6 +268,9 @@ config MODULE_SIG_HASH
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
default "sha3-256" if MODULE_SIG_SHA3_256
default "sha3-384" if MODULE_SIG_SHA3_384
default "sha3-512" if MODULE_SIG_SHA3_512

choice
prompt "Module compression mode"
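Review bot: the three added defaults spell the algorithm with a hyphen ("sha3-256", "sha3-384", "sha3-512") while the existing ones do not ("sha256", "sha384", "sha512"). MODULE_SIG_HASH is a string passed on as an algorithm name, so the commit message should state that the hyphenated spelling is the one every consumer of this value expects, both when signing at build time and when verifying at load time.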