Add support for ML-DSA PQC keys #38
Merged
mimizohar merged 6 commits into linux-integrity:next-testing from May 5, 2026
Add IGNORE_EMBEDDED_FUNCTION name to checkpatch ignore list to suppress the following type of warning:

    WARNING: Prefer using '"%s...", __func__' to using 'create_sigv3_mldsa', \
    this function's name, in a string

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Set the size of an xattr_value that can be read to MAX_SIGNATURE_SIZE so that ML-DSA keys can also be read once enabled (and MAX_SIGNATURE_SIZE gets a larger value).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Fix a memory leak by freeing pkey. Have it not report an error message again since an error was already reported.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

OpenSSL >= v3.5.0 supports signing with ML-DSA-44/65/87. Add support for it to the imaevm_create_sigv3 library function. Since the ML-DSA signatures require a lot more space for the signature now, increase the size of the array where the signatures are stored. The following are the sizes of ML-DSA signatures by key type:

- ML-DSA-44: 2420
- ML-DSA-65: 3309
- ML-DSA-87: 4627

Prevent signature V2 from being created with any other key types than 'RSA', 'EC', 'GOST' (ECRDSA), or 'SM2'. In the functions that created a v2 signature, only RSA, ECDSA, and ECRDSA signatures are created and they can easily work with the old buffer size of less than 1024 bytes.

The size available for extended attributes may be smaller than what is required by the ML-DSA signature size, and therefore it may not be possible to store, for example, ML-DSA-87 signatures (depends on type of filesystem). Nevertheless, extend the MAX_SIGNATURE_SIZE to the required size of ML-DSA-87 and display an error if writing the signature of a size larger than 4k did not work.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend the functions creating keys for EVM/IMA signing and the local CA to now also support creating ML-DSA keys. Check for OpenSSL 3.5 since this is the minimum version required when trying to create such keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Create ML-DSA-44 & ML-DSA-65 keys if ML-DSA-44 can be created with the installed version of OpenSSL. Add test cases for signing and verifying with these types of keys. Do not test with ML-DSA-87 keys since the signatures they create may be too large for some filesystems' xattrs. On Btrfs for example it would be possible to store the large signatures.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This series adds ML-DSA PQC key support to the library and evmctl and adds test cases for signing and verifying to the sign_verify.test. It requires availability of OpenSSL 3.5.
This is a continuation of PR #19.