On Tue, Jan 20, 2026 at 02:50:57PM +0000, David Howells wrote: > Limit the set of crypto combinations that may be used for module signing as > no indication of hash algorithm used for signing is added to the hash of > the data, so in theory a data blob hashed with a different algorithm can be > substituted provided it has the same hash output. > > This also rejects the use of less secure algorithms. > > Signed-off-by: David Howells <[email protected]> > cc: Lukas Wunner <[email protected]> > cc: Ignat Korchagin <[email protected]> > cc: Stephan Mueller <[email protected]> > cc: Eric Biggers <[email protected]> > cc: Herbert Xu <[email protected]> > cc: [email protected] > cc: [email protected] > --- > crypto/asymmetric_keys/public_key.c | 55 +++++++++++++++++++++++++++-- > 1 file changed, 53 insertions(+), 2 deletions(-) > > diff --git a/crypto/asymmetric_keys/public_key.c > b/crypto/asymmetric_keys/public_key.c > index 13a5616becaa..90b98e1a952d 100644 > --- a/crypto/asymmetric_keys/public_key.c > +++ b/crypto/asymmetric_keys/public_key.c 
> @@ -24,6 +24,52 @@ MODULE_DESCRIPTION("In-software asymmetric public-key > subtype"); > MODULE_AUTHOR("Red Hat, Inc."); > MODULE_LICENSE("GPL"); > > +struct public_key_restriction { > + const char *pkey_algo; /* Signing algorithm (e.g. "rsa") */ > + const char *pkey_enc; /* Signature encoding (e.g. "pkcs1") */ > + const char *hash_algo; /* Content hash algorithm (e.g. > "sha256") */ > +}; > + > +static const struct public_key_restriction public_key_restrictions[] = { > + /* algo encoding hash */ > + { "rsa", "pkcs1", "sha256" }, > + { "rsa", "pkcs1", "sha384" }, > + { "rsa", "pkcs1", "sha512" }, > + { "rsa", "emsa-pss", "sha512" }, > + { "ecdsa", "x962", "sha256" }, > + { "ecdsa", "x962", "sha384" }, > + { "ecdsa", "x962", "sha512" }, > + { "ecrdsa", "raw", "sha256" }, > + { "ecrdsa", "raw", "sha384" }, > + { "ecrdsa", "raw", "sha512" }, > + { "mldsa44", "raw", "sha512" }, > + { "mldsa65", "raw", "sha512" }, > + { "mldsa87", "raw", "sha512" }, > + /* ML-DSA may also do its own hashing over the entire message. */ > + { "mldsa44", "raw", "-" }, > + { "mldsa65", "raw", "-" }, > + { "mldsa87", "raw", "-" }, > +};
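Review bot: the "-" placeholder in the `hash_algo` column of the three trailing ML-DSA rows (`{ "mldsa44", "raw", "-" }` and friends) is not defined anywhere in the hunk; the comment only says ML-DSA "may also do its own hashing over the entire message". State what value of the signature's hash_algo this row is meant to match (a NULL pointer, an empty string, or the literal "-"), because a lookup that compares the column with strcmp() will never match a NULL hash_algo, and a literal "-" would have to be set by the caller. Separately, `{ "rsa", "emsa-pss", "sha512" }` is the only PSS row while pkcs1 gets sha256, sha384 and sha512; either justify the asymmetry in a comment next to the table or align the two, since as written a sha256 PSS signature is rejected for no stated reason. Note that only the table itself is in this hunk; the code that consults it is not visible here and cannot be checked against the existing validation in the same file.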
Have you read software_key_determine_akcipher()? It's the place where the encoding and hash_algo are validated currently. This commit adds a second set of slightly different checks alongside the existing ones. It's unclear whether the existing checks were considered.

Also, the ML-DSA and RSASSA-PSS support is new in this patchset, and this commit is a fix for it. Instead of committing buggy code that is fixed by a later commit, it's preferable to commit correct code in the first place.

- Eric
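The following is an added, stand-alone userspace example that is not part of the patch or of the kernel; it shows the shape of an allowlist check for (pkey_algo, encoding, hash_algo) triples in the spirit of the `public_key_restrictions[]` table quoted above, including the edge case of a scheme such as ML-DSA that hashes the whole message itself. The function name `check_sig_combo()`, the `digest_len` column, the use of a NULL `hash_algo` to mean "no separate content hash" (standing in for the patch's "-" rows), and the digest-length sanity check are all assumptions made for this example; the patch defines none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Example allowlist (not kernel code).  One row per permitted
 * (signing algorithm, signature encoding, content hash) combination.
 * hash_algo == NULL means the scheme hashes the message itself, so no
 * external digest is expected (this models the "-" rows in the patch).
 * digest_len is an added sanity column: the byte length the named hash
 * produces, 0 when there is no external hash.
 */
struct sig_combo {
	const char *pkey_algo;	/* "rsa", "ecdsa", "ecrdsa", "mldsa65", ... */
	const char *enc;	/* "pkcs1", "emsa-pss", "x962", "raw" */
	const char *hash_algo;	/* "sha256" etc., or NULL (see above) */
	size_t digest_len;	/* expected digest size in bytes */
};

static const struct sig_combo allowed_combos[] = {
	/* algo        encoding    hash      len */
	{ "rsa",     "pkcs1",    "sha256", 32 },
	{ "rsa",     "pkcs1",    "sha384", 48 },
	{ "rsa",     "pkcs1",    "sha512", 64 },
	{ "rsa",     "emsa-pss", "sha512", 64 },
	{ "ecdsa",   "x962",     "sha256", 32 },
	{ "ecdsa",   "x962",     "sha384", 48 },
	{ "ecdsa",   "x962",     "sha512", 64 },
	{ "ecrdsa",  "raw",      "sha256", 32 },
	{ "ecrdsa",  "raw",      "sha384", 48 },
	{ "ecrdsa",  "raw",      "sha512", 64 },
	{ "mldsa44", "raw",      "sha512", 64 },
	{ "mldsa65", "raw",      "sha512", 64 },
	{ "mldsa87", "raw",      "sha512", 64 },
	/* ML-DSA hashing the entire message itself: no external digest. */
	{ "mldsa44", "raw",      NULL,     0 },
	{ "mldsa65", "raw",      NULL,     0 },
	{ "mldsa87", "raw",      NULL,     0 },
};

/* Result codes for check_sig_combo(). */
enum {
	SIG_COMBO_OK = 0,
	SIG_COMBO_NOT_ALLOWED = -1,	/* triple is not on the allowlist */
	SIG_COMBO_BAD_DIGEST_LEN = -2,	/* digest size does not fit the named hash */
};

/* NULL-safe string equality: two NULLs are equal, NULL and a string are not. */
static bool str_eq(const char *a, const char *b)
{
	if (!a || !b)
		return a == b;
	return strcmp(a, b) == 0;
}

/*
 * Accept the combination only if it appears verbatim in the allowlist and
 * the digest handed to us has the length the named hash produces.  Anything
 * not listed (e.g. sha1, md5, or a PSS signature over sha256) is rejected.
 */
int check_sig_combo(const char *pkey_algo, const char *enc,
		    const char *hash_algo, size_t digest_len)
{
	size_t i, n = sizeof(allowed_combos) / sizeof(allowed_combos[0]);

	for (i = 0; i < n; i++) {
		const struct sig_combo *c = &allowed_combos[i];

		if (!str_eq(c->pkey_algo, pkey_algo) ||
		    !str_eq(c->enc, enc) ||
		    !str_eq(c->hash_algo, hash_algo))
			continue;
		if (c->digest_len != digest_len)
			return SIG_COMBO_BAD_DIGEST_LEN;
		return SIG_COMBO_OK;
	}
	return SIG_COMBO_NOT_ALLOWED;
}

int main(void)
{
	/* Constructed inputs: allowed, weak hash, PSS with an unlisted hash,
	 * self-hashing ML-DSA, and a digest length that contradicts the hash. */
	printf("rsa/pkcs1/sha256 (32):   %d\n", check_sig_combo("rsa", "pkcs1", "sha256", 32));
	printf("rsa/pkcs1/sha1 (20):     %d\n", check_sig_combo("rsa", "pkcs1", "sha1", 20));
	printf("rsa/emsa-pss/sha256 (32): %d\n", check_sig_combo("rsa", "emsa-pss", "sha256", 32));
	printf("mldsa65/raw/none (0):    %d\n", check_sig_combo("mldsa65", "raw", NULL, 0));
	printf("ecdsa/x962/sha256 (48):  %d\n", check_sig_combo("ecdsa", "x962", "sha256", 48));
	return 0;
}
```

Because the match is on the exact triple rather than on each column independently, a row such as `"rsa", "emsa-pss", "sha512"` does not implicitly admit PSS with sha256, which is the property the patch's table relies on; the digest-length check is an extra that only matters when the digest is supplied by a caller rather than computed from hash_algo.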
