Re: [PATCH v2 2/2] integrity: Add support for sigv3 verification using ML-DSA keys

Tue, 14 Apr 2026 19:07:58 -0700 

On Wed, 2026-04-08 at 13:41 -0400, Stefan Berger wrote:
> Add support for sigv3 signature verification using ML-DSA in pure mode.
> When a sigv3 signature is verified, first check whether the key to use
> for verification is an ML-DSA key and therefore uses a hashless signature
> verification scheme. The hashless signature verification method uses the
> ima_file_id structure directly for signature verification rather than
> its digest.
> 
> Suggested-by: Eric Biggers <[email protected]>
> Signed-off-by: Stefan Berger <[email protected]>
> 

Thanks, Stefan.
> ---
> v2: Set hash_algo in public_key_signature to "none"
> ---
>  security/integrity/digsig_asymmetric.c | 84 ++++++++++++++++++++++++--
>  1 file changed, 79 insertions(+), 5 deletions(-)
> 
> diff --git a/security/integrity/digsig_asymmetric.c 
> b/security/integrity/digsig_asymmetric.c
> index e29ed73f15cd..c80cb2b117a6 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -190,17 +190,91 @@ static int calc_file_id_hash(enum evm_ima_xattr_type 
> type,
>       return rc;
>  }
>  
> +/*

kernel-doc starts with "/**".

> + * asymmetric_verify_v3_hashless - Use hashless signature verification on 
> sigv3
> + * @key: The key to use for signature verification
> + * @pk: The associated public key
> + * @encoding: The encoding the key type uses
> + * @sig: The signature
> + * @siglen: The length of the xattr signature
> + * @algo: The hash algorithm
> + * @digest: The file digest
> + *
> + * Create an ima_file_id structure and use it for signature verification
> + * directly. This can be used for ML-DSA in pure mode for example.

Like the comments on 1/2, please add a comment here indicating that all callers
must verify the signature length (siglen) and the public key (pk) is not NULL,
before calling asymmetric_verify_v3_hashless().  Also indicate that the caller
must free the key.

> + */
> +static int asymmetric_verify_v3_hashless(struct key *key,
> +                                      const struct public_key *pk,
> +                                      const char *encoding,
> +                                      const char *sig, int siglen,
> +                                      u8 algo,
> +                                      const u8 *digest)
> +{
> +     struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
> +     struct ima_file_id file_id = {
> +             .hash_type = hdr->type,
> +             .hash_algorithm = algo,
> +     };
> +     size_t digest_size = hash_digest_size[algo];

Defer initializing the digest_size and .m_size, below, until after checking the
hash algorithm is valid. 

> +     struct public_key_signature pks = {
> +             .m = (u8 *)&file_id,
> +             .m_size = sizeof(file_id) - (HASH_MAX_DIGESTSIZE - digest_size),
> +             .s = hdr->sig,
> +             .s_size = siglen - sizeof(*hdr),
> +             .pkey_algo = pk->pkey_algo,
> +             .hash_algo = "none",
> +             .encoding = encoding,
> +     };
> +     int ret;
> +
> +     if (hdr->type != IMA_VERITY_DIGSIG &&
> +         hdr->type != EVM_IMA_XATTR_DIGSIG &&
> +         hdr->type != EVM_XATTR_PORTABLE_DIGSIG)
> +             return -EINVAL;
> +
> +     if (pks.s_size != be16_to_cpu(hdr->sig_size))
> +             return -EBADMSG;
> +
> +     memcpy(file_id.hash, digest, digest_size);

First check the hash algorithm is valid, before using digest_size.

> +
> +     ret = verify_signature(key, &pks);
> +     pr_debug("%s() = %d\n", __func__, ret);
> +     return ret;
> +}
> +
>  int asymmetric_verify_v3(struct key *keyring, const char *sig, int siglen,
>                        const char *data, int datalen, u8 algo)
>  {
>       struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
>       struct ima_max_digest_data hash;
> +     const struct public_key *pk;
> +     struct key *key;
>       int rc;
>  
> -     rc = calc_file_id_hash(hdr->type, algo, data, &hash);
> -     if (rc)
> -             return -EINVAL;
> +     if (siglen <= sizeof(*hdr))
> +             return -EBADMSG;
> +
> +     key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
> +     if (IS_ERR(key))
> +             return PTR_ERR(key);
>  
> -     return asymmetric_verify(keyring, sig, siglen, hash.digest,
> -                              hash.hdr.length);
> +     pk = asymmetric_key_public_key(key);

Please add a test to check that 'pk' isn't null.

> +     if (!strncmp(pk->pkey_algo, "mldsa", 5)) {
> +             rc = asymmetric_verify_v3_hashless(key, pk, "raw",
> +                                                sig, siglen, algo, data);
> +     } else {
> +             rc = calc_file_id_hash(hdr->type, algo, data, &hash);
> +             if (rc) {
> +                     rc = -EINVAL;
> +                     goto err_exit;
> +             }
> +
> +             rc = asymmetric_verify_common(key, pk, sig, siglen, hash.digest,
> +                                           hash.hdr.length);
> +     }
> +
> +err_exit:

Normally a label named 'err*' would be preceded by a return.  Here, the label
"err_exit" is always called, not only when there is an error.  Please rename the
label to something more appropriate - out, cleanup, etc.

> +     key_put(key);
> +
> +     return rc;
>  }

thanks,

Mimi

Reply via email to