[v4,0/4] Implement ML-DSA-65 for Post-Quantum Cryptographic compliance
mbox series

Message ID 20260701040721.145659-1-hpa@redhat.com
Headers show
Series
  • Implement ML-DSA-65 for Post-Quantum Cryptographic compliance
Related show

Message

Kate Hsuan July 1, 2026, 4:07 a.m. UTC
This patchset integrates the ML-DSA-65 [1] signature algorithm to ensure
Post-Quantum Cryptography (PQC) compliance. Following NIST's finalization
of PQC standards [2], ML-DSA has been established as the primary
quantum-resistant signature standard. As quantum computing advances, legacy
algorithms like RSA are becoming increasingly vulnerable and are slated
for replacement by 2035 [3]. By adopting ML-DSA for IPA library signing,
this work secures the long-term integrity of the IPA library and aligns
libcamera with the latest NIST security frameworks.

[1] https://csrc.nist.gov/pubs/fips/204/final
[2] https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)]
[3] https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Changes in v4:
- Drop conditional compilation for signature algorithms.
- Add utils/check-algo.sh to check if the signature algorithm is
  supported by the library.
- Add error message if the signature algorithm is not supported by the library.
- Delete the existed private key file before generating a new one.
- Replace the RSA verification with EVP_DigestVerify().

Changes in v3:
- Add "utils::scope_exit ctxGuard([&] { EVP_MD_CTX_free(ctx); });"
  and rename the variable name from "ctx_dsa" to "ctx".
- Drop the debug logs from the pub_key.cpp.
- Resolve "[: RSA: unexpected operator" in utils/gen-ipa-priv-key.sh

Changes in v2:
- Change the meson option name from "fips" to "isp-signature-algo".
- Drop the debug print in the pub_key.cpp.
- One line command "openssl pkeyutl" is used to sign the IPA library.

Kate Hsuan (4):
  libcamera: pub_key: Add ML-DSA-65 signature algorithm for PQC
    compliance
  utils: codegen: gen-ipa-pub-key: replace openssl rsa with openssl pkey
  ipa: ipa-sign: Sign IPA according to the signature algorithm of the
    key
  meson: Add ipa-signature-algo option

 meson_options.txt                |  8 ++++++
 src/ipa/ipa-sign.sh              |  2 +-
 src/libcamera/meson.build        | 11 ++++++++
 src/libcamera/pub_key.cpp        | 45 ++++++++++++++++++--------------
 src/meson.build                  |  6 ++++-
 utils/check-algo.sh              | 35 +++++++++++++++++++++++++
 utils/codegen/gen-ipa-pub-key.py |  2 +-
 utils/gen-ipa-priv-key.sh        | 21 ++++++++++++---
 8 files changed, 104 insertions(+), 26 deletions(-)
 create mode 100755 utils/check-algo.sh

--
2.54.0