@@ -26,6 +26,11 @@ option('doc_werror',
value : false,
description : 'Treat documentation warnings as errors')
+option('fips',
+ type : 'boolean',
+ value : false,
+ description : 'Sign IPA library using ML-DSA (FIPS 204)')
+
option('gstreamer',
type : 'feature',
value : 'auto',
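Review bot: The option name and description overstate what the switch does. It only selects the signing algorithm, and RSA signatures are themselves FIPS-approved (FIPS 186-5), so `fips=false` does not mean "non-FIPS". The rest of the build files say "IPA modules" rather than "IPA library", so a more accurate description would be `description : 'Sign IPA modules with ML-DSA-65 (FIPS 204) instead of RSA-2048')`. If the name can still change, one that names the algorithm choice would avoid implying that the build as a whole is FIPS validated.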
@@ -118,6 +118,12 @@ else
endif
endif
+# comply with FIPS 204
+with_fips = get_option('fips')
+if with_fips
+ config_h.set('WITH_FIPS', 1)
+endif
+
if not libcrypto.found()
warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
summary({'IPA modules signed with': 'None (modules will run isolated)'},
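Review bot: `WITH_FIPS` is defined from the option alone, ahead of the `libcrypto.found()` check that follows, and the diffstat lists no source file that reads it. As far as this patch shows, `fips=true` changes how the key is generated but not how signatures are verified. Modules signed with ML-DSA would then presumably fail verification and run isolated, so confirm against the verifier code, which is outside this patch. Consider rejecting the combination at configure time, e.g. `if with_fips and not libcrypto.found()` followed by `error('fips=true requires a libcrypto with ML-DSA support')`. The `# comply with FIPS 204` comment should also say what the define selects, and the surrounding if/else chain starts before this hunk.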
@@ -15,11 +15,18 @@ summary({
}, section : 'Paths')
# Module Signing
+with_fips = get_option('fips')
openssl = find_program('openssl', required : false)
if openssl.found()
- ipa_priv_key = custom_target('ipa-priv-key',
- output : ['ipa-priv-key.pem'],
- command : [gen_ipa_priv_key, '@OUTPUT@'])
+ if with_fips
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])
+ else
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])
+ endif
config_h.set('HAVE_IPA_PUBKEY', 1)
ipa_sign_module = true
else
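Review bot: With `fips=true` the key target passes `ML-DSA-65` to whatever `openssl` binary `find_program` returned, without checking that it supports the algorithm. ML-DSA only arrived in OpenSSL 3.5, so an older tool fails during the build in the key-generation step while `HAVE_IPA_PUBKEY` is already set. A version check on the found program before enabling signing would surface this at configure time. Separately, the two `custom_target` calls differ in a single argument and `with_fips` is fetched again here. `ipa_key_algo = with_fips ? 'ML-DSA-65' : 'RSA'` with one target using `command : [gen_ipa_priv_key, ipa_key_algo, '@OUTPUT@']` keeps the choice in one place. The `if openssl.found()` block continues past the end of the hunk.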
@@ -6,6 +6,18 @@
#
# Generate an RSA private key to sign IPA modules
-key="$1"
+algo="$1"
+key="$2"
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# Two possible algorithms: RSA and ML-DSA-65
+# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+
+if [ "$algo" == "RSA" ]; then
+ openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+elif [ "$algo" == "ML-DSA-65" ]; then
+ openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+ echo "Invalid algorithm: $algo"
+ exit 1
+fi
\ No newline at end of file
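Review bot: The comparisons use `==` inside `[ ... ]`, which is a bash extension. The shebang is outside the hunk, but if the script runs under a POSIX `sh` such as dash, both tests fail and every invocation ends in the `Invalid algorithm` branch, so no signing key is produced. Use `if [ "$algo" = "RSA" ]; then` and `elif [ "$algo" = "ML-DSA-65" ]; then`, and send the diagnostic to stderr with `echo "Invalid algorithm: $algo" >&2`. The header comment still says "Generate an RSA private key" and should name both algorithms. The two commented-out `openssl genpkey` lines duplicate the live code and can be dropped, and the file should end with a newline.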
Add a boolean "fips" meson option to enable ML-DSA. If fips=false, RSA-SHA256 will be used. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- meson_options.txt | 5 +++++ src/libcamera/meson.build | 6 ++++++ src/meson.build | 13 ++++++++++--- utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- 4 files changed, 35 insertions(+), 5 deletions(-)