| Message ID | 20260408075540.53309-5-hpa@redhat.com |
|---|---|
| State | Superseded |
Hi 2026. 04. 08. 9:55 keltezéssel, Kate Hsuan írta: > Add a boolean type "fips" meson option to enable ML-SDA. If fips=false, > the RSA-SHA256 will be used. > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > --- > meson_options.txt | 5 +++++ > src/libcamera/meson.build | 6 ++++++ > src/meson.build | 13 ++++++++++--- > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > 4 files changed, 35 insertions(+), 5 deletions(-) > > diff --git a/meson_options.txt b/meson_options.txt > index c27e377a..c89167fb 100644 > --- a/meson_options.txt > +++ b/meson_options.txt > @@ -26,6 +26,11 @@ option('doc_werror', > value : false, > description : 'Treat documentation warnings as errors') > > +option('fips', > + type : 'boolean', > + value : false, > + description : 'Sign IPA library using ML-DSA (FIPS 204)') I think this is a very cryptic option name. Would it not be clearer to call it "pq-signature" or similar? Or "signature-algo" as a `choice` option with two values? Regards, Barnabás Pőcze > + > option('gstreamer', > type : 'feature', > value : 'auto', > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > index d1594358..aed962c4 100644 > --- a/src/libcamera/meson.build > +++ b/src/libcamera/meson.build > @@ -118,6 +118,12 @@ else > endif > endif > > +# comply with FIPS 204 > +with_fips = get_option('fips') > +if with_fips > + config_h.set('WITH_FIPS', 1) > +endif > + > if not libcrypto.found() > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > diff --git a/src/meson.build b/src/meson.build > index 9b63c8e8..f1493341 100644 > --- a/src/meson.build > +++ b/src/meson.build 
> @@ -15,11 +15,18 @@ summary({ > }, section : 'Paths') > > # Module Signing > +with_fips = get_option('fips') > openssl = find_program('openssl', required : false) > if openssl.found() > - ipa_priv_key = custom_target('ipa-priv-key', > - output : ['ipa-priv-key.pem'], > - command : [gen_ipa_priv_key, '@OUTPUT@']) > + if with_fips > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > + else > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > + endif > config_h.set('HAVE_IPA_PUBKEY', 1) > ipa_sign_module = true > else > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > index 2ca7b883..374377fc 100755 > --- a/utils/gen-ipa-priv-key.sh > +++ b/utils/gen-ipa-priv-key.sh > @@ -6,6 +6,18 @@ > # > # Generate an RSA private key to sign IPA modules > > -key="$1" > +algo="$1" > +key="$2" > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# Two possible algorithms: RSA and ML-DSA-65 > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > + > +if [ "$algo" == "RSA" ]; then > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +elif [ "$algo" == "ML-DSA-65" ]; then > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > +else > + echo "Invalid algorithm: $algo" > + exit 1 > +fi > \ No newline at end of file
Hi Barnabás, On Mon, Apr 13, 2026 at 4:43 PM Barnabás Pőcze <barnabas.pocze@ideasonboard.com> wrote: > > Hi > > 2026. 04. 08. 9:55 keltezéssel, Kate Hsuan írta: > > Add a boolean type "fips" meson option to enable ML-SDA. If fips=false, > > the RSA-SHA256 will be used. > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > --- > > meson_options.txt | 5 +++++ > > src/libcamera/meson.build | 6 ++++++ > > src/meson.build | 13 ++++++++++--- > > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > > 4 files changed, 35 insertions(+), 5 deletions(-) > > > > diff --git a/meson_options.txt b/meson_options.txt > > index c27e377a..c89167fb 100644 > > --- a/meson_options.txt > > +++ b/meson_options.txt > > @@ -26,6 +26,11 @@ option('doc_werror', > > value : false, > > description : 'Treat documentation warnings as errors') > > > > +option('fips', > > + type : 'boolean', > > + value : false, > > + description : 'Sign IPA library using ML-DSA (FIPS 204)') > > I think this is a very cryptic option name. Would it not be clearer to > call it "pq-signature" or similar? Or "signature-algo" as a `choice` option > with two values? Good question. Since there are many options for the ml-dsa, such as ml-dsa-44 and ml-dsa-87, a "choice" option is more flexible. If "signature-algo" is used, the option will look like the following example. signature-algo: ml-dsa-65 | rsa-sha254 > > > Regards, > Barnabás Pőcze > > > + > > option('gstreamer', > > type : 'feature', > > value : 'auto', > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > index d1594358..aed962c4 100644 > > --- a/src/libcamera/meson.build > > +++ b/src/libcamera/meson.build 
> > @@ -118,6 +118,12 @@ else > > endif > > endif > > > > +# comply with FIPS 204 > > +with_fips = get_option('fips') > > +if with_fips > > + config_h.set('WITH_FIPS', 1) > > +endif > > + > > if not libcrypto.found() > > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > > diff --git a/src/meson.build b/src/meson.build > > index 9b63c8e8..f1493341 100644 > > --- a/src/meson.build > > +++ b/src/meson.build > > @@ -15,11 +15,18 @@ summary({ > > }, section : 'Paths') > > > > # Module Signing > > +with_fips = get_option('fips') > > openssl = find_program('openssl', required : false) > > if openssl.found() > > - ipa_priv_key = custom_target('ipa-priv-key', > > - output : ['ipa-priv-key.pem'], > > - command : [gen_ipa_priv_key, '@OUTPUT@']) > > + if with_fips > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > > + else > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > > + endif > > config_h.set('HAVE_IPA_PUBKEY', 1) > > ipa_sign_module = true > > else > > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > > index 2ca7b883..374377fc 100755 > > --- a/utils/gen-ipa-priv-key.sh > > +++ b/utils/gen-ipa-priv-key.sh 
> > @@ -6,6 +6,18 @@ > > # > > # Generate an RSA private key to sign IPA modules > > > > -key="$1" > > +algo="$1" > > +key="$2" > > > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# Two possible algorithms: RSA and ML-DSA-65 > > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > + > > +if [ "$algo" == "RSA" ]; then > > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +elif [ "$algo" == "ML-DSA-65" ]; then > > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > +else > > + echo "Invalid algorithm: $algo" > > + exit 1 > > +fi > > \ No newline at end of file >
diff --git a/meson_options.txt b/meson_options.txt
index c27e377a..c89167fb 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -26,6 +26,11 @@ option('doc_werror',
 value : false,
 description : 'Treat documentation warnings as errors')
 
+option('fips',
+ type : 'boolean',
+ value : false,
+ description : 'Sign IPA library using ML-DSA (FIPS 204)')
+
 option('gstreamer',
 type : 'feature',
 value : 'auto',
diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
index d1594358..aed962c4 100644
--- a/src/libcamera/meson.build
+++ b/src/libcamera/meson.build
@@ -118,6 +118,12 @@ else
 endif
 endif
 
+# comply with FIPS 204
+with_fips = get_option('fips')
+if with_fips
+ config_h.set('WITH_FIPS', 1)
+endif
+
 if not libcrypto.found()
 warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
 summary({'IPA modules signed with': 'None (modules will run isolated)'},
diff --git a/src/meson.build b/src/meson.build
index 9b63c8e8..f1493341 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -15,11 +15,18 @@ summary({
 }, section : 'Paths')
 
 # Module Signing
+with_fips = get_option('fips')
 openssl = find_program('openssl', required : false)
 if openssl.found()
- ipa_priv_key = custom_target('ipa-priv-key',
- output : ['ipa-priv-key.pem'],
- command : [gen_ipa_priv_key, '@OUTPUT@'])
+ if with_fips
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])
+ else
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])
+ endif
 config_h.set('HAVE_IPA_PUBKEY', 1)
 ipa_sign_module = true
 else
diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh
index 2ca7b883..374377fc 100755
--- a/utils/gen-ipa-priv-key.sh
+++ b/utils/gen-ipa-priv-key.sh
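Review bot: The description of the new option in meson_options.txt only says what `true` selects; a reader of `meson configure` cannot tell from it that the default keeps the existing RSA signing, and it says "IPA library" where the code signs IPA modules. A description that names both sides, e.g. `description : 'Sign IPA modules with ML-DSA-65 (FIPS 204) instead of RSA'`, would also document that the parameter set is fixed to ML-DSA-65 by the src/meson.build change rather than chosen by the option.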
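Review bot: The comment `# comply with FIPS 204` in src/libcamera/meson.build overstates what the block does: it reads the `fips` option and defines `WITH_FIPS`, which selects the ML-DSA-65 key for module signing, but it does not make the build or its crypto backend FIPS-validated. I would reword it to `# Sign IPA modules with ML-DSA-65 (FIPS 204) instead of RSA`, and note in the comment which code consumes `WITH_FIPS`, since nothing in this patch reads it (presumably a later patch in the series does). The `summary()` call that follows reports the signing backend; it seems worth extending that summary to also state the selected algorithm so the configure output shows which key type is in use.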
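Review bot: The two `custom_target('ipa-priv-key', ...)` branches in src/meson.build are identical except for the algorithm string, so the `if with_fips` block can collapse into `ipa_key_algo = with_fips ? 'ML-DSA-65' : 'RSA'` followed by a single `custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], command : [gen_ipa_priv_key, ipa_key_algo, '@OUTPUT@'])`; this also keeps a future ML-DSA-44/87 choice to a one-line change. Separately, `find_program('openssl')` only establishes that some openssl exists; an openssl without ML-DSA support will fail the key generation at build time, inside the script, rather than at configure time. A `run_command` probe of the found openssl when `with_fips` is set would turn that into a clear configure-time error; I have not verified which openssl versions provide ML-DSA-65, so the exact probe is for the author to choose. `with_fips` is also read in src/libcamera/meson.build; if that subdir is entered after this point, the second `get_option('fips')` may be redundant.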
@@ -6,6 +6,18 @@
 #
 # Generate an RSA private key to sign IPA modules
 
-key="$1"
+algo="$1"
+key="$2"
 
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# Two possible algorithms: RSA and ML-DSA-65
+# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+
+if [ "$algo" == "RSA" ]; then
+ openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+elif [ "$algo" == "ML-DSA-65" ]; then
+ openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+ echo "Invalid algorithm: $algo"
+ exit 1
+fi
\ No newline at end of file
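Review bot: The tests `[ "$algo" == "RSA" ]` and `[ "$algo" == "ML-DSA-65" ]` use `==`, which is a bash extension inside `[ ]`; the shebang is above this hunk so I cannot see which shell runs the script, but if it is `/bin/sh` (dash) both comparisons fail and every invocation takes the `exit 1` path. The portable form is `if [ "$algo" = "RSA" ]; then` and `elif [ "$algo" = "ML-DSA-65" ]; then`, and the rejection should go to stderr, `echo "Invalid algorithm: $algo" >&2`, so it is not lost in the build output. Failing closed on an unknown algorithm is the right behaviour and should be kept. The unchanged header comment `# Generate an RSA private key to sign IPA modules` is now stale, and the three commented-out `openssl genpkey` lines duplicate the code below them; I would replace both with a single comment such as `# Generate the private key used to sign IPA modules; $1 selects RSA or ML-DSA-65, $2 is the output path`.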
Add a boolean "fips" meson option to enable ML-DSA. If fips=false, RSA-SHA256 will be used. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- meson_options.txt | 5 +++++ src/libcamera/meson.build | 6 ++++++ src/meson.build | 13 ++++++++++--- utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- 4 files changed, 35 insertions(+), 5 deletions(-)