@@ -46,6 +46,14 @@ option('gstreamer',
value : 'auto',
description : 'Compile libcamera GStreamer plugin')
+option('ipa-signature-algo',
+ type : 'combo',
+ choices : [
+ 'rsa-sha256',
+ 'ml-dsa-65',
+ ],
+ description : 'Select a signature algorithm to sign IPA libraries.')
+
option('ipas',
type : 'array',
choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple',
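Review bot: The new `ipa-signature-algo` option has no `value :`, so its default is whichever entry comes first in `choices`; reordering that list would silently change the algorithm used to sign IPA modules. Stating it explicitly with `value : 'rsa-sha256',` matches the commit message and the style of the neighbouring options. The description could also name the default, for example `'Signature algorithm used to sign IPA modules (default: rsa-sha256)'`.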
@@ -97,6 +97,12 @@ else
endif
endif
+# comply with FIPS 204
+signature_algo = get_option('ipa-signature-algo')
+if signature_algo == 'ml-dsa-65'
+ config_h.set('WITH_PQC', 1)
+endif
+
if not libcrypto.found()
warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
summary({'IPA modules signed with': 'None (modules will run isolated)'},
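Review bot: `WITH_PQC` is defined as soon as the option is `ml-dsa-65`, before the `if not libcrypto.found()` check that follows, so it is set even when no crypto backend was found or when the one found cannot verify ML-DSA signatures. OpenSSL gained ML-DSA in 3.5, and what the gnutls path supports is not visible here. Setting it only in the branch where a backend was found, for example `if signature_algo == 'ml-dsa-65' and libcrypto.found()`, and calling `error()` when the backend is too old, would give a configure-time failure instead of modules that presumably fail verification at run time. The comment `# comply with FIPS 204` would be clearer as `# ML-DSA (FIPS 204): enable the post-quantum signature verification path`. The surrounding if/else chain starts and ends outside the hunk.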
@@ -15,11 +15,19 @@ summary({
}, section : 'Paths')
# Module Signing
+signature_algo = get_option('ipa-signature-algo')
openssl = find_program('openssl', required : false)
if openssl.found()
- ipa_priv_key = custom_target('ipa-priv-key',
- output : ['ipa-priv-key.pem'],
- command : [gen_ipa_priv_key, '@OUTPUT@'])
+ if signature_algo == 'ml-dsa-65'
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])
+ endif
+ if signature_algo == 'rsa-sha256'
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])
+ endif
config_h.set('HAVE_IPA_PUBKEY', 1)
ipa_sign_module = true
else
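Review bot: `HAVE_IPA_PUBKEY` and `ipa_sign_module = true` are set whenever an `openssl` program is found, with no check that it can generate the selected key type; with `ml-dsa-65` and an OpenSSL older than 3.5 the `genpkey` call would only fail at build time. A configure-time version check when `signature_algo == 'ml-dsa-65'`, ending in something like `error('ipa-signature-algo=ml-dsa-65 needs OpenSSL >= 3.5')`, would surface that earlier. The two independent `if` blocks would also leave `ipa_priv_key` undefined if a third choice is ever added, which an `if … elif … else error('unsupported ipa-signature-algo') endif` chain avoids. The diffstat lists no change to the signing script or the verification code, so it is worth confirming that both handle an ML-DSA key. The `if openssl.found()` block continues past the end of the hunk.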
@@ -6,6 +6,18 @@
#
# Generate an RSA private key to sign IPA modules
-key="$1"
+algo="$1"
+key="$2"
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# Two possible algorithms: RSA and ML-DSA-65
+# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+
+if [ "$algo" == "RSA" ]; then
+ openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+elif [ "$algo" == "ML-DSA-65" ]; then
+ openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+ echo "Invalid algorithm: $algo"
+ exit 1
+fi
\ No newline at end of file
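Review bot: `[ "$algo" == "RSA" ]` uses `==`, which POSIX `test` does not define. The shebang is outside the hunk, but if the script runs under `/bin/sh` where that is dash, both comparisons may error out and every call would land in the `Invalid algorithm` branch. Using `=` is portable: `if [ "$algo" = "RSA" ]; then` and `elif [ "$algo" = "ML-DSA-65" ]; then`. The error message belongs on stderr, `echo "Invalid algorithm: $algo" >&2`. The header comment still says the script generates an RSA private key, and the file now ends without a newline.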
Add a combo type "ipa-signature-algo" meson option to select signature algorithms, including rsa-sha256 and ml-dsa-65. rsa-sha256 is the default setting for now. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- meson_options.txt | 8 ++++++++ src/libcamera/meson.build | 6 ++++++ src/meson.build | 14 +++++++++++--- utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- 4 files changed, 39 insertions(+), 5 deletions(-)