On October 25, a developer posted that the SM2 national secret algorithm was finally accepted by the Linux kernel community. The author stated that the SM2 patch has been updated to version v7. This version of the patch was finally accepted by the community. It has been merged into the 5.10-rc1 of the Linux mainline . If nothing else , it will be officially released in the 5.10 kernel version.
National Secret is the abbreviation of National Commercial Encryption. The National Encryption Administration Bureau formulates algorithm standards, and it also formulates a large number of product and interface specifications and application scenarios. Since 2012, the State Cryptography Administration has successively published SM2/SM3/SM4 and other cryptographic algorithm standards and their application specifications in the form of the "People's Republic of China Password Industry Standards". Among them, "SM" stands for "commercial secret", which is a cryptographic technology used for commercial use that does not involve state secrets.
According to the author, the current Linux kernel has well supported the SM3 and SM4 algorithms, thanks to the widespread use of wireless LAN standards. However, the SM2 algorithm and the national secret certificate have not been supported for a long time, and it is impossible to establish full-stack trust and integrity verification in the kernel based on the national secret. Therefore, it has become urgent to support this system in the kernel.
It took 7 rounds for the kernel community to accept SM2. The initial consideration was to migrate from openssl, but the openssl architecture and infrastructure code needed to be ported because of the huge workload. After several rounds of discussion and testing, I found that the existing libgcrypt already has a complete elliptic curve basic algorithm, so I tried to implement SM2 in libgcrypt first, and finally the SM2 algorithm was accepted by the community as a sub-algorithm of ECC. After that, SM2 was gradually accepted by the kernel community.
At present, libgcrypt has fully supported the national secret algorithm SM2/3/4, and these implementations will be officially released in the next version 1.9.0. At the same time, as a user-mode tool for IMA integrity signatures, ima-evm-utils' support for national secrets has not fallen. Click to view related submissions .
Finally, the author also summarizes the known issues of SM2:
- To support national secret certificate verification, SM2 either does not compile, or it must be built-in compilation, and does not support compilation into modules. Of course, SM2, as an asymmetric algorithm, only signs a hash or IMA verification based on national secrets, and there is no such limitation.
- The IMA signature tool ima-evm-utils and the national secret algorithm used by the kernel to calculate the SM3 hash of the file do not add Za. This is a little difference from the specification.