Documentation/translations/zh_CN/security/digsig.rst
Source file repositories/reference/linux-study-clean/Documentation/translations/zh_CN/security/digsig.rst
File Facts
- System
- Linux kernel
- Corpus path
Documentation/translations/zh_CN/security/digsig.rst- Extension
.rst- Size
- 2921 bytes
- Lines
- 104
- Domain
- Support Tooling And Documentation
- Bucket
- Documentation
- Inferred role
- Support Tooling And Documentation: documentation
- Status
- atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
struct pubkey_hdrstruct signature_hdr
Annotated Snippet
struct pubkey_hdr {
uint8_t version; /* 密钥格式版本 */
time_t timestamp; /* 密钥时间戳,目前为0 */
uint8_t algo;
uint8_t nmpi;
char mpi[0];
} __packed;
struct signature_hdr {
uint8_t version; /* 签名格式版本 */
time_t timestamp; /* 签名时间戳 */
uint8_t algo;
uint8_t hash;
uint8_t keyid[8];
uint8_t nmpi;
char mpi[0];
} __packed;
keyid等同对整个密钥的内容进行SHA1哈希运算后的第12到19字节。
签名头部用于生成签名的输入。这种方法确保了密钥或签名头部无法更改。
它保护时间戳不被更改,并可以用于回滚保护。
API
===
目前API仅包含一个函数::
digsig_verify() - 使用公钥进行数字签名验证
/**
* digsig_verify() - 使用公钥进行数字签名验证
* @keyring: 查找密钥的密钥环
* @sig: 数字签名
* @sigen: 签名的长度
* @data: 数据
* @datalen: 数据的长度
* @return: 成功时返回0,失败时返回 -EINVAL
*
* 验证数据相对于数字签名的完整性。
* 目前仅支持RSA算法。
* 通常将内容的哈希值作为此函数的数据。
*
*/
int digsig_verify(struct key *keyring, const char *sig, int siglen,
const char *data, int datalen);
用户空间工具
============
签名和密钥管理实用工具evm-utils提供了生成签名、加载密钥到内核密钥环中的功能。
密钥可以是PEM格式,或转换为内核格式。
当把密钥添加到内核密钥环时,keyid定义该密钥的名称:下面的示例中为5D2B05FC633EE3E8。
以下是keyctl实用工具的示例输出::
$ keyctl show
Session Keyring
-3 --alswrv 0 0 keyring: _ses
603976250 --alswrv 0 -1 \_ keyring: _uid.0
817777377 --alswrv 0 0 \_ user: kmk
891974900 --alswrv 0 0 \_ encrypted: evm-key
170323636 --alswrv 0 0 \_ keyring: _module
548221616 --alswrv 0 0 \_ keyring: _ima
128198054 --alswrv 0 0 \_ keyring: _evm
$ keyctl list 128198054
1 key in keyring:
620789745: --alswrv 0 0 user: 5D2B05FC633EE3E8
Annotation
- Detected declarations: `struct pubkey_hdr`, `struct signature_hdr`.
- Atlas domain: Support Tooling And Documentation / Documentation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.