From df68fa27aeb60592ca671744d6f72f51cc3c0247 Mon Sep 17 00:00:00 2001 From: lhx Date: Tue, 16 Aug 2022 17:46:40 +0800 Subject: [PATCH] docs add document for ShangMi features --- ...SH\345\215\217\350\256\256\346\240\210.md" | 52 ++ ...CP\345\215\217\350\256\256\346\240\210.md" | 521 ++++++++++++++++++ ...41\345\235\227\347\255\276\345\220\215.md" | 107 ++++ ...64\346\200\247\344\277\235\346\212\244.md" | 491 +++++++++++++++++ .../docs/ShangMi/\346\246\202\350\277\260.md" | 17 + ...53\344\273\275\351\211\264\345\210\253.md" | 122 ++++ ...01\347\233\230\345\212\240\345\257\206.md" | 89 +++ .../\347\256\227\346\263\225\345\272\223.md" | 194 +++++++ .../docs/ShangMi/\350\257\201\344\271\246.md" | 82 +++ ...24\347\224\250\351\205\215\347\275\256.md" | 1 - docs/zh/menu/index.md | 9 + 11 files changed, 1684 insertions(+), 1 deletion(-) create mode 100644 "docs/zh/docs/ShangMi/SSH\345\215\217\350\256\256\346\240\210.md" create mode 100644 "docs/zh/docs/ShangMi/TLCP\345\215\217\350\256\256\346\240\210.md" create mode 100644 "docs/zh/docs/ShangMi/\345\206\205\346\240\270\346\250\241\345\235\227\347\255\276\345\220\215.md" create mode 100644 "docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" create mode 100644 "docs/zh/docs/ShangMi/\346\246\202\350\277\260.md" create mode 100644 "docs/zh/docs/ShangMi/\347\224\250\346\210\267\350\272\253\344\273\275\351\211\264\345\210\253.md" create mode 100644 "docs/zh/docs/ShangMi/\347\243\201\347\233\230\345\212\240\345\257\206.md" create mode 100644 "docs/zh/docs/ShangMi/\347\256\227\346\263\225\345\272\223.md" create mode 100644 "docs/zh/docs/ShangMi/\350\257\201\344\271\246.md" delete mode 100644 "docs/zh/docs/ShangMiFeature/\345\225\206\345\257\206\345\272\224\347\224\250\351\205\215\347\275\256.md" diff --git "a/docs/zh/docs/ShangMi/SSH\345\215\217\350\256\256\346\240\210.md" "b/docs/zh/docs/ShangMi/SSH\345\215\217\350\256\256\346\240\210.md" new file mode 100644 index 000000000..833a9b550 --- /dev/null +++ "b/docs/zh/docs/ShangMi/SSH\345\215\217\350\256\256\346\240\210.md" @@ -0,0 +1,52 @@ +# SSH协议栈 + +## 概述 + +openSSH组件是以C语言的openSSL的libcrypto为基础,实现的安全外壳协议(Secure Shell)组件。主要功能为远程登录系统,保证非安全网络环境中信息加密完整可靠。openEuler提供的SSH的服务端和客户端配置项中涉及密钥交换、公钥认证、对称加密和完整性认证的配置参数取值可以选择为商密算法套件(包含SM2/3/4算法)。 + +## 前置条件 + +1. openssh软件包安装并大于等于指定版本: + +``` +$ rpm -qa | grep openssh +openssh-8.8p1-5.oe2209.x86_64 +openssh-server-8.8p1-5.oe2209.x86_64 +openssh-clients-8.8p1-5.oe2209.x86_64 +``` + +## 如何使用 + +### 场景1:用户远程登录 + +1. 客户端调用ssh-keygen生成用户密钥,默认保存为“\~/.ssh/id_sm2”和“\~/.ssh/id_sm2.pub”,将“\~/.ssh/id_sm2.pub”发送给服务端(也可使用ssh-copy-id命令发送): + +``` +$ ssh-keygen -t sm2 -m PEM +``` + +2. 服务端调用ssh-keygen生成主机密钥,并将客户端发送的公钥加入授权密钥文件列表(如使用ssh-copy-id命令传输,则会自动写入): + +``` +$ ssh-keygen -t sm2 -m PEM -f /etc/ssh/ssh_host_sm2_key +$ cat /path/to/id_sm2.pub >> ~/.ssh/authorized_keys +``` + +3. 服务端修改/etc/ssh/sshd_config,配置支持商密算法登录。商密的配置项可选商密参数如下表: + +| 配置项含义 | 配置项参数 | 配置项参数的商密取值 | +|---------------------|------------------------|---------------| +| 主机密钥公钥认证密钥 (仅服务端可配) | HostKeyAlgorithms | /etc/ssh/ssh_host_sm2_key | +| 主机密钥公钥认证算法 | HostKeyAlgorithms | sm2 | +| 密钥交换算法 | KexAlgorithms | sm2-sm3 | +| 对称加密算法 | Ciphers | sm4-ctr | +| 完整性校验算法 | MACs | hmac-sm3 | +| 用户公钥认证算法 | PubkeyAcceptedKeyTypes | sm2 | +| 用户公钥认证密钥(仅客户端可配) | IdentityFile | ~/.ssh/id_sm2 | +| 打印密钥指纹使用的哈希算法 | FingerprintHash | sm3 | + +4. 客户端配置商密算法完成登录。客户端可以使用命令行方式或者修改配置文件的方式使能商密算法套件。使用命令行登录方式如下: + +``` +ssh -o PreferredAuthentications=publickey -o HostKeyAlgorithms=sm2 -o PubkeyAcceptedKeyTypes=sm2 -o Ciphers=sm4-ctr -o MACs=hmac-sm3 -o KexAlgorithms=sm2-sm3 -i ~/.ssh/id_sm2 [remote-ip] +``` diff --git "a/docs/zh/docs/ShangMi/TLCP\345\215\217\350\256\256\346\240\210.md" "b/docs/zh/docs/ShangMi/TLCP\345\215\217\350\256\256\346\240\210.md" new file mode 100644 index 000000000..a831114df --- /dev/null +++ "b/docs/zh/docs/ShangMi/TLCP\345\215\217\350\256\256\346\240\210.md" @@ -0,0 +1,521 @@ +# TLCP协议栈 + +## 概述 + +TLCP是指符合《GB/T38636 2020信息安全技术 传输层密码协议(TLCP)》的安全通信协议,其特点是采用加密证书/私钥和签名证书/私钥相分离的方式。openEuler 22.09版本之后发布openSSL软件在开源版本的基础上增加了对商密TLCP协议的支持,提供了如下主要的功能: + +- 新增对TLCP商密双证书加载的支持; +- 新增对ECC_SM4_CBC_CM3和ECDHE_SM4_CBC_CM3算法套的支持; +- 新增对SM2证书的支持。 + +## 前置条件 + +openEuler操作系统安装的openSSL软件版本号大于1.1.1m-4: + +``` +rpm -qa openssl +openssl-1.1.1m-6.oe2209.x86_64 +``` + +## 如何使用 + +### 场景1:生成SM2双证书 + +根据TLCP协议标准,通信过程需要两本证书:签名证书和加密证书,签名证书在认证过程使用,作用是验证身份;加密证书在密钥协商时使用,负责数据加密。CA是证书认证机构(Certificate Authority)的缩写。CSR证书请求文件得到CA的签发后才可形成证书。下面是一个参考案例,介绍使用自签名的CA证书来签发实体证书: + +1. 准备生成证书所需要使用的配置文件ca.cnf,参考的内容如下(基于openssl源码apps/openssl.cnf修改): + +``` +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature + +[ v3enc_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = keyAgreement, keyEncipherment, dataEncipherment + +[ v3_ca ] + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) + +``` + +2. 生成自签名CA证书: + +``` +openssl ecparam -genkey -name SM2 -outform pem -out ca.key +openssl req -config ca.cnf -new -key ca.key -out ca.csr -sm3 -nodes -sigopt "sm2_id:1234567812345678" -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=root ca" +openssl ca -selfsign -config ca.cnf -in ca.csr -keyfile ca.key -extensions v3_ca -days 3650 -notext -out ca.crt -md sm3 -batch +``` + +3. 生成服务端签名证书和加密证书: + +``` +openssl ecparam -name SM2 -out server_sm2.param +openssl req -config ca.cnf -newkey ec:server_sm2.param -nodes -keyout ../certs/SS.key -sm3 -sigopt "sm2_id:1234567812345678" -new -out ../certs/SS.csr -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=server sign" +openssl ca -config ca.cnf -extensions v3_req -days 30 -in ../certs/SS.csr -out ../certs/SS.crt -md sm3 -batch +openssl req -config ca.cnf -newkey ec:server_sm2.param -nodes -keyout ../certs/SE.key -sm3 -sigopt "sm2_id:1234567812345678" -new -out ../certs/SE.csr -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=server enc" +openssl ca -config ca.cnf -extensions v3enc_req -days 30 -in ../certs/SE.csr -out ../certs/SE.crt -md sm3 -batch +``` + +4. 生成客户端签名证书和加密证书 + +``` +openssl ecparam -name SM2 -out client_sm2.param +openssl req -config ca.cnf -newkey ec:client_sm2.param -nodes -keyout ../certs/CS.key -sm3 -sigopt "sm2_id:1234567812345678" -new -out ../certs/CS.csr -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=client sign" +openssl ca -config ca.cnf -extensions v3_req -days 30 -in ../certs/CS.csr -out ../certs/CS.crt -md sm3 -batch +openssl req -config ca.cnf -newkey ec:client_sm2.param -nodes -keyout ../certs/CE.key -sm3 -sigopt "sm2_id:1234567812345678" -new -out ../certs/CE.csr -subj "/C=AA/ST=BB/O=CC/OU=DD/CN=client enc" +openssl ca -config ca.cnf -extensions v3enc_req -days 30 -in ../certs/CE.csr -out ../certs/CE.crt -md sm3 -batch +``` + +### 场景2:使用openSSL命令行验证TLCP协议栈 + +openSSL中提供的s_server/s_client工具可以用来测试TLCP协议: +``` +# 开启服务端 +openssl s_server -verify 5 -accept 4433 \ + -cert ./certs/SS.crt \ + -key ./certs/SS.key \ + -dcert ./certs/SE.crt \ + -dkey ./certs/SE.key \ + -CAfile ./certs/CA.crt + +# 开启客户端 +openssl s_client -verify 5 -connect 127.0.0.1:4433 \ + -cert ./certs/CS.crt \ + -key ./certs/CS.key \ + -dcert ./certs/CE.crt \ + -dkey ./certs/CE.key \ + -CAfile ./certs/CA.crt -tlcp +``` + +### 场景3:openSSL API使用 + +服务端参考代码: + +``` +SSL_CTX *ctx = NULL; +const char *sign_cert_file = "./certs/SS.crt"; +const char *sign_key_file = "./certs/SS.key"; +const char *enc_cert_file = "./certs/SE.crt"; +const char *enc_key_file = "./certs/SE.key"; + +// 生成上下文 +ctx = SSL_CTX_new(TLS_server_method()); + +// 加载签名证书,加密证书及其私钥 +if (!SSL_CTX_use_gm_certificate_file(ctx, sign_cert_file, SSL_FILETYPE_PEM, SSL_USAGE_SIG)) + goto err; + +if (!SSL_CTX_use_gm_PrivateKey_file(ctx, sign_key_file, SSL_FILETYPE_PEM, SSL_USAGE_SIG)) + goto err; + +if (!SSL_CTX_use_gm_certificate_file(ctx, enc_cert_file, SSL_FILETYPE_PEM, SSL_USAGE_ENC)) + goto err; + +if (!SSL_CTX_use_gm_PrivateKey_file(ctx, enc_key_file, SSL_FILETYPE_PEM, SSL_USAGE_ENC)) + goto err; + +// 如果与BaBaSSL对接,则开启配置。不同的协议栈实现签名证书位置有所不同。 +SSL_CTX_set_options(ctx, SSL_OP_ENCCERT_SECOND_POSITION); + +// 后续同标准tls流程 +SSL *ssl = SSL_new(ctx); +``` + +客户端参考代码: +``` +SSL_CTX *ctx = NULL; +const char *sign_cert_file = "./certs/CS.crt"; +const char *sign_key_file = "./certs/CS.key"; +const char *enc_cert_file = "./certs/CE.crt"; +const char *enc_key_file = "./certs/CE.key"; + +// 生成上下文 +ctx = SSL_CTX_new(TLCP_client_method()); + +// 加载签名证书,加密证书及其私钥 +if (!SSL_CTX_use_gm_certificate_file(ctx, sign_cert_file, SSL_FILETYPE_PEM, SSL_USAGE_SIG)) + goto err; + +if (!SSL_CTX_use_gm_PrivateKey_file(ctx, sign_key_file, SSL_FILETYPE_PEM, SSL_USAGE_SIG)) + goto err; + +if (!SSL_CTX_use_gm_certificate_file(ctx, enc_cert_file, SSL_FILETYPE_PEM, SSL_USAGE_ENC)) + goto err; + +if (!SSL_CTX_use_gm_PrivateKey_file(ctx, enc_key_file, SSL_FILETYPE_PEM, SSL_USAGE_ENC)) + goto err; + +// 如果与BaBaSSL对接,则开启配置。不同的协议栈实现签名证书位置有所不同。 +SSL_CTX_set_options(ctx, SSL_OP_ENCCERT_SECOND_POSITION); + +// 设置算法套件为ECC-SM4-CBC-SM3或者ECDHE-SM4-CBC-SM3 +// 这一步并不强制编写,默认ECC-SM4-CBC-SM3优先 +if(SSL_CTX_set_cipher_list(ctx, "ECC-SM4-CBC-SM3") <= 0) + goto err; + +// 后续同标准tls流程 +SSL *ssl = SSL_new(ctx); +``` + +# KTLS卸载 + +## 概述 + +Linux内核协议栈仅实现了TCP/IP模型,并不支持SSL/TLS会话层协议。目前TLS加解密一般由用户态来实现。但在部分场景下,如内核sendfile发送文件,会产生多次跨态拷贝产生一定的性能开销。因此内核实现了KTLS,即支持对socket配置加密上下文,从而将数据加密过程卸载到内核态或下层硬件实现。 + +openEuler 5.10内核的KTLS特性提供了对商密算法的支持,目前支持SM4-GCM和SM4-CCM两种算法。 + +## 前置条件 + +内核大于或等于指定版本: + +``` +# rpm -qa kernel +kernel-5.10.0-106.1.0.55.oe2209.x86_64 +``` + +## 如何使用 + +商密算法的调用和其他相同类型的加密算法调用方法一致,可参考Linux内核文档: + +``` +https://www.kernel.org/doc/html/v5.10/networking/tls.html +``` \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\345\206\205\346\240\270\346\250\241\345\235\227\347\255\276\345\220\215.md" "b/docs/zh/docs/ShangMi/\345\206\205\346\240\270\346\250\241\345\235\227\347\255\276\345\220\215.md" new file mode 100644 index 000000000..fcc11c1b5 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\345\206\205\346\240\270\346\250\241\345\235\227\347\255\276\345\220\215.md" @@ -0,0 +1,107 @@ +# 内核模块签名 + +## 概述 + +内核模块签名机制是保护Linux内核安全的重要机制,通过在内核模块文件末尾按照一定格式追加签名信息,并在内核模块加载时检查签名是否与内核预置的公钥匹配,从而保障内核模块文件的真实性和完整性。 + +## 前置条件 + +1. 准备openEuler内核编译环境,可参考:https://gitee.com/openeuler/kernel/wikis/kernel; +2. 内核模块签名支持商密算法在openEuler 5.10内核支持,建议选取最新5.10内核源码进行编译; +3. 生成用于内核模块签名的SM2私钥和证书。使用openssl生成的参考命令如下: + +``` +# 生成证书配置文件(配置文件其他字段可按需定义) +$ echo 'subjectKeyIdentifier=hash' > mod.cfg +# 生成SM2签名私钥 +$ openssl ecparam -genkey -name SM2 -out mod.key +# 生成签名请求 +$ openssl req -new -sm3 -key mod.key -out mod.csr +# 生成SM2证书 +$ openssl x509 -req -days 3650 -extfile mod.cfg -signkey mod.key -in mod.csr -out mod.crt +``` + +## 如何使用 + +### 场景1:自动签名 + +将证书和私钥写入到mod.pem文件中: + +``` +$ cat /path/to/mod.key > mod.pem +$ cat /path/to/mod.crt >> mod.pem +``` + +在内核编译选项中配置使用SM3算法进行内核模块签名,参考步骤如下: + +``` +$ make openeuler_defconfig +$ make menuconfig +``` + +在图形界面中配置 Enable loadable module support -> Sign modules with SM3: + +``` +Which hash algorithm should modules be signed with? (Sign modules with SM3) +``` + +指定内核签名使用的私钥和证书从mod.pem中读取 Cryptographic API -> Certificates for signature checking: + +``` +(mod.pem) File name or PKCS#11 URI of module signing key +``` + +编译内核: + +``` +$ make -j64 +$ make modules_install +$ make install +``` + +通过modinfo检查内核模块的签名信息: + +``` +$ modinfo /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko +filename: /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko +license: GPL v2 +description: Generic SM4 library +srcversion: 371050FDB8BF9878D9B5B9B +depends: +retpoline: Y +intree: Y +name: sm4 +vermagic: 5.10.0 SMP mod_unload modversions +sig_id: PKCS#7 +signer: Internet Widgits Pty Ltd +sig_key: 33:0B:96:3E:1F:C1:CA:28:98:72:F5:AE:FF:3F:A4:F3:50:5D:E1:87 +sig_hashalgo: sm3 +signature: 30:45:02:21:00:81:96:8D:40:CE:7F:7D:AE:3A:4B:CC:DC:9A:F2:B4: + 16:87:3E:C3:DC:77:ED:BC:6E:F5:D8:F3:DD:77:2B:D4:05:02:20:3B: + 39:5A:89:9D:DC:27:83:E8:D8:B4:75:86:FF:33:2B:34:33:D0:90:76: + 32:4D:36:88:84:34:31:5C:83:63:6B +``` + +### 场景2:手动签名 + +可在内核源码目录下调用sign_file对指定内核模块进行签名: + +``` +$ ./scripts/sign-file sm3 /path/to/mod.key /path/to/mod.crt +``` + +其余步骤与场景1相同。 + +### 场景3:模块加载校验 + +在内核启动参数中添加module.sig_enforce,开启内核模块强制签名校验: + +``` +linux /vmlinuz-5.10.0-106.1.0.55.oe2209.x86_64 root=/dev/mapper/openeuler-root ro resume=/dev/mapper/openeuler-swap rd.lvm.lv=openeuler/root rd.lvm.lv=openeuler/swap crashkernel=512M module.sig_enforce +``` + +重启系统后,只有通过指定证书校验的内核模块才能被正常加载: + +``` +# insmod /usr/lib/modules/5.10.0/kernel/crypto/sm4.ko +``` \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" "b/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" new file mode 100644 index 000000000..9c393d8b0 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" @@ -0,0 +1,491 @@ +# 文件完整性保护 + +## 内核完整性度量架构(IMA) + +IMA全称Integrity Measurement Architecture,是Linux内核提供的强制访问控制子系统,通过在文件访问系统调用添加检查hook,实现文件的完整性度量/校验。 + +### 前置条件 + +1. 准备openEuler内核编译环境,可参考:https://gitee.com/openeuler/kernel/wikis/kernel; +2. 内核模块签名支持商密算法在openEuler 5.10内核支持,建议选取最新5.10内核源码进行编译; +3. 生成内核SM2根证书: + +``` +# 生成证书配置文件(配置文件其他字段可按需定义) +$ echo 'subjectKeyIdentifier=hash' > ca.cfg +# 生成SM2签名私钥 +$ openssl ecparam -genkey -name SM2 -out ca.key +# 生成签名请求 +$ openssl req -new -sm3 -key ca.key -out ca.csr +# 生成SM2证书 +$ openssl x509 -req -days 3650 -extfile ca.cfg -signkey ca.key -in ca.csr -out ca.crt +``` + +4. 生成IMA二级证书: + +``` +# 创建证书配置文件 +echo 'subjectKeyIdentifier=hash' > ima.cfg +echo 'authorityKeyIdentifier=keyid,issuer' >> ima.cfg +# 生成私钥 +openssl ecparam -genkey -name SM2 -out ima.key +# 生成签名请求 +openssl req -new -sm3 -key ima.key -out ima.csr +# 基于一级证书生成二级证书 +openssl x509 -req -sm3 -CAcreateserial -CA ca.crt -CAkey ca.key -extfile ima.cfg -in ima.csr -out ima.crt +# 转换为DER格式 +openssl x509 -outform DER -in ima.crt -out x509_ima.der +``` + +5. 将根证书放置到内核源码目录,并修改内核编译选项CONFIG_SYSTEM_TRUSTED_KEYS,将根证书证书预置到内核: + +``` +$ cp /path/to/ca.crt . +$ make openeuler_defconfig +$ cat .config | grep CONFIG_SYSTEM_TRUSTED_KEYS +CONFIG_SYSTEM_TRUSTED_KEYS="ca.crt" +``` + +6. 编译并安装内核 + +``` +$ make -j64 +$ make modules_install +$ make install +``` + +### 如何使用 + +#### 场景1:原生IMA + +##### IMA度量模式 + +启动参数配置IMA策略和摘要算法,关闭IMA评估模式,重启系统: + +``` +ima_policy=tcb ima_hash=sm3 ima_appraise=off +``` + +检查度量日志,可以发现IMA对于所有目标保护文件都进行了度量,且摘要算法为sm3: + +``` +cat /sys/kernel/security/ima/ascii_runtime_measurements +10 601989730f01fb4688bba92d0ec94340cd90757f ima-sig sm3:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate +10 dc0a98316b03ab15edd2b8daae75a0d64bca7c56 ima-sig sm3:3c62ee3c13ee32d7a287e04c843c03ebb428a5bb3dd83561efffe9b08444be22 /usr/lib/systemd/systemd +10 1d0a5140e3924e2542963ad887a80def0aa8acac ima-sig sm3:4d3b83e143bd9d5288ef099eff4d01444947516d680165c6dd08cd5900768032 /usr/lib64/ld-linux-x86-64.so.2 +...... +``` + +##### IMA评估模式(hash) + +启动参数配置IMA策略和摘要算法,开启IMA评估fix模式,重启系统: + +``` +ima_policy=appraise_tcb ima_hash=sm3 ima_appraise=fix +``` + +appraise_tcb代表对所有 root 属主的文件进行评估。 + +对所有需要评估的文件进行一次open操作,以自动标记ima扩展属性: + +``` +find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; +``` + +完成标记后,可以看到所有的文件都标记了SM3摘要算法的ima扩展属性: + +``` +getfattr -m - -d -e hex /bin/bash +getfattr: Removing leading '/' from absolute path names +# file: bin/bash +security.ima=0x0411a794922bb9f0a034257f6c7090a3e8429801a42d422c21f1473e83b7f7eac385 +security.selinux=0x73797374656d5f753a6f626a6563745f723a7368656c6c5f657865635f743a733000 + +openssl dgst -sm3 /bin/bash +SM3(/bin/bash)= a794922bb9f0a034257f6c7090a3e8429801a42d422c21f1473e83b7f7eac385 +``` + +开启enforce模式后重启,系统可正常运行: + +``` +ima_policy=appraise_tcb ima_hash=sm3 ima_appraise=enforce +``` + +##### IMA评估模式(签名) + +**前置条件:** + +1. 内核预置商密根证书; +2. 安装ima-evm-utils软件包,且大于或等于指定版本: + +``` +$ rpm -qa ima-evm-utils +ima-evm-utils-1.3.2-4.oe2209.x86_64 +``` + +生成IMA二级证书: + +``` +# 创建证书配置文件 +echo 'subjectKeyIdentifier=hash' > ima.cfg +echo 'authorityKeyIdentifier=keyid,issuer' >> ima.cfg +# 生成私钥 +openssl ecparam -genkey -name SM2 -out ima.key +# 生成签名请求 +openssl req -new -sm3 -key ima.key -out ima.csr +# 基于一级证书生成二级证书 +openssl x509 -req -sm3 -CAcreateserial -CA ca.crt -CAkey ca.key -extfile ima.cfg -in ima.csr -out ima.crt +# 转换为DER格式 +openssl x509 -outform DER -in ima.crt -out x509_ima.der +``` + +将IMA证书放置在/etc/keys目录下,执行dracut重新制作initrd: + +``` +mkdir -p /etc/keys +cp x509_ima.der /etc/keys +echo 'install_items+=" /etc/keys/x509_ima.der "' >> /etc/dracut.conf +dracut -f +``` + +对需要进行保护的文件执行签名操作,如此处对/usr/bin目录下所有root用户的可执行文件进行签名: + +``` +find /usr/bin -fstype ext4 -type f -executable -uid 0 -exec evmctl -a sm3 ima_sign --key /root/ima.key '{}' \; +``` + +开启enforce模式后重启,系统可正常运行: + +``` +ima_policy=appraise_tcb ima_hash=sm3 ima_appraise=enforce +``` + +检查签名模式的保护效果: + +``` +# getfattr -m - -d /bin/echo +getfattr: Removing leading '/' from absolute path names +# file: bin/echo +security.ima=0sAwIRNJFkBQBIMEYCIQDLBg/bYlrkBqSaXNQMyK7rhiZj+qRiKdu+0fqW8lSmPQIhAJY2qSZJ0HgSu7kygydrS4MCC0KTK59nUkvISenZAUCo +security.selinux="system_u:object_r:bin_t:s0" + +# echo 123 >> /bin/echo +-bash: /bin/echo: Permission denied +``` + +#### 场景2:IMA摘要列表模式 + +##### 生成SM3摘要列表 + +gen_digest_lists支持-a sm3参数,支持生成sm3摘要列表: + +``` +gen_digest_lists -a sm3 -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/bash -d /root/digest -i i: +gen_digest_lists -a sm3 -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/bash -d /root/digest -i i: -T +``` + +##### 配置SM3摘要算法 + +整体步骤与开启IMA摘要列表特性相同,唯一区别在于将ima_hash启动参数配置为sm3。启动参数参考配置如下: + +``` +# log模式 +ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sm3 ima_appraise=log evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest +# enforce模式 +ima_template=ima-sig ima_policy="exec_tcb|appraise_exec_tcb|appraise_exec_immutable" initramtmpfs ima_hash=sm3 ima_appraise=enforce-evm evm=allow_metadata_writes evm=x509 ima_digest_list_pcr=11 ima_appraise_digest_list=digest +``` + +其余步骤可参考 **管理员指南->可信计算->摘要列表场景->初次部署** 章节。 + +配置完成后重启系统,通过查询度量日志可以看到,度量日志中的默认算法已变成SM3: + +``` +cat /sys/kernel/security/ima/ascii_runtime_measurements +...... +11 9e32183b5b1da72c6ff4298a44026e3f9af510c9 ima-sig sm3:5a2d81cd135f41e73e0224b9a81c3d8608ccde8caeafd5113de959ceb7c84948 /usr/bin/upload_digest_lists +11 f3b9264761dbaeaf637d08b86cc3655e8f3380f7 ima-sig sm3:cc6faecee9976c12279dab1627a78ef36f6998c65779f3b846494ac5fe5493a1 /usr/libexec/rpm_parser +11 dc0a98316b03ab15edd2b8daae75a0d64bca7c56 ima-sig sm3:3c62ee3c13ee32d7a287e04c843c03ebb428a5bb3dd83561efffe9b08444be22 /usr/lib/systemd/systemd +...... +``` + +说明:度量日志中可能存在两条非SM3算法的度量日志,属于系统初始化期间导入初始摘要列表的度量日志,为正常情况。 + +##### 配置SM2证书校验摘要列表 + +**前置条件:** + +1. 内核预置商密根证书; +2. 安装digest-list-tools和ima-evm-utils软件包,且大于或等于指定版本: + +``` +$ rpm -qa ima-evm-utils +ima-evm-utils-1.3.2-4.oe2209.x86_64 +$ rpm -qa digest-list-tools +digest-list-tools-0.3.95-6.oe2209.x86_64 +``` + +**执行步骤**: + +1. 生成IMA/EVM二级证书(需要为内核预置的商密根证书的子证书): + +``` +# 创建证书配置文件 +echo 'subjectKeyIdentifier=hash' > ima.cfg +echo 'authorityKeyIdentifier=keyid,issuer' >> ima.cfg +# 生成私钥 +openssl ecparam -genkey -name SM2 -out ima.key +# 生成签名请求 +openssl req -new -sm3 -key ima.key -out ima.csr +# 基于一级证书生成二级证书 +openssl x509 -req -sm3 -CAcreateserial -CA ca.crt -CAkey ca.key -extfile ima.cfg -in ima.csr -out ima.crt +# 转换为DER格式 +openssl x509 -outform DER -in ima.crt -out x509_ima.der +openssl x509 -outform DER -in ima.crt -out x509_evm.der +``` + +2. 将IMA/EVM证书放置在/etc/keys目录下,执行dracut重新制作initrd: + +``` +mkdir -p /etc/keys +cp x509_ima.der /etc/keys +cp x509_evm.der /etc/keys +echo 'install_items+=" /etc/keys/x509_ima.der /etc/keys/x509_evm.der "' >> /etc/dracut.conf +dracut -f -e xattr +``` + +3. 配置启动参数,开启IMA摘要列表功能,重启后可以检查证书被导入IMA/EVM密钥环: + +``` +cat /proc/keys +...... +024dee5e I------ 1 perm 1f0f0000 0 0 keyring .evm: 1 +...... +3980807f I------ 1 perm 1f0f0000 0 0 keyring .ima: 1 +...... +``` + +4. 将IMA摘要列表使用IMA/EVM证书对应的私钥进行签名,签名后可被正常导入内核: + +``` +# 使用evmctl对摘要列表进行签名 +evmctl ima_sign --key /root/ima.key -a sm3 0-metadata_list-compact-tree-1.8.0-2.oe2209.x86_64 +# 检查签名后的扩展属性 +getfattr -m - -d 0-metadata_list-compact-tree-1.8.0-2.oe2209.x86_64 +# file: 0-metadata_list-compact-tree-1.8.0-2.oe2209.x86_64 +security.ima=0sAwIRNJFkBQBHMEUCIQCzdKVWdxw1hoVm9lgZB6sl+sxapptUFNjqHt5XZD87hgIgBMuZqBdrcNm7fXq/reQw7rzY/RN/UXPrIOxrVvpTouw= +security.selinux="unconfined_u:object_r:admin_home_t:s0" +# 将签名后的摘要列表文件导入内核 +echo /root/tree/etc/ima/digest_lists/0-metadata_list-compact-tree-1.8.0-2.oe2209.x86_64 > /sys/kernel/security/ima/digest_list_data +# 检查度量日志,可以看到摘要列表的导入记录 +cat /sys/kernel/security/ima/ascii_runtime_measurements +11 43b6981f84ba2725d05e91f19577cedb004adffb ima-sig sm3:b9430bbde2b7f30e935d91e29ab6778b6a825a2c3e5e7255895effb8747b7c1a /root/tree/etc/ima/digest_lists/0-metadata_list-compact-tree-1.8.0-2.oe2209.x86_64 0302113491640500473045022100b374a556771c35868566f6581907ab25facc5aa69b5414d8ea1ede57643f3b86022004cb99a8176b70d9bb7d7abfade430eebcd8fd137f5173eb20ec6b56fa53a2ec +``` + +说明:对于openEuler发布的RPM包,已经内置包含RPM包中所有可执行文件的摘要列表文件,采用的签名格式为PGP签名,对应的PGP公钥也已经在内核中预置。对于该部分摘要列表,无需重新进行签名,只需对新引入的文件生成摘要列表并签名即可。 + +# 轻量入侵检测(AIDE) + +AIDE是一款轻量级的入侵检测工具,主要通过检测文件的完整性,以及时发现针对系统的恶意入侵行为。AIDE数据库能够使用sha256、sha512等hash算法,用密文形式建立每个文件的校验码或散列号。openEuler提供的AIDE在开源软件的基础上新增了对SM3算法的支持。 + +## 前置条件 + +1. aide软件包安装,且大于等于指定版本: + +``` +$ rpm -qa aide +aide-0.17.4-1.oe2209.x86_64 +``` + +## 如何使用 + +修改/etc/aide.conf配置文件,添加sm3算法支持: + +``` +...... +FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sm3 +...... +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256+sm3 +...... +``` + +3. 初始化数据库,并保存数据库作为基准: + +初始化数据库 + +``` +$ aide -c /etc/aide.conf -i +``` + +示例输出如下: + +``` +AIDE initialized database at /var/lib/aide/aide.db.new.gz + +Number of entries: 64249 + +--------------------------------------------------- +The attributes of the (uncompressed) database(s): +--------------------------------------------------- + +/var/lib/aide/aide.db.new.gz + MD5 : a7y5ErdpBAezV2iGdaVleg== + SHA1 : u7W7jxomFtZn8rwMlkIRCN0r7iQ= + SHA256 : 88Kw5b2yJ9bejwO+NqT6lyAieno+K0+W + BPVBjXcUl08= + SHA512 : WyOIgRxk9SeSoktF6BYVV0tRL7nGNDKQ + A9QyxVCgzg+PwPMV7tzxmwOZI/dB64pP + vQ/D2jqJdf3NS2PHMI4yvg== + RMD160 : qTEPs2SIxPm3iEwsCnwvp9hR4s4= + TIGER : 0HgLucmhCcB56bxOMj+j1Kuja8UIsFRg + CRC32 : VKE1TA== + WHIRLPOOL : JSA35/NmkMOkUWEpcZJf3PR1UUz5WcLG + AmBKPkao3fzQUsLMTJizCV4CwAE0G/Yc + KX0mpW5vx+gk3njya8rAvA== + GOST : yKjiytOwRr3bJcFsxnJ310t1FY6YE3HB + YNT8XP93xpc= + STRIBOG256: 9bzS+5j4ZAoU/P7v3tkKOWn4ZfggcX28 + 9dLQVhaiJtQ= + STRIBOG512: 9LLXgqsRIRiXP2WOrOJt1qhx6psfbACd + un+GTVmu441quX4zaaPIIG9lzDMBAqMg + hZx5DlxsQj3YjMezSUsXLg== + SM3 : Vwii+uw3Ge5Hh3eo1KOombxn2jWgyYRX + ZdyCRZqWZ/E= + + +End timestamp: 2022-08-12 09:01:25 +0800 (run time: 2m 43s) +``` + + +保存数据库作为基准: + +``` +$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz +``` + +### 场景1:检测被保护文件变化 + +``` +$ aide -c /etc/aide.conf --check +--------------------------------------------------- +Detailed information about changes: +--------------------------------------------------- + +File: /boot/config-5.10.0-106.3.0.57.oe2209.aarch64 + Size : 182936 | 182938 + Mtime : 2022-08-04 08:00:00 +0800 | 2022-08-12 09:05:34 +0800 + Ctime : 2022-08-11 01:42:44 +0800 | 2022-08-12 09:05:34 +0800 + SHA256 : ae0fOzf7U+e/evTZKpk6JQa00kvSkc5J | gOlhcUgnZWhcyJYMEPxCYccXwFr9lERX + vMTX5Ysh+1k= | KK3O/ytfR/g= + SHA512 : zAPIxIAM7YvJPjwl/PH23leBb/HiO0Rf | p+WxVOZ6DX323rHDRF864w297yh7POk6 + PlRME7yvpzFZk/5BrNe2ofQWR/0sFu1m | 11dOzahlKTWpAKaexC/u+4REiCzjl1rm + JsDSy8m57wzCpJA9iUFq1g== | eb/kd3Xgp1LoKwn49mtqxw== + SM3 : CW0GnITxNeGeYOCAm4xfu78Vqm+wLp/Z | GWq/3nXL16tMYyxyFD/HTZbvJi2h+ttg + cOmXmIKJT4Q= | 6d8XmSHu26A= +``` + +### 场景2:更新数据库 + +执行以下命令进行数据库更新,更新后数据库文件为 /var/lib/aide/aide.db.new.gz: + +``` +$ aide -c /etc/aide.conf --update +--------------------------------------------------- +Detailed information about changes: +--------------------------------------------------- + +File: /boot/config-5.10.0-106.3.0.57.oe2209.aarch64 + Size : 182936 | 182938 + Mtime : 2022-08-04 08:00:00 +0800 | 2022-08-12 09:05:34 +0800 + Ctime : 2022-08-11 01:42:44 +0800 | 2022-08-12 09:05:34 +0800 + SHA256 : ae0fOzf7U+e/evTZKpk6JQa00kvSkc5J | gOlhcUgnZWhcyJYMEPxCYccXwFr9lERX + vMTX5Ysh+1k= | KK3O/ytfR/g= + SHA512 : zAPIxIAM7YvJPjwl/PH23leBb/HiO0Rf | p+WxVOZ6DX323rHDRF864w297yh7POk6 + PlRME7yvpzFZk/5BrNe2ofQWR/0sFu1m | 11dOzahlKTWpAKaexC/u+4REiCzjl1rm + JsDSy8m57wzCpJA9iUFq1g== | eb/kd3Xgp1LoKwn49mtqxw== + SM3 : CW0GnITxNeGeYOCAm4xfu78Vqm+wLp/Z | GWq/3nXL16tMYyxyFD/HTZbvJi2h+ttg + cOmXmIKJT4Q= | 6d8XmSHu26A= +``` + +### 场景3:比较数据库 + +在/etc/aide.conf中配置两个数据库: + +``` +# The location of the database to be read. +database_in=file:@@{DBDIR}/aide.db.gz +database_new=file:@@{DBDIR}/aide.db.new.gz +``` + +执行以下命令进行数据库比较: + +``` +$ aide -c /etc/aide.conf --compare +--------------------------------------------------- +Detailed information about changes: +--------------------------------------------------- + +File: /boot/config-5.10.0-106.3.0.57.oe2209.aarch64 + Size : 182936 | 182938 + Mtime : 2022-08-04 08:00:00 +0800 | 2022-08-12 09:05:34 +0800 + Ctime : 2022-08-11 01:42:44 +0800 | 2022-08-12 09:05:34 +0800 + SHA256 : ae0fOzf7U+e/evTZKpk6JQa00kvSkc5J | gOlhcUgnZWhcyJYMEPxCYccXwFr9lERX + vMTX5Ysh+1k= | KK3O/ytfR/g= + SHA512 : zAPIxIAM7YvJPjwl/PH23leBb/HiO0Rf | p+WxVOZ6DX323rHDRF864w297yh7POk6 + PlRME7yvpzFZk/5BrNe2ofQWR/0sFu1m | 11dOzahlKTWpAKaexC/u+4REiCzjl1rm + JsDSy8m57wzCpJA9iUFq1g== | eb/kd3Xgp1LoKwn49mtqxw== + SM3 : CW0GnITxNeGeYOCAm4xfu78Vqm+wLp/Z | GWq/3nXL16tMYyxyFD/HTZbvJi2h+ttg + cOmXmIKJT4Q= | 6d8XmSHu26A= + +--------------------------------------------------- +The attributes of the (uncompressed) database(s): +--------------------------------------------------- + +/var/lib/aide/aide.db.gz + MD5 : a7y5ErdpBAezV2iGdaVleg== + SHA1 : u7W7jxomFtZn8rwMlkIRCN0r7iQ= + SHA256 : 88Kw5b2yJ9bejwO+NqT6lyAieno+K0+W + BPVBjXcUl08= + SHA512 : WyOIgRxk9SeSoktF6BYVV0tRL7nGNDKQ + A9QyxVCgzg+PwPMV7tzxmwOZI/dB64pP + vQ/D2jqJdf3NS2PHMI4yvg== + RMD160 : qTEPs2SIxPm3iEwsCnwvp9hR4s4= + TIGER : 0HgLucmhCcB56bxOMj+j1Kuja8UIsFRg + CRC32 : VKE1TA== + WHIRLPOOL : JSA35/NmkMOkUWEpcZJf3PR1UUz5WcLG + AmBKPkao3fzQUsLMTJizCV4CwAE0G/Yc + KX0mpW5vx+gk3njya8rAvA== + GOST : yKjiytOwRr3bJcFsxnJ310t1FY6YE3HB + YNT8XP93xpc= + STRIBOG256: 9bzS+5j4ZAoU/P7v3tkKOWn4ZfggcX28 + 9dLQVhaiJtQ= + STRIBOG512: 9LLXgqsRIRiXP2WOrOJt1qhx6psfbACd + un+GTVmu441quX4zaaPIIG9lzDMBAqMg + hZx5DlxsQj3YjMezSUsXLg== + SM3 : Vwii+uw3Ge5Hh3eo1KOombxn2jWgyYRX + ZdyCRZqWZ/E= + +/var/lib/aide/aide.db.new.gz + MD5 : sKt4dVDKY/8A9EY/X4Ue2A== + SHA1 : hagLXMv7G+KbEKh861kjjFSYpRw= + SHA256 : HTHF7k5U294ECjCLneoZ3o8bH6PYgY5u + AzoIyCacZp4= + SHA512 : 5gWi7K/ztWMl7H+PK1doV/tWDHmaE2m/ + ndRXGR7b5J3v82Jv2HeJPoOt5A4Z/9FH + 5H+uCLYaHwRleyalyy5Wew== + RMD160 : uMM1HtAbfz+G3Y9Z+rVR4qjdqcQ= + TIGER : OTHdXNQOxnHnOl6C9M3czSC42+SeZAZA + CRC32 : T9G1Tw== + WHIRLPOOL : FRMnQ2wHgylsTmpKE8RwdUvkzXucHwu1 + W9ZkUrxoXeci2g7jIgoMmpoeDPhH73qz + nZ7fKj1lStSpiUGD5KPeWA== + GOST : haeO5dhT+t34C1GJf+2dc3q1GMN71FqB + kqoiODo+j2o= + STRIBOG256: lgZUZhhd9JfMOXgNzYptapqagwgmvdM+ + 7uWzJsmOxoY= + STRIBOG512: PA6jksprS37xQzHm1ZIvLR9ROa+FxoiF + /xbAe0pSi4lMXXzABrPKkjyK0WtjxFvx + 07Poj2iDwNNcUJWekbaEXA== + SM3 : R5/HXng5MNvrjoCh8/JzrWle1IO8ggsR + P5i2ePX5BpY= +``` + diff --git "a/docs/zh/docs/ShangMi/\346\246\202\350\277\260.md" "b/docs/zh/docs/ShangMi/\346\246\202\350\277\260.md" new file mode 100644 index 000000000..a30b35796 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\346\246\202\350\277\260.md" @@ -0,0 +1,17 @@ +# 概述 + +openEuler操作系统商密支持旨在对操作系统的关键安全特性进行商密算法使能,并为上层应用提供商密算法库、证书、安全传输协议等密码服务。 + +当前已支持的商密特性包括: + +1. openSSL/libgcrypt等用户态算法库支持SM2/3/4算法; +2. openSSH支持商密算法套件; +3. openSSL支持商密TLCP协议栈; +4. 磁盘加密(dm-crypt/cryptsetup)支持SM3/SM4算法; +5. 用户身份鉴别(pam/libuser/shadow)支持SM3口令加密; +6. 入侵检测(AIDE)支持SM3摘要算法; +7. 内核加密框架(crypto)支持SM2/3/4算法,以及AVX/CE/NEON等指令集优化; +8. 内核完整性度量架构(IMA/EVM)支持SM3摘要算法和SM2证书; +9. 内核模块签名/验签支持SM2证书; +10. 内核KTLS支持SM4-CBC和SM4-GCM算法; +11. 鲲鹏KAE加速引擎支持SM3/4算法加速。 \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\347\224\250\346\210\267\350\272\253\344\273\275\351\211\264\345\210\253.md" "b/docs/zh/docs/ShangMi/\347\224\250\346\210\267\350\272\253\344\273\275\351\211\264\345\210\253.md" new file mode 100644 index 000000000..874a8d299 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\347\224\250\346\210\267\350\272\253\344\273\275\351\211\264\345\210\253.md" @@ -0,0 +1,122 @@ +# 用户身份鉴别 + +## pam配置用户口令加密 + +### 概述 + +PAM是系统的可插拔认证模块,为上层应用提供认证机制。openEuler发布的PAM新增了对SM3算法用户口令加密的支持。 + +### 前置条件 + +1. pam软件包安装并大于等于指定版本: + +``` +$ rpm -qa pam +pam-1.5.2-2.oe2209.x86_64 +``` + +### 如何使用 + +1. 修改/etc/pam.d/password-auth和/etc/pam.d/system-auth文件,找到文件中“password sufficient pam_unix.so”开头的行,修改该行中算法字段为sm3: + +``` +$ cat /etc/pam.d/password-auth +...... +password sufficient pam_unix.so sm3 shadow nullok try_first_pass use_authtok +...... + +$ cat /etc/pam.d/system-auth +...... +password sufficient pam_unix.so sm3 shadow nullok try_first_pass use_authtok +...... +``` + +2. 修改配置之后通过passwd命令修改密码或新增用户创建的密码,会使用sm3算法加密,加密结果以sm3开头存储在/etc/shadow中: + +``` +$ passwd testuser +Changing password for user testuser. +New password: +Retype new password: +passwd: all authentication tokens updated successfully. +$ cat /etc/shadow | grep testuser +testuser:$sm3$wnY86eyUlB5946gU$99LlMr0ddeZNDqnB2KRxn9f30SFCCvMv1WN1cFdsKJ2:19219:0:90:7:35:: +``` + +### 注意事项 + +1. PAM配置默认使用sha512算法,修改配置使用商密SM3算法后,对已存在的用户密码无影响,需要修改密码才能更新密码算法; +2. 若PAM降级到不支持商密算法的版本,并且已存在账户密码使用SM3算法加密,则需先修改配置为非商密算法,再修改账号密码,再降级到低版本,否则这些账户将无法正常登陆。 + + +## shadow配置用户口令加密 + +### 概述 + +shadow是Linux系统中常用的用户管理组件,提供了chpasswd、chgpasswd与newusers等命令。openEuler提供的shadow组件新增了对商密算法SM3的支持,以在用户管理时使用SM3加密算法。因为shadow默认使用PAM安全认证机制,因此该组件支持商密算法只影响chpasswd与chgpasswd命令。 + +### 前置条件 + +1. shadow大于或等于指定版本: + +``` +$ rpm -qa shadow +shadow-4.9-4.oe2209.x86_64 +``` + +### 如何使用 + +1. chpasswd默认使用pam配置,通过-c指定SM3算法,会以SM3算法加密,加密结果以sm3开头存储在/etc/shadow中: + +``` +$ echo testuser:testPassword |chpasswd -c SM3 +$ cat /etc/shadow | grep testuser +testuser:$sm3$moojQQeBfdGOrL14$NqjckLHlk3ICs1cx.0rKZwRHafjVlqksdSJqfx9eYh6:19220:0:99999:7::: + +``` +2. chgpasswd默认使用pam配置,通过-c指定SM3算法,会以SM3算法加密,加密结果以sm3开头存储在/etc/shadow中: + +``` +$ echo testGroup:testPassword |chpasswd -c SM3 +$ cat /etc/gshadow | grep testGroup +testGroup:$sm3$S3h3X6U6KsXg2Gkc$LFCAnKbi6JItarQz4Y/Aq9/hEbEMQXq9nQ4rY1j9BY9:: +``` + +### 注意事项 + +1. shadow默认使用PAM安全认证机制,相关命令使用-c参数指定加密算法时,不使用PAM机制。 + +## libuser配置用户口令加密 + +### 概述 + +libuser库实现了一个标准化的接口,用于操作和管理用户和组帐户。该库经过封装,对外提供了命令行接口和python接口,用于管理用户和组。其中涉及用户密码的管理,支持使用des、md5、blowfish、sha256、sha512等算法对用户口令进行加密,openEuler发布的libuser新增了对SM3算法加密支持。 + +### 前置条件 + +1. libuser软件包安装并大于等于指定版本: + +``` +$ rpm -qa libuser +libuser-0.63-3.oe2209.x86_64 +``` + +### 如何使用 + +1. 编辑/etc/libuser.conf,修改[defaults]域crypt_style=sm3: + +``` +$ cat /etc/libuser.conf +...... +[defaults] +crypt_style = sm3 +...... +``` + +2. 通过lusermod、lpasswd、luseradd等命令设置用户口令时,口令加密算法默认为sm3。加密结果以sm3开头存储在/etc/shadow中: + +``` +# luseradd testuser -P Test@123 +# cat /etc/shadow | grep testuser +testuser:$sm3$1IJtoN6zlBDCiPKC$5oxscBTgiquPAEmZWGNDVqTPrboHJw3fFSohjF6sONB:18862:0:90:7:35:: +``` \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\347\243\201\347\233\230\345\212\240\345\257\206.md" "b/docs/zh/docs/ShangMi/\347\243\201\347\233\230\345\212\240\345\257\206.md" new file mode 100644 index 000000000..1f3193442 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\347\243\201\347\233\230\345\212\240\345\257\206.md" @@ -0,0 +1,89 @@ +# 磁盘加密 + +## 概述 + +磁盘加密是对重要数据存储机密性进行保护,按照给定加密算法对数据进行加密后写入磁盘,从而保障重要数据的机密性。该特性主要涉及用户态工具cryptsetup和内核态的dm-crypt模块。当前openEuler操作系统提供的磁盘加密特性已支持商密算法。相关参数如下: + +- 加密模式:支持luks2和plain两种模式; +- 密钥长度:支持256位; +- 摘要算法:支持商密SM3算法; +- 加密算法:支持商密sm4-xts-plain64算法。 + +## 前置条件 + +1. 内核版本需要大于等于指定版本: + +``` +$ rpm -qa kernel +kernel-5.10.0-106.1.0.55.oe2209.x86_64 +``` + +2. cryptsetup软件包安装并大于等于指定版本: + +``` +$ rpm -qa cryptsetup +cryptsetup-2.4.1-1.oe2209.x86_64 +``` + +## 如何使用 + +通过将磁盘格式化成指定加密模式的磁盘,然后映射到/dev/mapper下作为dm设备,后续对磁盘的读写都通过该dm设备进行,数据的加解密过程由内核态完成,用户态不感知。参考步骤如下: + +1. 格式化磁盘,将磁盘映射为dm设备: + +a. luks2模式 + +加密模式使用luks2,加密算法使用sm4-xts-plain64,密钥大小为256位,摘要算法使用sm3: + +``` +# cryptsetup luksFormat /dev/sdd -c sm4-xts-plain64 --key-size 256 --hash sm3 +``` + +b. plain模式 + +加密模式使用plain,加密算法使用sm4-xts-plain64,密钥大小为256位,摘要算法使用sm3: + +``` +# cryptsetup plainOpen /dev/sdd crypt1 -c sm4-xts-plain64 --key-size 256 --hash sm3 +``` + +2. 映射成功后可通过lsblk查看设备信息: + +``` +# lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS +...... +sdd 8:48 0 50G 0 disk +└─crypt1 253:3 0 50G 0 crypt +...... +``` + +3. 对加密后的设备进行IO读写: + +直接对裸盘下发IO: + +``` +# dd if=/dev/random of=/dev/mapper/crypt1 bs=4k count=10240 +``` + +通过文件系统下发IO: + +``` +# mkfs.ext4 /dev/mapper/crypt1 +# mount /dev/mapper/crypt1 /mnt/crypt/ +# dd if=/dev/random of=/mnt/crypt/tmp bs=4k count=10240 +``` + +4. 关闭设备映射: + +如果挂载了文件系统,需要先卸载: + +``` +# umount /mnt/crypt +``` + +关闭设备: + +``` +# cryptsetup luksClose crypt1 +``` \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\347\256\227\346\263\225\345\272\223.md" "b/docs/zh/docs/ShangMi/\347\256\227\346\263\225\345\272\223.md" new file mode 100644 index 000000000..77031036e --- /dev/null +++ "b/docs/zh/docs/ShangMi/\347\256\227\346\263\225\345\272\223.md" @@ -0,0 +1,194 @@ +# 算法库 + +## openSSL加密接口 + +openSSL是常用的密码算法库软件,当前已经支持商密算法SM2/3/4,用户可以通过命令行或API调用商密算法的加解密功能。 + +### 前置条件 + +openSSL大于或等于指定版本: + +``` +$ rpm -qa openssl +openssl-1.1.1m-6.oe2209.x86_64 +``` + +### 如何使用 + +#### 场景1:使用命令行调用密码算法 + +1. SM2公钥算法 + +生成SM2私钥: + +``` +$ openssl ecparam -genkey -name SM2 -out priv.key +``` + +根据私钥生成公钥: + +``` +$ openssl ec -in priv.key -pubout -out pub.key +read EC key +writing EC key +``` + +使用SM2算法对文件进行签名,摘要算法指定为SM3: + +``` +$ openssl dgst -sm3 -sign priv.key -out data.sig data +``` + +使用公钥进行验签: + +``` +$ openssl dgst -sm3 -verify pub.key -signature data.sig data +Verified OK +``` + +2. SM3摘要算法 + +使用SM3算法计算数据摘要: + +``` +$ openssl dgst -sm3 data +SM3(data)= a794922bb9f0a034257f6c7090a3e8429801a42d422c21f1473e83b7f7eac385 +``` + +3. SM4对称加密算法 + +使用SM4算法对数据进行加密,其中-K和-iv分别指定加密所使用的key值和iv值,通常需要随机生成: + +``` +$ openssl enc -sm4 -in data -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.enc +``` + +使用SM4算法对数据进行解密: + +``` +$ openssl enc -d -sm4 -in data.enc -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.raw +``` + +对比加解密数据,结果一致: + +``` +$ diff data data.raw +``` + +#### 场景2:使用API调用密码算法 + +可直接安装openssl-help并查询man手册: + +``` +$ yum install openssl-help +$ man sm2 +$ man EVP_sm3 +$ man EVP_sm4_cbc +``` + +## 内核加密接口 + +### 概述 + +Linux内核的加密算法采用crypto框架管理,不同的算法实现在crypto框架中分别进行注册和调用。openEuler提供的5.10内核提供了对商密算法(SM2/3/4)的支持,其中SM2/3算法默认编译在内核中,SM4算法以内核模块的形式提供。 + +### 前置条件 + +内核大于或等于指定版本: + +``` +# rpm -qa kernel +kernel-5.10.0-106.1.0.55.oe2209.x86_64 +``` + +### 如何使用 + +#### 场景1:查询内核支持的加密算法 + +1. 通过/proc/crypto查询已注册的商密算法: + +``` +$ cat /proc/crypto | grep sm3 -A8 +name : sm3 +driver : sm3-generic +module : kernel +priority : 100 +refcnt : 1 +selftest : passed +internal : no +type : shash +blocksize : 64 +digestsize : 32 + +$ cat /proc/crypto | grep sm2 -A6 +name : sm2 +driver : sm2-generic +module : kernel +priority : 100 +refcnt : 1 +selftest : passed +internal : no +type : akcipher +``` + +sm4算法默认不加载,需要先插入对应模块: + +``` +$ modprobe sm4-generic +$ cat /proc/crypto | grep sm4 -A8 +name : sm4 +driver : sm4-generic +module : sm4_generic +priority : 100 +refcnt : 1 +selftest : passed +internal : no +type : cipher +blocksize : 16 +min keysize : 16 +max keysize : 16 +``` + +#### 场景2:算法API调用 + +商密算法的调用和其他相同类型的算法调用方法一致,可参考Linux内核文档: + +``` +https://www.kernel.org/doc/html/v5.10/crypto/userspace-if.html +``` + +#### 场景3:指令集优化 + +Crypto框架支持注册架构相关的算法实现,可以通过特定指令集实现算法性能的优化。当前openEuler 5.10内核支持的指令集优化包括: + +| 驱动 | 指令集支持 | 优先级 | +| -------------------------------- | ---------------------- | ------ | +| sm4-neon(ecb/cbc/cfb/ctr) | ARM64-NEON指令集 | 200 | +| sm3-avx | X86-AVX指令集 | 300 | +| sm4-aesni-avx (ecb/cbc/cfb/ctr) | X86-AVX指令集 | 400 | +| sm4-aesni-avx 2(ecb/cbc/cfb/ctr) | X86-AVX2指令集 | 500 | + +当同一个算法注册多个实例时,按照各个算法实例注册的priority选择默认的算法实现,priority数值越大则优先级越高,纯软件的算法实现(后缀为-generic)的priority固定为100。商密算法的指令集优化不默认使能,以内核模块的形式对用户提供,如使能SM3算法的AVX指令集优化的方法为: + +``` +$ modprobe sm3-avx +$ cat /proc/crypto | grep sm3 -A8 +name : sm3 +driver : sm3-avx +module : sm3_avx_x86_64 +priority : 300 +refcnt : 1 +selftest : passed +internal : no +type : shash +blocksize : 64 +digestsize : 32 + +...... +``` + +#### 注意事项 + +1. 算法指令集优化使能的前提是CPU支持对应指令集,可以通过/proc/cpuinfo接口查询当前CPU支持的指令集; +2. 特定指令集的调用本身存在一定开销,因此并不能保证在所有的场景下,指令集优化的性能都高于软件实现; +3. 部分指令集优化存在一定限制,如neon指令集仅在支持并行计算的加密模式下存在优化效果。 \ No newline at end of file diff --git "a/docs/zh/docs/ShangMi/\350\257\201\344\271\246.md" "b/docs/zh/docs/ShangMi/\350\257\201\344\271\246.md" new file mode 100644 index 000000000..4596f0731 --- /dev/null +++ "b/docs/zh/docs/ShangMi/\350\257\201\344\271\246.md" @@ -0,0 +1,82 @@ +# 证书 + +## 概述 + +商密证书指的是满足《SM2椭圆曲线公钥密码算法》以及《基于SM2密码算法的数字证书格式规范》等标准的数字证书。openEuler发布的openSSL软件提供了对商密证书的支持。 + +## 前置条件 + +openSSL大于或等于指定版本: + +``` +$ rpm -qa openssl +openssl-1.1.1m-6.oe2209.x86_64 +``` + +## 如何使用 + +### 场景1:生成商密证书 + +1. 生成SM2签名私钥: + +``` +$ openssl ecparam -genkey -name SM2 -out sm2.key +``` + +2. 生成签名请求: + +``` +$ openssl req -new -sm3 -key sm2.key -out sm2.csr +``` + +3. 生成商密证书(可使用-extfile指定证书配置文件): + +``` +$ openssl x509 -req -days 3650 -signkey sm2.key -in sm2.csr -out sm2.crt +``` + +4. 查看证书信息: + +``` +$ openssl x509 -text -in sm2.crt +``` + +### 场景2:构建证书链 + +#### 使用x509命令(一般用于功能测试) + +1. 生成SM2签名私钥和签名请求: + +``` +$ openssl ecparam -genkey -name SM2 -out sm2.key +$ openssl req -new -sm3 -key sm2.key -out sm2.csr +``` + +2. 基于一级证书生成二级证书(可使用-extfile指定证书配置文件): + +``` +$ openssl x509 -req -sm3 -CAcreateserial -CA ca.crt -CAkey ca.key -in sm2.csr -out sm2.crt +``` + +#### 使用ca命令(一般用于正式场景) + +1. 准备用于生成证书的配置文件(可使用openssl源码目录下的apps/openssl.cnf); + +2. 生成自签名CA证书: + +``` +$ openssl ecparam -name SM2 -out SM2.pem +$ openssl req -config ./openssl.cnf -nodes -keyout CA.key -newkey ec:SM2.pem -new -out CA.csr +$ openssl x509 -sm3 -req -days 30 -in CA.csr -extfile ./openssl.cnf -extensions v3_ca -signkey CA.key -out CA.crt +``` + +3. 生成二级证书 + +``` +$ openssl req -config ./openssl.cnf -nodes -keyout SS.key -newkey ec:SM2.pem -new -out SS.csr +$ openssl x509 -sm3 -req -days 30 -in SS.csr -CA CA.crt -CAkey CA.key -extfile ./openssl.cnf -extensions v3_req -out SS.crt -CAcreateserial +``` + +### 场景3:生成TLCP通信证书 + +详见《TLCP协议栈》章节 \ No newline at end of file diff --git "a/docs/zh/docs/ShangMiFeature/\345\225\206\345\257\206\345\272\224\347\224\250\351\205\215\347\275\256.md" "b/docs/zh/docs/ShangMiFeature/\345\225\206\345\257\206\345\272\224\347\224\250\351\205\215\347\275\256.md" deleted file mode 100644 index 1333ed77b..000000000 --- "a/docs/zh/docs/ShangMiFeature/\345\225\206\345\257\206\345\272\224\347\224\250\351\205\215\347\275\256.md" +++ /dev/null @@ -1 +0,0 @@ -TODO diff --git a/docs/zh/menu/index.md b/docs/zh/menu/index.md index ba9380147..2572d1073 100644 --- a/docs/zh/menu/index.md +++ b/docs/zh/menu/index.md @@ -222,3 +222,12 @@ headless: true - [安装与部署]({{< relref "./docs/NestOS/安装与部署.md" >}}) - [使用方法]({{< relref "./docs/NestOS/使用方法.md" >}}) - [功能特性描述]({{< relref "./docs/NestOS/功能特性描述.md" >}}) +- [商密特性指南]({{< relref "./docs/ShangMi/概述.md" >}}) + - [算法库]({{< relref "./docs/ShangMi/算法库.md" >}}) + - [证书]({{< relref "./docs/ShangMi/证书.md" >}}) + - [用户身份鉴别]({{< relref "./docs/ShangMi/用户身份鉴别.md" >}}) + - [SSH协议栈]({{< relref "./docs/ShangMi/SSH协议栈.md" >}}) + - [TLCP协议栈]({{< relref "./docs/ShangMi/TLCP协议栈.md" >}}) + - [内核模块签名]({{< relref "./docs/ShangMi/内核模块签名.md" >}}) + - [文件完整性保护]({{< relref "./docs/ShangMi/文件完整性保护.md" >}}) + - [磁盘加密]({{< relref "./docs/ShangMi/磁盘加密.md" >}}) \ No newline at end of file -- Gitee