Skip to content

Backport 1.1: Add driver and dispatch for MLDSA#750

Merged
gilles-peskine-arm merged 8 commits into
Mbed-TLS:tf-psa-crypto-1.1from
gilles-peskine-arm:mldsa-pqcp-driver-backport-1.1
Apr 14, 2026
Merged

Backport 1.1: Add driver and dispatch for MLDSA#750
gilles-peskine-arm merged 8 commits into
Mbed-TLS:tf-psa-crypto-1.1from
gilles-peskine-arm:mldsa-pqcp-driver-backport-1.1

Conversation

@gilles-peskine-arm

@gilles-peskine-arm gilles-peskine-arm commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

Partial backpot of #700: not the new feature (the driver entry points and the dispatch layer for ML-DSA, and the corresponding tests), but the other parts, namely:

  • Create test_suite_dispatch_transparent
  • CMake include path fix for drivers that call the dispatch layer
  • Create scripts/maintainter
  • Stop calling framework/scripts/generate_mldsa_tests.py

PR checklist

@gilles-peskine-arm gilles-peskine-arm added size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon needs-ci Needs to pass CI tests labels Apr 9, 2026
@gilles-peskine-arm gilles-peskine-arm force-pushed the mldsa-pqcp-driver-backport-1.1 branch from 483a399 to bcca624 Compare April 9, 2026 18:59
@gilles-peskine-arm

Copy link
Copy Markdown
Contributor Author

This needs a submodule update. I'll wait until #748 is merged, then I'll rebase here.

import os
import sys

sys.path.append(os.path.join(os.path.dirname(__file__),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you run this with python3 tests/scripts/check_committed_generated_files.py --list-targets it will fail with ModuleNotFoundError. Is this expected?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works for me.

Do you have all the required packages in your Python environment? Note that you need framework/util/requirements.txt in addition to scripts/maintainer.requirements.txt. (Cleaning this up is on the Python tech debt pile.)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think this is minor you need to install dilithium-py. It may be worth re-orging the imports, so you can run this without the dependancy. Though the gain is marginal, if anything.

public_key->x, public_key->len,
alg_arg,
message->x, message->len,
signature->x, signature->len + 1),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be buf not signature->x, otherwise presumably we will read past the end of signature->x?

public_key->x, public_key->len,
alg_arg,
message->x, message->len,
signature->x, signature->len - 1),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably this should be buf and signature->len, not signature->x and signature->len - 1, as otherwise we will discount the last byte and not passed the flipped version?

@@ -0,0 +1,26 @@
#!/usr/bin/env python3

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need a copyright header

Only three entry points for now: `export_public_key`,
`sign_message` (deterministic algorithms only since this is a known-answer
test), `verify_message`. More to come as we work on
Mbed-TLS#699 .

Add a few test cases, basically just smoke tests, using test data from
`test_suite_psa_crypto.data`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This directory is currently excluded from `check-python-files.sh`, because
we run it on the CI in an old Python version that doesn't support some of
our new maintainer scripts (specifically, to start with, the MLDSA test
generator).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Let the framework decide about test cases. But let each consuming branch
decide which test suites and which test function it wants.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
No change to what is being tested, but the data flow is now clearer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
@github-project-automation github-project-automation Bot moved this from In Development to Has Approval in Roadmap pull requests (new board) Apr 14, 2026
@gilles-peskine-arm gilles-peskine-arm added approved Design and code approved - may be waiting for CI or backports and removed needs-ci Needs to pass CI tests labels Apr 14, 2026
@gilles-peskine-arm gilles-peskine-arm added this pull request to the merge queue Apr 14, 2026
Merged via the queue into Mbed-TLS:tf-psa-crypto-1.1 with commit 67f5f79 Apr 14, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Design and code approved - may be waiting for CI or backports priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)

Development

Successfully merging this pull request may close these issues.

3 participants