All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com,
	dwmw2@infradead.org, zohar@linux.ibm.com, nayna@linux.ibm.com,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 0/2] Add support for ECDSA-signed kernel modules
Date: Thu, 3 Jun 2021 09:47:38 +0300	[thread overview]
Message-ID: <20210603064738.pwfq3n7erzmncdmw@kernel.org> (raw)
In-Reply-To: <20210602143537.545132-1-stefanb@linux.ibm.com>

On Wed, Jun 02, 2021 at 10:35:35AM -0400, Stefan Berger wrote:
> This series adds support for ECDSA-signed kernel modules. It also
> attempts to address a kbuild issue where a developer created an ECDSA
> key for signing kernel modules and then builds an older version of the
> kernel, when bisecting the kernel for example, that does not support
> ECDSA keys.
> 
> The first patch addresses the kbuild issue of needing to delete that
> ECDSA key if it is in certs/signing_key.pem and trigger the creation
> of an RSA key. However, for this to work this patch would have to be
> backported to previous versions of the kernel but would also only work
> for the developer if he/she used a stable version of the kernel to which
> this patch was applied. So whether this patch actually achieves the
> wanted effect is not always guaranteed.
> 
> The 2nd patch adds the support for the ECSDA-signed kernel modules.
> 
> This patch depends on the ECDSA support series currently queued here:
> https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc
> 
>   Stefan
> 
> v5:
>   - do not touch the key files if openssl is not installed; likely
>     addresses an issue pointed out by kernel test robot
> 
> v4:
>   - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)
>   
> v3:
>   - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
>   - added recommendation to use string hash to Kconfig help text
> 
> v2:
>   - Adjustment to ECDSA key detector string in 2/2
>   - Rephrased cover letter and patch descriptions with Mimi
> 
> 
> Stefan Berger (2):
>   certs: Trigger creation of RSA module signing key if it's not an RSA
>     key
>   certs: Add support for using elliptic curve keys for signing modules
> 
>  certs/Kconfig                         | 26 ++++++++++++++++++++++++++
>  certs/Makefile                        | 21 +++++++++++++++++++++
>  crypto/asymmetric_keys/pkcs7_parser.c |  8 ++++++++
>  3 files changed, 55 insertions(+)
> 
> -- 
> 2.29.2
> 
> 

Please instead send a fix.

/Jarkko

  parent reply	other threads:[~2021-06-03  6:47 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-02 14:35 [PATCH v5 0/2] Add support for ECDSA-signed kernel modules Stefan Berger
2021-06-02 14:35 ` [PATCH v5 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Stefan Berger
2021-06-02 14:35 ` [PATCH v5 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-06-03  6:47 ` Jarkko Sakkinen [this message]
2021-06-03 12:32   ` [PATCH v5 0/2] Add support for ECDSA-signed kernel modules Stefan Berger
2021-06-09 12:44     ` Jarkko Sakkinen
2021-06-09 13:58       ` Stefan Berger
2021-06-10  9:03         ` Jarkko Sakkinen
2021-06-10 11:50           ` Stefan Berger
  -- strict thread matches above, loose matches on Subject: below --
2021-06-01 10:52 Stefan Berger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210603064738.pwfq3n7erzmncdmw@kernel.org \
    --to=jarkko@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jeyu@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=stefanb@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.