From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com,
dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, torvalds@linux-foundation.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v7 0/2] Add support for ECDSA-signed kernel modules
Date: Mon, 28 Jun 2021 17:43:02 -0400 [thread overview]
Message-ID: <20210628214304.4165769-1-stefanb@linux.vnet.ibm.com> (raw)
From: Stefan Berger <stefanb@linux.ibm.com>
This series adds support for ECDSA-signed kernel modules. It also
attempts to address a kbuild issue where a developer created an ECDSA
key for signing kernel modules and then builds an older version of the
kernel, when bisecting the kernel for example, that does not support
ECDSA keys.
The first patch addresses the kbuild issue of needing to delete that
ECDSA key if it is in certs/signing_key.pem and trigger the creation
of an RSA key. However, for this to work this patch would have to be
backported to previous versions of the kernel but would also only work
for the developer if he/she used a stable version of the kernel to which
this patch was applied. So whether this patch actually achieves the
wanted effect is not always guaranteed.
The 2nd patch adds the support for the ECSDA-signed kernel modules.
Stefan
v7:
- Changed Kconfig reference to kernel version from 5.11 to 5.13
- Redirecting stderr of openssl to NULL device to address kernel robot
detected issue
- Replaced $(CONFIG_MODULE_SIG_KEY) with "certs/signing_key.pem" following
Linus's suggestion
v6:
- Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup
patches to be squashed.
v5:
- do not touch the key files if openssl is not installed; likely
addresses an issue pointed out by kernel test robot
v4:
- extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)
v3:
- added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
- added recommendation to use string hash to Kconfig help text
v2:
- Adjustment to ECDSA key detector string in 2/2
- Rephrased cover letter and patch descriptions with Mimi
Stefan Berger (2):
certs: Trigger creation of RSA module signing key if it's not an RSA
key
certs: Add support for using elliptic curve keys for signing modules
certs/Kconfig | 26 ++++++++++++++++++++++++++
certs/Makefile | 21 +++++++++++++++++++++
crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++
3 files changed, 55 insertions(+)
--
2.31.1
next reply other threads:[~2021-06-28 21:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 21:43 Stefan Berger [this message]
2021-06-28 21:43 ` [PATCH v7 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Stefan Berger
2021-06-28 21:43 ` [PATCH v7 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-06-29 20:56 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210628214304.4165769-1-stefanb@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko@kernel.org \
--cc=jeyu@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).