From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1234C433DB for ; Mon, 1 Feb 2021 10:37:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8292764E9C for ; Mon, 1 Feb 2021 10:37:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233225AbhBAKh1 (ORCPT ); Mon, 1 Feb 2021 05:37:27 -0500 Received: from out4436.biz.mail.alibaba.com ([47.88.44.36]:6998 "EHLO out4436.biz.mail.alibaba.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233100AbhBAKhZ (ORCPT ); Mon, 1 Feb 2021 05:37:25 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R251e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04426;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=10;SR=0;TI=SMTPD_---0UNZ0iAR_1612175770; Received: from B-455UMD6M-2027.local(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0UNZ0iAR_1612175770) by smtp.aliyun-inc.com(127.0.0.1); Mon, 01 Feb 2021 18:36:11 +0800 Subject: Re: [PATCH v6 4/4] ima: Support EC keys for signature verification To: Stefan Berger , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, patrick@puiterwijk.org, linux-integrity@vger.kernel.org, Vitaly Chikunov , Mimi Zohar , Dmitry Kasatkin , David Howells References: <20210131233301.1301787-1-stefanb@linux.ibm.com> <20210131233301.1301787-5-stefanb@linux.ibm.com> From: Tianjia Zhang Message-ID: Date: Mon, 1 Feb 2021 18:36:10 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <20210131233301.1301787-5-stefanb@linux.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On 2/1/21 7:33 AM, Stefan Berger wrote: > Add support for IMA signature verification for EC keys. Since SHA type > of hashes can be used by RSA and ECDSA signature schemes we need to > look at the key and derive from the key which signature scheme to use. > Since this can be applied to all types of keys, we change the selection > of the encoding type to be driven by the key's signature scheme rather > than by the hash type. > > Signed-off-by: Stefan Berger > Reviewed-by: Vitaly Chikunov > Cc: Mimi Zohar > Cc: Dmitry Kasatkin > Cc: linux-integrity@vger.kernel.org > Cc: Vitaly Chikunov > Cc: Tianjia Zhang > Cc: David Howells > Cc: keyrings@vger.kernel.org > --- > include/keys/asymmetric-type.h | 6 ++++++ > security/integrity/digsig_asymmetric.c | 29 ++++++++++++-------------- > 2 files changed, 19 insertions(+), 16 deletions(-) > > diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h > index a29d3ff2e7e8..c432fdb8547f 100644 > --- a/include/keys/asymmetric-type.h > +++ b/include/keys/asymmetric-type.h > @@ -72,6 +72,12 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) > return key->payload.data[asym_key_ids]; > } > > +static inline > +const struct public_key *asymmetric_key_public_key(const struct key *key) > +{ > + return key->payload.data[asym_crypto]; > +} > + > extern struct key *find_asymmetric_key(struct key *keyring, > const struct asymmetric_key_id *id_0, > const struct asymmetric_key_id *id_1, > diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c > index a662024b4c70..29002d016607 100644 > --- a/security/integrity/digsig_asymmetric.c > +++ b/security/integrity/digsig_asymmetric.c > @@ -84,6 +84,7 @@ int asymmetric_verify(struct key *keyring, const char *sig, > { > struct public_key_signature pks; > struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; > + const struct public_key *pk; > struct key *key; > int ret; > > @@ -105,23 +106,19 @@ int asymmetric_verify(struct key *keyring, const char *sig, > memset(&pks, 0, sizeof(pks)); > > pks.hash_algo = hash_algo_name[hdr->hash_algo]; > - switch (hdr->hash_algo) { > - case HASH_ALGO_STREEBOG_256: > - case HASH_ALGO_STREEBOG_512: > - /* EC-RDSA and Streebog should go together. */ > - pks.pkey_algo = "ecrdsa"; > - pks.encoding = "raw"; > - break; > - case HASH_ALGO_SM3_256: > - /* SM2 and SM3 should go together. */ > - pks.pkey_algo = "sm2"; > - pks.encoding = "raw"; > - break; > - default: > - pks.pkey_algo = "rsa"; > + > + pk = asymmetric_key_public_key(key); > + pks.pkey_algo = pk->pkey_algo; > + if (!strcmp(pk->pkey_algo, "rsa")) > pks.encoding = "pkcs1"; > - break; > - } > + else if (!strcmp(pk->pkey_algo, "ecdsa")) > + pks.encoding = "x962"; > + else if (!strcmp(pk->pkey_algo, "ecrdsa") || > + !strcmp(pk->pkey_algo, "sm2")) > + pks.encoding = "raw"; > + else > + return -ENOPKG; > + > pks.digest = (u8 *)data; > pks.digest_size = datalen; > pks.s = hdr->sig; > Looks good to me, so Reviewed-by: Tianjia Zhang Thanks, Tianjia