linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3 0/2] Add support for ECDSA-signed kernel modules
@ 2021-04-21 19:43 Stefan Berger
  2021-04-21 19:43 ` [PATCH v3 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Stefan Berger
  2021-04-21 19:43 ` [PATCH v3 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
  0 siblings, 2 replies; 5+ messages in thread
From: Stefan Berger @ 2021-04-21 19:43 UTC (permalink / raw)
  To: jeyu, keyrings, dhowells, zohar, jarkko
  Cc: nayna, linux-integrity, linux-security-module, linux-kernel,
	Stefan Berger

This series adds support for ECDSA-signed kernel modules. It also
attempts to address a kbuild issue where a developer created an ECDSA
key for signing kernel modules and then builds an older version of the
kernel, when bisecting the kernel for example, that does not support
ECDSA keys.

The first patch addresses the kbuild issue of needing to delete that
ECDSA key if it is in certs/signing_key.pem and trigger the creation
of an RSA key. However, for this to work this patch would have to be
backported to previous versions of the kernel but would also only work
for the developer if he/she used a stable version of the kernel to which
this patch was applied. So whether this patch actually achieves the
wanted effect is not always guaranteed.

The 2nd patch adds the support for the ECSDA-signed kernel modules.

This patch depends on the ECDSA support series currently queued here:
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc

  Stefan

v3:
  - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
  - added recommendation to use string hash to Kconfig help text

v2:
  - Adjustment to ECDSA key detector string in 2/2
  - Rephrased cover letter and patch descriptions with Mimi



Stefan Berger (2):
  certs: Trigger creation of RSA module signing key if it's not an RSA
    key
  certs: Add support for using elliptic curve keys for signing modules

 certs/Kconfig                         | 26 ++++++++++++++++++++++++++
 certs/Makefile                        | 14 ++++++++++++++
 crypto/asymmetric_keys/pkcs7_parser.c |  8 ++++++++
 3 files changed, 48 insertions(+)

-- 
2.29.2


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-04-27 23:46 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-21 19:43 [PATCH v3 0/2] Add support for ECDSA-signed kernel modules Stefan Berger
2021-04-21 19:43 ` [PATCH v3 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Stefan Berger
2021-04-27 23:46   ` Jarkko Sakkinen
2021-04-21 19:43 ` [PATCH v3 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-04-27 23:46   ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).