From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
davem@davemloft.net, herbert@gondor.apana.org.au,
dhowells@redhat.com, zohar@linux.ibm.com
Cc: linux-kernel@vger.kernel.org, patrick@puiterwijk.org,
linux-integrity@vger.kernel.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v9 9/9] certs: Add support for using elliptic curve keys for signing modules
Date: Thu, 25 Feb 2021 11:08:02 -0500 [thread overview]
Message-ID: <20210225160802.2478700-10-stefanb@linux.vnet.ibm.com> (raw)
In-Reply-To: <20210225160802.2478700-1-stefanb@linux.vnet.ibm.com>
From: Stefan Berger <stefanb@linux.ibm.com>
This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P384 (secp384r1) key if the user chooses an
elliptic curve key and will have ECDSA support built into the kernel.
Note: A developer choosing an ECDSA key for signing modules has to
manually delete the signing key (rm certs/signing_key.*) when falling
back to building an older version of a kernel that only supports RSA
keys since otherwise ECDSA-signed modules will not be usable when that
older kernel runs and the ECDSA key was still used for signing modules.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
v8->v9:
- Automatically select CONFIG_ECDSA for built-in ECDSA support
- Added help documentation
This patch builds on top Nayna's series for 'kernel build support for
loading the kernel module signing key'.
- https://lkml.org/lkml/2021/2/18/856
---
certs/Kconfig | 22 ++++++++++++++++++++++
certs/Makefile | 14 ++++++++++++++
crypto/asymmetric_keys/pkcs7_parser.c | 4 ++++
3 files changed, 40 insertions(+)
diff --git a/certs/Kconfig b/certs/Kconfig
index 48675ad319db..919db43ce80b 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -15,6 +15,28 @@ config MODULE_SIG_KEY
then the kernel will automatically generate the private key and
certificate as described in Documentation/admin-guide/module-signing.rst
+choice
+ prompt "Type of module signing key to be generated"
+ default MODULE_SIG_KEY_TYPE_RSA
+ help
+ The type of module signing key type to generated. This option
+ does not apply if a #PKCS11 URI is used.
+
+config MODULE_SIG_KEY_TYPE_RSA
+ bool "RSA"
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
+ help
+ Use an RSA key for module signing.
+
+config MODULE_SIG_KEY_TYPE_ECDSA
+ bool "ECDSA"
+ select CRYPTO_ECDSA
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
+ help
+ Use an elliptic curve key (NIST P384) for module signing.
+
+endchoice
+
config SYSTEM_TRUSTED_KEYRING
bool "Provide system-wide ring of trusted keys"
depends on KEYS
diff --git a/certs/Makefile b/certs/Makefile
index 3fe6b73786fa..c487d7021c54 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -69,6 +69,18 @@ else
SIGNER = -signkey $(obj)/signing_key.key
endif # CONFIG_IMA_APPRAISE_MODSIG
+X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text)
+
+# Support user changing key type
+ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
+keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
+$(if $(findstring ecdsa-with-,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY)))
+endif
+
+ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA
+$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY)))
+endif
+
$(obj)/signing_key.pem: $(obj)/x509.genkey
@$(kecho) "###"
@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
@@ -86,12 +98,14 @@ ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
-batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(CA_KEY) \
-keyout $(CA_KEY) -extensions ca_ext \
+ $(keytype_openssl) \
$($(quiet)redirect_openssl)
endif # CONFIG_IMA_APPRAISE_MODSIG
$(Q)openssl req -new -nodes -utf8 \
-batch -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.csr \
-keyout $(obj)/signing_key.key -extensions myexts \
+ $(keytype_openssl) \
$($(quiet)redirect_openssl)
$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 967329e0a07b..2546ec6a0505 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -269,6 +269,10 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
ctx->sinfo->sig->pkey_algo = "rsa";
ctx->sinfo->sig->encoding = "pkcs1";
break;
+ case OID_id_ecdsa_with_sha256:
+ ctx->sinfo->sig->pkey_algo = "ecdsa";
+ ctx->sinfo->sig->encoding = "x962";
+ break;
default:
printk("Unsupported pkey algo: %u\n", ctx->last_oid);
return -ENOPKG;
--
2.29.2
next prev parent reply other threads:[~2021-02-25 16:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 16:07 [PATCH v9 0/9] Add support for x509 certs with NIST P384/256/192 keys Stefan Berger
2021-02-25 16:07 ` [PATCH v9 1/9] crypto: Add support for ECDSA signature verification Stefan Berger
2021-02-25 16:07 ` [PATCH v9 2/9] x509: Detect sm2 keys by their parameters OID Stefan Berger
2021-03-03 23:46 ` Stefan Berger
2021-03-05 7:37 ` Tianjia Zhang
2021-03-05 15:04 ` Stefan Berger
2021-03-08 6:58 ` Tianjia Zhang
2021-02-25 16:07 ` [PATCH v9 3/9] x509: Add support for parsing x509 certs with ECDSA keys Stefan Berger
2021-02-25 16:07 ` [PATCH v9 4/9] ima: Support EC keys for signature verification Stefan Berger
2021-02-25 16:07 ` [PATCH v9 5/9] x509: Add OID for NIST P384 and extend parser for it Stefan Berger
2021-02-25 16:07 ` [PATCH v9 6/9] crypto: Add NIST P384 curve parameters Stefan Berger
2021-03-04 5:28 ` Herbert Xu
2021-03-04 13:59 ` Stefan Berger
2021-03-04 22:31 ` Herbert Xu
2021-02-25 16:08 ` [PATCH v9 7/9] crypto: Add math to support fast NIST P384 Stefan Berger
2021-02-25 16:08 ` [PATCH v9 8/9] ecdsa: Register NIST P384 and extend test suite Stefan Berger
2021-02-25 16:08 ` Stefan Berger [this message]
2021-02-27 3:35 ` [PATCH v9 9/9] certs: Add support for using elliptic curve keys for signing modules yumeng
2021-03-01 13:11 ` Mimi Zohar
2021-03-02 1:04 ` yumeng
2021-03-01 21:19 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210225160802.2478700-10-stefanb@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.