Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules

From: Mimi Zohar
Date: Fri Feb 19 2021 - 11:53:28 EST

Next message: Lakshmi Ramasubramanian: "Re: [PATCH] of: error: 'const struct kimage' has no member named 'arch'"
Previous message: Theodore Ts'o: "Re: 5.10 LTS Kernel: 2 or 6 years?"
In reply to: Stefan Berger: "[PATCH] certs: Add support for using elliptic curve keys for signing modules"
Next in thread: Stefan Berger: "Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>
> This patch adds support for using elliptic curve keys for signing
> modules. It uses a NIST P256 (prime256v1) key if the user chooses an
> elliptic curve key.
>
> A developer choosing an ECDSA key for signing modules has to manually
> delete the signing key (rm certs/signing_key.*) when falling back to
> an older version of a kernel that only supports RSA key since otherwise
> ECDSA-signed modules will not be usable when that older kernel runs.
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>

Thanks, Stefan!

Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.

Tested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Next message: Lakshmi Ramasubramanian: "Re: [PATCH] of: error: 'const struct kimage' has no member named 'arch'"
Previous message: Theodore Ts'o: "Re: 5.10 LTS Kernel: 2 or 6 years?"
In reply to: Stefan Berger: "[PATCH] certs: Add support for using elliptic curve keys for signing modules"
Next in thread: Stefan Berger: "Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]