Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules

From: Stefan Berger
Date: Mon Feb 22 2021 - 09:39:08 EST

Next message: Roger Pau Monné: "Re: [PATCH v3 5/8] xen/events: link interdomain events to associated xenbus device"
Previous message: Jens Axboe: "Re: [RFC PATCH 0/4] Asynchronous passthrough ioctl"
In reply to: Mimi Zohar: "Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/19/21 11:52 AM, Mimi Zohar wrote:

On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:

From: Stefan Berger <stefanb@xxxxxxxxxxxxx>

This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P256 (prime256v1) key if the user chooses an
elliptic curve key.

A developer choosing an ECDSA key for signing modules has to manually
delete the signing key (rm certs/signing_key.*) when falling back to
an older version of a kernel that only supports RSA key since otherwise
ECDSA-signed modules will not be usable when that older kernel runs.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>

Thanks, Stefan!

Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.

With Saulo's NIST p384 support we will now be able to improve this patch to use secp384r1 (NIST P384), which is probably the better equivalent to the current RSA 4096.

Stefan

Tested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Next message: Roger Pau Monné: "Re: [PATCH v3 5/8] xen/events: link interdomain events to associated xenbus device"
Previous message: Jens Axboe: "Re: [RFC PATCH 0/4] Asynchronous passthrough ioctl"
In reply to: Mimi Zohar: "Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]