| Message ID | 20210610125623.1553792-1-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add support for ECDSA-signed kernel modules | expand |
On 6/10/21 8:56 AM, Stefan Berger wrote: > > v6: > - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup > patches to be squashed. Jarkko, take 2/4 and 4/4 and squash them into the respective queued patches. 1/4 and 3/4 are untouched other than what the rebase did to 3/4. Stefan
On Thu, Jun 10, 2021 at 08:56:19AM -0400, Stefan Berger wrote: > This series adds support for ECDSA-signed kernel modules. It also > attempts to address a kbuild issue where a developer created an ECDSA > key for signing kernel modules and then builds an older version of the > kernel, when bisecting the kernel for example, that does not support > ECDSA keys. > > The first patch addresses the kbuild issue of needing to delete that > ECDSA key if it is in certs/signing_key.pem and trigger the creation > of an RSA key. However, for this to work this patch would have to be > backported to previous versions of the kernel but would also only work > for the developer if he/she used a stable version of the kernel to which > this patch was applied. So whether this patch actually achieves the > wanted effect is not always guaranteed. > > The 2nd patch adds the support for the ECSDA-signed kernel modules. > > This patch depends on the ECDSA support series currently queued here: > https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc > > Stefan > > v6: > - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup > patches to be squashed. > > v5: > - do not touch the key files if openssl is not installed; likely > addresses an issue pointed out by kernel test robot > > v4: > - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) > > v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo > - added recommendation to use string hash to Kconfig help text > > v2: > - Adjustment to ECDSA key detector string in 2/2 > - Rephrased cover letter and patch descriptions with Mimi > > > Stefan Berger (4): > certs: Trigger creation of RSA module signing key if it's not an RSA > key > certs: Check whether openssl tool is available > certs: Add support for using elliptic curve keys for signing modules > certs: Adjustment due to 'Check whether openssl tool is available' > > certs/Kconfig | 26 ++++++++++++++++++++++++++ > certs/Makefile | 21 +++++++++++++++++++++ > crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ > 3 files changed, 55 insertions(+) > > -- > 2.29.2 > > Since you know the commit ID's in git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git you could just use fixes-tags and send exactly two patch series. Works better with various tools (e.g. https://pypi.org/project/b4/) /Jarkko
On 6/14/21 3:19 PM, Jarkko Sakkinen wrote: > On Thu, Jun 10, 2021 at 08:56:19AM -0400, Stefan Berger wrote: >> This series adds support for ECDSA-signed kernel modules. It also >> attempts to address a kbuild issue where a developer created an ECDSA >> key for signing kernel modules and then builds an older version of the >> kernel, when bisecting the kernel for example, that does not support >> ECDSA keys. >> >> The first patch addresses the kbuild issue of needing to delete that >> ECDSA key if it is in certs/signing_key.pem and trigger the creation >> of an RSA key. However, for this to work this patch would have to be >> backported to previous versions of the kernel but would also only work >> for the developer if he/she used a stable version of the kernel to which >> this patch was applied. So whether this patch actually achieves the >> wanted effect is not always guaranteed. >> >> The 2nd patch adds the support for the ECSDA-signed kernel modules. >> >> This patch depends on the ECDSA support series currently queued here: >> https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc >> >> Stefan >> >> v6: >> - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup >> patches to be squashed. >> >> v5: >> - do not touch the key files if openssl is not installed; likely >> addresses an issue pointed out by kernel test robot >> >> v4: >> - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) >> >> v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo >> - added recommendation to use string hash to Kconfig help text >> >> v2: >> - Adjustment to ECDSA key detector string in 2/2 >> - Rephrased cover letter and patch descriptions with Mimi >> >> >> Stefan Berger (4): >> certs: Trigger creation of RSA module signing key if it's not an RSA >> key >> certs: Check whether openssl tool is available >> certs: Add support for using elliptic curve keys for signing modules >> certs: Adjustment due to 'Check whether openssl tool is available' >> >> certs/Kconfig | 26 ++++++++++++++++++++++++++ >> certs/Makefile | 21 +++++++++++++++++++++ >> crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ >> 3 files changed, 55 insertions(+) >> >> -- >> 2.29.2 >> >> > Since you know the commit ID's in > > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git > > you could just use fixes-tags and send exactly two patch series. Works > better with various tools (e.g. https://pypi.org/project/b4/) > > /Jarkko So you are not taking v6's 2/4 and 4/4 ?
On Mon, Jun 14, 2021 at 10:19:51PM +0300, Jarkko Sakkinen wrote: > On Thu, Jun 10, 2021 at 08:56:19AM -0400, Stefan Berger wrote: > > This series adds support for ECDSA-signed kernel modules. It also > > attempts to address a kbuild issue where a developer created an ECDSA > > key for signing kernel modules and then builds an older version of the > > kernel, when bisecting the kernel for example, that does not support > > ECDSA keys. > > > > The first patch addresses the kbuild issue of needing to delete that > > ECDSA key if it is in certs/signing_key.pem and trigger the creation > > of an RSA key. However, for this to work this patch would have to be > > backported to previous versions of the kernel but would also only work > > for the developer if he/she used a stable version of the kernel to which > > this patch was applied. So whether this patch actually achieves the > > wanted effect is not always guaranteed. > > > > The 2nd patch adds the support for the ECSDA-signed kernel modules. > > > > This patch depends on the ECDSA support series currently queued here: > > https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc > > > > Stefan > > > > v6: > > - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup > > patches to be squashed. > > > > v5: > > - do not touch the key files if openssl is not installed; likely > > addresses an issue pointed out by kernel test robot > > > > v4: > > - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) > > > > v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo > > - added recommendation to use string hash to Kconfig help text > > > > v2: > > - Adjustment to ECDSA key detector string in 2/2 > > - Rephrased cover letter and patch descriptions with Mimi > > > > > > Stefan Berger (4): > > certs: Trigger creation of RSA module signing key if it's not an RSA > > key > > certs: Check whether openssl tool is available > > certs: Add support for using elliptic curve keys for signing modules > > certs: Adjustment due to 'Check whether openssl tool is available' > > > > certs/Kconfig | 26 ++++++++++++++++++++++++++ > > certs/Makefile | 21 +++++++++++++++++++++ > > crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ > > 3 files changed, 55 insertions(+) > > > > -- > > 2.29.2 > > > > > > Since you know the commit ID's in > > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git > > you could just use fixes-tags and send exactly two patch series. Works > better with various tools (e.g. https://pypi.org/project/b4/) And also since then existence of ancestors is guaranteed. /Jarkko
On Mon, Jun 14, 2021 at 03:20:43PM -0400, Stefan Berger wrote: > > On 6/14/21 3:19 PM, Jarkko Sakkinen wrote: > > On Thu, Jun 10, 2021 at 08:56:19AM -0400, Stefan Berger wrote: > > > This series adds support for ECDSA-signed kernel modules. It also > > > attempts to address a kbuild issue where a developer created an ECDSA > > > key for signing kernel modules and then builds an older version of the > > > kernel, when bisecting the kernel for example, that does not support > > > ECDSA keys. > > > > > > The first patch addresses the kbuild issue of needing to delete that > > > ECDSA key if it is in certs/signing_key.pem and trigger the creation > > > of an RSA key. However, for this to work this patch would have to be > > > backported to previous versions of the kernel but would also only work > > > for the developer if he/she used a stable version of the kernel to which > > > this patch was applied. So whether this patch actually achieves the > > > wanted effect is not always guaranteed. > > > > > > The 2nd patch adds the support for the ECSDA-signed kernel modules. > > > > > > This patch depends on the ECDSA support series currently queued here: > > > https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc > > > > > > Stefan > > > > > > v6: > > > - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup > > > patches to be squashed. > > > > > > v5: > > > - do not touch the key files if openssl is not installed; likely > > > addresses an issue pointed out by kernel test robot > > > > > > v4: > > > - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) > > > v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo > > > - added recommendation to use string hash to Kconfig help text > > > > > > v2: > > > - Adjustment to ECDSA key detector string in 2/2 > > > - Rephrased cover letter and patch descriptions with Mimi > > > > > > > > > Stefan Berger (4): > > > certs: Trigger creation of RSA module signing key if it's not an RSA > > > key > > > certs: Check whether openssl tool is available > > > certs: Add support for using elliptic curve keys for signing modules > > > certs: Adjustment due to 'Check whether openssl tool is available' > > > > > > certs/Kconfig | 26 ++++++++++++++++++++++++++ > > > certs/Makefile | 21 +++++++++++++++++++++ > > > crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ > > > 3 files changed, 55 insertions(+) > > > > > > -- > > > 2.29.2 > > > > > > > > Since you know the commit ID's in > > > > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git > > > > you could just use fixes-tags and send exactly two patch series. Works > > better with various tools (e.g. https://pypi.org/project/b4/) > > > > /Jarkko > > > So you are not taking v6's 2/4 and 4/4 ? I applied the fixes and squashed them to appriopriate commits. /Jarkko
This series adds support for ECDSA-signed kernel modules. It also attempts to address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bisecting the kernel for example, that does not support ECDSA keys. The first patch addresses the kbuild issue of needing to delete that ECDSA key if it is in certs/signing_key.pem and trigger the creation of an RSA key. However, for this to work this patch would have to be backported to previous versions of the kernel but would also only work for the developer if he/she used a stable version of the kernel to which this patch was applied. So whether this patch actually achieves the wanted effect is not always guaranteed. The 2nd patch adds the support for the ECSDA-signed kernel modules. This patch depends on the ECDSA support series currently queued here: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc Stefan v6: - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup patches to be squashed. v5: - do not touch the key files if openssl is not installed; likely addresses an issue pointed out by kernel test robot v4: - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo - added recommendation to use string hash to Kconfig help text v2: - Adjustment to ECDSA key detector string in 2/2 - Rephrased cover letter and patch descriptions with Mimi Stefan Berger (4): certs: Trigger creation of RSA module signing key if it's not an RSA key certs: Check whether openssl tool is available certs: Add support for using elliptic curve keys for signing modules certs: Adjustment due to 'Check whether openssl tool is available' certs/Kconfig | 26 ++++++++++++++++++++++++++ certs/Makefile | 21 +++++++++++++++++++++ crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ 3 files changed, 55 insertions(+)