| Message ID | 20210629213421.60320-1-stefanb@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add support for ECDSA-signed kernel modules | expand |
On Tue, Jun 29, 2021 at 05:34:19PM -0400, Stefan Berger wrote: > From: Stefan Berger <stefanb@linux.ibm.com> > > This series adds support for ECDSA-signed kernel modules. It also > attempts to address a kbuild issue where a developer created an ECDSA > key for signing kernel modules and then builds an older version of the > kernel, when bisecting the kernel for example, that does not support > ECDSA keys. > > The first patch addresses the kbuild issue of needing to delete that > ECDSA key if it is in certs/signing_key.pem and trigger the creation > of an RSA key. However, for this to work this patch would have to be > backported to previous versions of the kernel but would also only work > for the developer if he/she used a stable version of the kernel to which > this patch was applied. So whether this patch actually achieves the > wanted effect is not always guaranteed. > > The 2nd patch adds the support for the ECSDA-signed kernel modules. > > Stefan > > v8: > - Removed R-b tags and reordered Cc tags > > v7: > - Changed Kconfig reference to kernel version from 5.11 to 5.13 > - Redirecting stderr of openssl to NULL device to address kernel robot > detected issue > - Replaced $(CONFIG_MODULE_SIG_KEY) with "certs/signing_key.pem" following > Linus's suggestion > > v6: > - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup > patches to be squashed. > > v5: > - do not touch the key files if openssl is not installed; likely > addresses an issue pointed out by kernel test robot > > v4: > - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) > > v3: > - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo > - added recommendation to use string hash to Kconfig help text > > v2: > - Adjustment to ECDSA key detector string in 2/2 > - Rephrased cover letter and patch descriptions with Mimi > > > Stefan Berger (2): > certs: Trigger creation of RSA module signing key if it's not an RSA > key > certs: Add support for using elliptic curve keys for signing modules > > certs/Kconfig | 26 ++++++++++++++++++++++++++ > certs/Makefile | 21 +++++++++++++++++++++ > crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ > 3 files changed, 55 insertions(+) > > -- > 2.31.1 > > LGTM For both: Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> /Jarkko
From: Stefan Berger <stefanb@linux.ibm.com> This series adds support for ECDSA-signed kernel modules. It also attempts to address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bisecting the kernel for example, that does not support ECDSA keys. The first patch addresses the kbuild issue of needing to delete that ECDSA key if it is in certs/signing_key.pem and trigger the creation of an RSA key. However, for this to work this patch would have to be backported to previous versions of the kernel but would also only work for the developer if he/she used a stable version of the kernel to which this patch was applied. So whether this patch actually achieves the wanted effect is not always guaranteed. The 2nd patch adds the support for the ECSDA-signed kernel modules. Stefan v8: - Removed R-b tags and reordered Cc tags v7: - Changed Kconfig reference to kernel version from 5.11 to 5.13 - Redirecting stderr of openssl to NULL device to address kernel robot detected issue - Replaced $(CONFIG_MODULE_SIG_KEY) with "certs/signing_key.pem" following Linus's suggestion v6: - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup patches to be squashed. v5: - do not touch the key files if openssl is not installed; likely addresses an issue pointed out by kernel test robot v4: - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo - added recommendation to use string hash to Kconfig help text v2: - Adjustment to ECDSA key detector string in 2/2 - Rephrased cover letter and patch descriptions with Mimi Stefan Berger (2): certs: Trigger creation of RSA module signing key if it's not an RSA key certs: Add support for using elliptic curve keys for signing modules certs/Kconfig | 26 ++++++++++++++++++++++++++ certs/Makefile | 21 +++++++++++++++++++++ crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ 3 files changed, 55 insertions(+)