Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules

From: Stefan Berger
Date: Mon Jun 14 2021 - 15:21:00 EST

Next message: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH] qlcnic: Fix an error handling path in 'qlcnic_probe()'"
In reply to: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/14/21 3:19 PM, Jarkko Sakkinen wrote:

On Thu, Jun 10, 2021 at 08:56:19AM -0400, Stefan Berger wrote:

This series adds support for ECDSA-signed kernel modules. It also
attempts to address a kbuild issue where a developer created an ECDSA
key for signing kernel modules and then builds an older version of the
kernel, when bisecting the kernel for example, that does not support
ECDSA keys.

The first patch addresses the kbuild issue of needing to delete that
ECDSA key if it is in certs/signing_key.pem and trigger the creation
of an RSA key. However, for this to work this patch would have to be
backported to previous versions of the kernel but would also only work
for the developer if he/she used a stable version of the kernel to which
this patch was applied. So whether this patch actually achieves the
wanted effect is not always guaranteed.

The 2nd patch adds the support for the ECSDA-signed kernel modules.

This patch depends on the ECDSA support series currently queued here:
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc

Stefan

v6:
- Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup
patches to be squashed.

v5:
- do not touch the key files if openssl is not installed; likely
addresses an issue pointed out by kernel test robot

v4:
- extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)
v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
- added recommendation to use string hash to Kconfig help text

v2:
- Adjustment to ECDSA key detector string in 2/2
- Rephrased cover letter and patch descriptions with Mimi

Stefan Berger (4):
certs: Trigger creation of RSA module signing key if it's not an RSA
key
certs: Check whether openssl tool is available
certs: Add support for using elliptic curve keys for signing modules
certs: Adjustment due to 'Check whether openssl tool is available'

certs/Kconfig | 26 ++++++++++++++++++++++++++
certs/Makefile | 21 +++++++++++++++++++++
crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++
3 files changed, 55 insertions(+)

--
2.29.2

Since you know the commit ID's in

git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

you could just use fixes-tags and send exactly two patch series. Works
better with various tools (e.g. https://pypi.org/project/b4/)

/Jarkko

So you are not taking v6's 2/4 and 4/4 ?

Next message: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH] qlcnic: Fix an error handling path in 'qlcnic_probe()'"
In reply to: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Next in thread: Jarkko Sakkinen: "Re: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]