On Mon, 2018-03-12 at 19:07 +0200, Tudor Ambarus wrote: > Hi, > > Would you consider using ECDSA in the kernel module signing facility? > When compared with RSA, ECDSA has shorter keys, the key generation > process is faster, the sign operation is faster, but the verify > operation is slower than with RSA. You missed the keyrings list, which is where the module signing utility is discussed. First question is, have you actually tried? It looks like sign-file doesn't do anything RSA specific so if you give it an EC X.509 certificate it will produce an ECDSA signature. I think our kernel internal x509 parsers don't have the EC OIDs, so signature verification will fail; but, especially since we have the rest of the EC machinery in the crypto subsystem, that looks to be simply fixable. James