Am Montag, 12. März 2018, 19:09:18 CET schrieb James Bottomley: Hi James, > On Mon, 2018-03-12 at 19:07 +0200, Tudor Ambarus wrote: > > Hi, > > > > Would you consider using ECDSA in the kernel module signing facility? > > When compared with RSA, ECDSA has shorter keys, the key generation > > process is faster, the sign operation is faster, but the verify > > operation is slower than with RSA. > > You missed the keyrings list, which is where the module signing utility > is discussed. > > First question is, have you actually tried? It looks like sign-file > doesn't do anything RSA specific so if you give it an EC X.509 > certificate it will produce an ECDSA signature. > > I think our kernel internal x509 parsers don't have the EC OIDs, so > signature verification will fail; but, especially since we have the > rest of the EC machinery in the crypto subsystem, that looks to be > simply fixable. ECDSA is not implemented currently in the kernel crypto API. > > James Ciao Stephan