On Sat, Sep 24, 2022 at 8:24 AM Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > > On Thu, Sep 08, 2022 at 09:00:32PM +0100, Ignat Korchagin wrote: > > Kernel Key Retention Service[1] is a useful building block to build secure > > production key management systems. One of its interesting features is > > support for asymmetric keys: we can allow a process to use a certain key > > (decrypt or sign data) without actually allowing the process to read the > > cryptographic key material. By doing so we protect our code from certain > > type of attacks, where a process memory memory leak actually leaks a > > potentially highly sensitive cryptographic material. > > > > But unfortunately only RSA algorithm was supported until now, because > > in-kernel ECDSA implementation supported signature verifications only. > > > > This patchset implements in-kernel ECDSA signature generation and adds > > support for ECDSA signing in the key retention service. The key retention > > service support was taken out of a previous unmerged patchset from Lei He[2] > > > > [1]: https://www.kernel.org/doc/html/latest/security/keys/core.html > > [2]: https://patchwork.kernel.org/project/linux-crypto/list/?series=653034&state=* > > > > Ignat Korchagin (2): > > crypto: add ECDSA signature generation support > > crypto: add ECDSA test vectors from RFC 6979 > > > > lei he (2): > > crypto: pkcs8 parser support ECDSA private keys > > crypto: remove unused field in pkcs8_parse_context > > > > crypto/Kconfig | 3 +- > > crypto/Makefile | 4 +- > > crypto/asymmetric_keys/pkcs8.asn1 | 2 +- > > crypto/asymmetric_keys/pkcs8_parser.c | 46 +++- > > crypto/ecc.c | 9 +- > > crypto/ecdsa.c | 373 +++++++++++++++++++++++++- > > crypto/ecprivkey.asn1 | 6 + > > crypto/testmgr.c | 18 ++ > > crypto/testmgr.h | 333 +++++++++++++++++++++++ > > include/crypto/internal/ecc.h | 11 + > > 10 files changed, 788 insertions(+), 17 deletions(-) > > create mode 100644 crypto/ecprivkey.asn1 > > > > -- > > 2.36.1 > > I need acks for patches 3-4 from David. Thanks! Should I resend patches 1-2 here and maybe 3-4 to the linux-keyrings mailing list? > Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt Ignat