On 2/19/21 11:52 AM, Mimi Zohar wrote:
On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P256 (prime256v1) key if the user chooses an
elliptic curve key.
A developer choosing an ECDSA key for signing modules has to manually
delete the signing key (rm certs/signing_key.*) when falling back to
an older version of a kernel that only supports RSA key since otherwise
ECDSA-signed modules will not be usable when that older kernel runs.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Thanks, Stefan!
Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.
With Saulo's NIST p384 support we will now be able to improve this patch
to use secp384r1 (NIST P384), which is probably the better equivalent to
the current RSA 4096.
Stefan
Tested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>