Re: [PATCH] certs: Add support for using elliptic curve keys for signing modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/19/21 11:52 AM, Mimi Zohar wrote:
On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
From: Stefan Berger <stefanb@xxxxxxxxxxxxx>

This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P256 (prime256v1) key if the user chooses an
elliptic curve key.

A developer choosing an ECDSA key for signing modules has to manually
delete the signing key (rm certs/signing_key.*) when falling back to
an older version of a kernel that only supports RSA key since otherwise
ECDSA-signed modules will not be usable when that older kernel runs.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Thanks, Stefan!

Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.

With Saulo's NIST p384 support we will now be able to improve this patch to use secp384r1 (NIST P384), which is probably the better equivalent to the current RSA 4096.


   Stefan



Tested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux