| Message ID | 20210628214304.4165769-1-stefanb@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| Headers | show
Return-Path: <keyrings-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable
autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
by smtp.lore.kernel.org (Postfix) with ESMTP id 102D2C11F67
for <keyrings@archiver.kernel.org>; Mon, 28 Jun 2021 21:43:32 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
by mail.kernel.org (Postfix) with ESMTP id E045761D01
for <keyrings@archiver.kernel.org>; Mon, 28 Jun 2021 21:43:31 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S235755AbhF1Vpv (ORCPT <rfc822;keyrings@archiver.kernel.org>);
Mon, 28 Jun 2021 17:45:51 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:61452 "EHLO
mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
by vger.kernel.org with ESMTP id S232143AbhF1Vpt (ORCPT
<rfc822;keyrings@vger.kernel.org>); Mon, 28 Jun 2021 17:45:49 -0400
Received: from pps.filterd (m0098419.ppops.net [127.0.0.1])
by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
15SLYNiw022330;
Mon, 28 Jun 2021 17:43:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com;
h=from : to : cc : subject
: date : message-id : mime-version : content-transfer-encoding; s=pp1;
bh=Amd8PSGivbCw1qlikicw4t27JAQ5ZzwLjDdgFyDAvgA=;
b=TyGLQ0gDnuMW3x82DJgf7VP1AtKMI0gsVYRC7yg/Mky34EwFeXlIXMm158sjG/nePZJM
JGuK1O0zHKWesYb9plAs3pmSsWrgJlJG6F5z4nGt/tjfUMjJr0wRd6WkTjcKGu3FDTiG
3852Am8Z9NrFWy/nASGFsLLBVu+KSpjc7eODFqoStDiO1qLSM7+bVJqRgUCGG3HN0hrO
cXS0ghhJ9s/ldhqemNhkaAD2OY/w3Jahq/1fgDEFzpo12bayDOcG1jIScwlD6G5sAHE9
LxxGeWmhGXpD5I/w7edi/ytvGQR/XbJAYWBU5WpwtDHHxCBwdEJicUJ4g5jr0g4yCzTz UA==
Received: from pps.reinject (localhost [127.0.0.1])
by mx0b-001b2d01.pphosted.com with ESMTP id 39fd08ht66-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 28 Jun 2021 17:43:15 -0400
Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1])
by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 15SLZjoo025216;
Mon, 28 Jun 2021 17:43:14 -0400
Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com
[169.62.189.10])
by mx0b-001b2d01.pphosted.com with ESMTP id 39fd08ht5u-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 28 Jun 2021 17:43:14 -0400
Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1])
by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id
15SLcDD7031404;
Mon, 28 Jun 2021 21:43:14 GMT
Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com
[9.57.198.25])
by ppma02dal.us.ibm.com with ESMTP id 39duvbe0bg-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 28 Jun 2021 21:43:14 +0000
Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com
[9.57.199.107])
by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP
id 15SLhD8B38863318
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Mon, 28 Jun 2021 21:43:13 GMT
Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 4E7A0124054;
Mon, 28 Jun 2021 21:43:13 +0000 (GMT)
Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 33547124053;
Mon, 28 Jun 2021 21:43:13 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.47.158.152])
by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP;
Mon, 28 Jun 2021 21:43:13 +0000 (GMT)
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com,
dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, torvalds@linux-foundation.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v7 0/2] Add support for ECDSA-signed kernel modules
Date: Mon, 28 Jun 2021 17:43:02 -0400
Message-Id: <20210628214304.4165769-1-stefanb@linux.vnet.ibm.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: SULidijcSYsGqoL3jJGOgnVY7QONAe2u
X-Proofpoint-ORIG-GUID: S07y7ZN4v3heSAkXtMMS87vdaQtaU4L5
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790
definitions=2021-06-28_14:2021-06-25,2021-06-28 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
clxscore=1011 spamscore=0
priorityscore=1501 mlxscore=0 adultscore=0 suspectscore=0
lowpriorityscore=0 phishscore=0 malwarescore=0 impostorscore=0
mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx
scancount=1 engine=8.12.0-2104190000 definitions=main-2106280140
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org
|
| Series |
Add support for ECDSA-signed kernel modules
|
expand
|
From: Stefan Berger <stefanb@linux.ibm.com> This series adds support for ECDSA-signed kernel modules. It also attempts to address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bisecting the kernel for example, that does not support ECDSA keys. The first patch addresses the kbuild issue of needing to delete that ECDSA key if it is in certs/signing_key.pem and trigger the creation of an RSA key. However, for this to work this patch would have to be backported to previous versions of the kernel but would also only work for the developer if he/she used a stable version of the kernel to which this patch was applied. So whether this patch actually achieves the wanted effect is not always guaranteed. The 2nd patch adds the support for the ECSDA-signed kernel modules. Stefan v7: - Changed Kconfig reference to kernel version from 5.11 to 5.13 - Redirecting stderr of openssl to NULL device to address kernel robot detected issue - Replaced $(CONFIG_MODULE_SIG_KEY) with "certs/signing_key.pem" following Linus's suggestion v6: - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup patches to be squashed. v5: - do not touch the key files if openssl is not installed; likely addresses an issue pointed out by kernel test robot v4: - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES) v3: - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo - added recommendation to use string hash to Kconfig help text v2: - Adjustment to ECDSA key detector string in 2/2 - Rephrased cover letter and patch descriptions with Mimi Stefan Berger (2): certs: Trigger creation of RSA module signing key if it's not an RSA key certs: Add support for using elliptic curve keys for signing modules certs/Kconfig | 26 ++++++++++++++++++++++++++ certs/Makefile | 21 +++++++++++++++++++++ crypto/asymmetric_keys/pkcs7_parser.c | 8 ++++++++ 3 files changed, 55 insertions(+)