| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Feb 2021 11:52:30 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>,
keyrings@...r.kernel.org, dhowells@...hat.com, dwmw2@...radead.org,
linux-security-module@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
nayna@...ux.ibm.com, saulo.alessandre@...il.com,
Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH] certs: Add support for using elliptic curve keys for
signing modules
On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@...ux.ibm.com>
>
> This patch adds support for using elliptic curve keys for signing
> modules. It uses a NIST P256 (prime256v1) key if the user chooses an
> elliptic curve key.
>
> A developer choosing an ECDSA key for signing modules has to manually
> delete the signing key (rm certs/signing_key.*) when falling back to
> an older version of a kernel that only supports RSA key since otherwise
> ECDSA-signed modules will not be usable when that older kernel runs.
>
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
Thanks, Stefan!
Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.
Tested-by: Mimi Zohar <zohar@...ux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Powered by blists - more mailing lists