Date: Wed, 21 Apr 2021 14:52:06 +0200
From: Jessica Yu
To: Stefan Berger
Cc: keyrings@vger.kernel.org, dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org, nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/2] certs: Add support for using elliptic curve keys for signing modules
References: <20210408152403.1189121-1-stefanb@linux.ibm.com> <20210408152403.1189121-3-stefanb@linux.ibm.com> <794ef635-de91-9207-f28b-ab6805fd95c9@linux.ibm.com>
In-Reply-To: <794ef635-de91-9207-f28b-ab6805fd95c9@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

+++ Stefan Berger [20/04/21 17:02 -0400]:
>
>On 4/20/21 10:03 AM, Jessica Yu wrote:
>>+++ Stefan Berger [08/04/21 11:24 -0400]:
>>>
>>>diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
>>>b/crypto/asymmetric_keys/pkcs7_parser.c
>>>index 967329e0a07b..2546ec6a0505 100644
>>>--- a/crypto/asymmetric_keys/pkcs7_parser.c
>>>+++ b/crypto/asymmetric_keys/pkcs7_parser.c
>>>@@ -269,6 +269,10 @@ int pkcs7_sig_note_pkey_algo(void *context,
>>>size_t hdrlen,
>>>??????? ctx->sinfo->sig->pkey_algo = "rsa";
>>>??????? ctx->sinfo->sig->encoding = "pkcs1";
>>>??????? break;
>>>+??? case OID_id_ecdsa_with_sha256:
>>>+??????? ctx->sinfo->sig->pkey_algo = "ecdsa";
>>>+??????? ctx->sinfo->sig->encoding = "x962";
>>>+??????? break;
>>
>>Hi Stefan,
>>
>>Does CONFIG_MODULE_SIG_KEY_TYPE_ECDSA have a dependency on
>>MODULE_SIG_SHA256?
>
>You are right, per the code above it does have a dependency on SHA256.
>ECDSA is using NIST p384 (secp384r1) for signing and per my tests it
>can be paired with all the sha hashes once the code above is extended.
>Now when it comes to module signing, should we pair it with a
>particular hash? I am not currently aware of a guidance document on
>this but sha256 and sha384 seem to be good choices these days, so
>maybe selecting ECDSA module signing should have a 'depends on' on
>these?

Yeah, I would tack on the 'depends on' until the code above has been
extended to cover more sha hashes - because currently if someone builds
and signs a bunch of modules with an ECDSA key, they will fail to load
if they picked something other than sha256. I am unfortunately not
knowledgeable enough to suggest an official guideline on choice of
hash, but for now it is reasonable to have a 'depends on' for which
hashes the code currently supports, so that users don't run into module
loading rejection issues.

Thanks!

Jessica
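Review bot: the new case in pkcs7_sig_note_pkey_algo() notes only OID_id_ecdsa_with_sha256, so a signerInfo whose signatureAlgorithm is ecdsa-with-SHA384 or ecdsa-with-SHA512 matches nothing in this switch and the module signature is rejected even though the key type is now supported; this is the load failure the thread describes for an ECDSA key paired with any hash other than sha256. Either add the sibling cases now (same pkey_algo "ecdsa" and encoding "x962", differing only in the hash the OID implies) or, until that is done, give CONFIG_MODULE_SIG_KEY_TYPE_ECDSA a 'depends on MODULE_SIG_SHA256' so the build cannot produce signatures this parser will not accept.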
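The failure mode Jessica and Stefan are discussing, as an added user-space example that is not kernel code and not part of Stefan's patch: a small C program that walks a PKCS#7 SignedData blob (the blob sign-file appends to a module, in front of the module_signature trailer, which this example does not parse) down to the signerInfo's signatureAlgorithm OID and classifies it the way the patched switch in pkcs7_sig_note_pkey_algo() would. It assumes the rsa/pkcs1 context lines in the hunk are reached from the rsaEncryption OID (the hunk shows only the case body), and it builds its own minimal SignedData sample (empty issuer name, dummy signature bytes, constructed here rather than produced by sign-file) so it runs offline. Changing the last arc of the ecdsa-with-SHA* OID from .2 to .3 or .4 shows why the 'depends on' is needed: the signature parses fine but lands in no case.

```c
/* Added example, not kernel code and not part of Stefan's patch: walk a PKCS#7 SignedData blob
 * to the signerInfo's signatureAlgorithm OID and classify it as the patched
 * pkcs7_sig_note_pkey_algo() switch would: rsaEncryption and ecdsa-with-SHA256 are noted,
 * ecdsa-with-SHA384/512 hit no case and such a module signature is rejected at load time. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum sig_status {
	SIG_MALFORMED, SIG_UNKNOWN_ALGO,
	SIG_NOTED_RSA,          /* pkey_algo "rsa", encoding "pkcs1": the existing case (assumed rsaEncryption) */
	SIG_NOTED_ECDSA_SHA256, /* pkey_algo "ecdsa", encoding "x962": the case the hunk adds */
	SIG_ECDSA_OTHER_HASH    /* well-formed ecdsa-with-SHA224/384/512: no case, module load fails */
};
/* DER content bytes of the OIDs involved */
static const uint8_t OID_SIGNED_DATA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02}; /* 1.2.840.113549.1.7.2 */
static const uint8_t OID_RSA_ENC[]     = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01}; /* 1.2.840.113549.1.1.1 */
static const uint8_t OID_ECDSA_SHA[]   = {0x2a,0x86,0x48,0xce,0x3d,0x04,0x03};           /* 1.2.840.10045.4.3.<arc> */

/* Read one TLV at *cur (short or 1-2 byte long-form length), set tag/val/len, advance past it. */
static int der_read(const uint8_t **cur, const uint8_t *end, uint8_t *tag, const uint8_t **val, size_t *len)
{
	const uint8_t *p = *cur;
	size_t l, n;
	if (end - p < 2) return -1;
	*tag = p[0]; l = p[1]; p += 2;
	if (l & 0x80) {
		n = l & 0x7f;
		if (n == 0 || n > 2 || (size_t)(end - p) < n) return -1;
		for (l = 0; n; n--) l = (l << 8) | *p++;
	}
	if ((size_t)(end - p) < l) return -1;
	*val = p; *len = l; *cur = p + l;
	return 0;
}

/* Read the next TLV and, if it carries the expected tag, descend into its content. */
static int der_enter(const uint8_t **cur, const uint8_t **end, uint8_t want)
{
	const uint8_t *v; size_t l; uint8_t t;
	if (der_read(cur, *end, &t, &v, &l) || t != want) return -1;
	*cur = v; *end = v + l;
	return 0;
}

static enum sig_status classify_pkcs7(const uint8_t *buf, size_t n)
{
	const uint8_t *cur = buf, *end = buf + n, *v = buf; size_t l = 0; uint8_t t = 0; int i;
	if (der_enter(&cur, &end, 0x30) || der_read(&cur, end, &t, &v, &l) || t != 0x06 || /* ContentInfo { contentType, */
	    l != sizeof OID_SIGNED_DATA || memcmp(v, OID_SIGNED_DATA, l)) return SIG_MALFORMED;
	if (der_enter(&cur, &end, 0xa0) || der_enter(&cur, &end, 0x30)) return SIG_MALFORMED; /* [0] { SignedData { */
	for (i = 0; i < 3; i++)                                 /* version, digestAlgorithms, encapContentInfo */
		if (der_read(&cur, end, &t, &v, &l)) return SIG_MALFORMED;
	do {                                                    /* optional [0] certificates, [1] crls */
		if (der_read(&cur, end, &t, &v, &l)) return SIG_MALFORMED;
	} while (t == 0xa0 || t == 0xa1);
	if (t != 0x31) return SIG_MALFORMED;                    /* signerInfos SET { */
	cur = v; end = v + l;
	if (der_enter(&cur, &end, 0x30)) return SIG_MALFORMED;   /* first SignerInfo { */
	for (i = 0; i < 3; i++)                                 /* version, sid, digestAlgorithm */
		if (der_read(&cur, end, &t, &v, &l)) return SIG_MALFORMED;
	if (der_read(&cur, end, &t, &v, &l)) return SIG_MALFORMED;
	if (t == 0xa0 && der_read(&cur, end, &t, &v, &l)) return SIG_MALFORMED; /* skip signedAttrs */
	if (t != 0x30) return SIG_MALFORMED;                    /* signatureAlgorithm { */
	cur = v; end = v + l;
	if (der_read(&cur, end, &t, &v, &l) || t != 0x06) return SIG_MALFORMED;
	if (l == sizeof OID_RSA_ENC && !memcmp(v, OID_RSA_ENC, l)) return SIG_NOTED_RSA;
	if (l == sizeof OID_ECDSA_SHA + 1 && !memcmp(v, OID_ECDSA_SHA, sizeof OID_ECDSA_SHA))
		return v[l - 1] == 0x02 ? SIG_NOTED_ECDSA_SHA256 : SIG_ECDSA_OTHER_HASH; /* .2 SHA256, .3 SHA384, .4 SHA512 */
	return SIG_UNKNOWN_ALGO;
}

/* Constructed sample, not produced by sign-file: a minimal SignedData whose single signerInfo uses
 * ecdsa-with-SHA<arc> (.2 = 256, .3 = 384, .4 = 512) with an empty issuer name and dummy signature
 * bytes. Returns what the patched parser would make of such a module signature. */
static enum sig_status classify_sample(uint8_t hash_arc)
{
	uint8_t pkcs7[93] = {
	0x30,0x5b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02,            /* ContentInfo { signedData, */
	0xa0,0x4e, 0x30,0x4c, 0x02,0x01,0x01,                                       /* [0] { SignedData { v1, */
	0x31,0x0d,0x30,0x0b,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, /*   digestAlgorithms { sha256 }, */
	0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,            /*   encapContentInfo { id-data }, */
	0x31,0x2b, 0x30,0x29, 0x02,0x01,0x01,                                       /*   signerInfos { SignerInfo { v1, */
	0x30,0x05,0x30,0x00,0x02,0x01,0x01,                                         /*     issuerAndSerialNumber, */
	0x30,0x0b,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,            /*     digestAlgorithm sha256, */
	0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x00,                 /*     signatureAlgorithm (arc set below), */
	0x04,0x04,0xde,0xad,0xbe,0xef };                                            /*     signature } } } } */
	pkcs7[86] = hash_arc;                                   /* last arc of the signatureAlgorithm OID */
	return classify_pkcs7(pkcs7, sizeof pkcs7);
}
```

classify_sample(0x02) comes back as the noted ecdsa/x962 case, while 0x03 and 0x04 (ecdsa-with-SHA384 and -SHA512) come back as SIG_ECDSA_OTHER_HASH: the DER is sound and the key type is supported, but nothing in the patched switch notes the algorithm, which is the rejection a 'depends on MODULE_SIG_SHA256' prevents the build from producing in the first place.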