From: Stefan Berger
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Berger
Subject: [PATCH v5 0/2] Add support for ECDSA-signed kernel modules
Date: Wed, 2 Jun 2021 10:35:35 -0400
Message-Id: <20210602143537.545132-1-stefanb@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This series adds support for ECDSA-signed kernel modules. It also attempts to address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bisecting the kernel for example, that does not support ECDSA keys.

The first patch addresses the kbuild issue of needing to delete that ECDSA key if it is in certs/signing_key.pem and trigger the creation of an RSA key. However, for this to work this patch would have to be backported to previous versions of the kernel, but it would also only work for the developer if he/she used a stable version of the kernel to which this patch was applied. So whether this patch actually achieves the wanted effect is not always guaranteed.

The 2nd patch adds the support for the ECDSA-signed kernel modules.

This patch depends on the ECDSA support series currently queued here:
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc

  Stefan

v5:
  - do not touch the key files if openssl is not installed; likely addresses an issue pointed out by kernel test robot

v4:
  - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)

v3:
  - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
  - added recommendation to use string hash to Kconfig help text

v2:
  - Adjustment to ECDSA key detector string in 2/2
  - Rephrased cover letter and patch descriptions with Mimi

Stefan Berger (2):
  certs: Trigger creation of RSA module signing key if it's not an RSA key
  certs: Add support for using elliptic curve keys for signing modules

 certs/Kconfig                         | 26 ++++++++++++++++++++++++++
 certs/Makefile                        | 21 +++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_parser.c |  8 ++++++++
 3 files changed, 55 insertions(+)

-- 
2.29.2
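The check that the first patch describes, deciding whether the key already sitting in certs/signing_key.pem is an RSA key and removing it otherwise so the build regenerates one, is shown below as an added example. This is not code from the series or from the kernel build (kbuild does it with openssl and make); it is a stand-alone Python script that reads the PEM file, locates the private key block and classifies it by the algorithm OID in the PKCS#8 PrivateKeyInfo (rsaEncryption 1.2.840.113549.1.1.1 versus id-ecPublicKey 1.2.840.10045.2.1), or by the PEM label for legacy PKCS#1/SEC1 files. The function names, the file layout assumptions and the sample keys are mine; the samples are built from dummy key bytes and are not usable keys.

```python
"""Detect whether an autogenerated module signing key is RSA or EC.

Added example, not part of the patch series or of the kernel build (kbuild
performs this check with openssl and make).  Sample keys are constructed with
dummy key bytes: they parse like real PKCS#8 files but are not usable keys.
"""
import base64
import os
import re
import tempfile

OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey
OID_SECP384R1 = "1.3.132.0.34"     # curve used here for the EC sample

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_read(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a SEQUENCE into its (tag, contents) elements."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def der_decode_oid(contents):
    """Turn OID content octets into dotted-decimal form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def key_algorithm(pem_text):
    """Return 'rsa', 'ec' or 'unknown' for the first private key block found.

    signing_key.pem holds the private key and the certificate; the private
    key block alone is enough to tell the key type, so the cert is skipped.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "RSA PRIVATE KEY":         # PKCS#1: type only in the label
            return "rsa"
        if label == "EC PRIVATE KEY":          # SEC1: likewise
            return "ec"
        if label == "PRIVATE KEY":             # PKCS#8 PrivateKeyInfo
            try:
                tag, info, _ = der_read(base64.b64decode("".join(body.split())))
                if tag != 0x30:
                    return "unknown"
                # PrivateKeyInfo ::= SEQUENCE { version INTEGER,
                #   privateKeyAlgorithm AlgorithmIdentifier, privateKey OCTET STRING }
                _version, (_, alg), _key = der_children(info)[:3]
                oid_tag, oid_val = der_children(alg)[0]
                if oid_tag != 0x06:
                    return "unknown"
                return {OID_RSA: "rsa", OID_EC: "ec"}.get(der_decode_oid(oid_val), "unknown")
            except (IndexError, ValueError):   # truncated DER or bad base64
                return "unknown"
    return "unknown"


def reconcile_signing_key(path, wanted="rsa"):
    """Delete the key file when it is not of the wanted type so that the next
    build regenerates it; returns True when the file was removed."""
    if not os.path.exists(path):
        return False
    with open(path) as f:
        if key_algorithm(f.read()) == wanted:
            return False
    os.remove(path)
    return True


# --- constructed sample input (dummy key material, not real keys) -------------
def _der(tag, contents):
    """Minimal DER TLV encoder used only to build the samples."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                                # base-128, high bit on all but last
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def sample_pkcs8_pem(alg_oid, params):
    alg = _der(0x30, _der_oid(alg_oid) + params)
    info = _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, b"\x00" * 32))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(info).decode() + "-----END PRIVATE KEY-----\n"


SAMPLE_EC_PEM = sample_pkcs8_pem(OID_EC, _der_oid(OID_SECP384R1))  # EC params = curve OID
SAMPLE_RSA_PEM = sample_pkcs8_pem(OID_RSA, b"\x05\x00")           # RSA params = NULL


def demo_reconcile():
    """Write the EC sample as signing_key.pem, ask for RSA: the file must go."""
    path = os.path.join(tempfile.mkdtemp(), "signing_key.pem")
    with open(path, "w") as f:
        f.write(SAMPLE_EC_PEM)
    return reconcile_signing_key(path, wanted="rsa"), os.path.exists(path)


if __name__ == "__main__":
    print("ec sample  ->", key_algorithm(SAMPLE_EC_PEM))
    print("rsa sample ->", key_algorithm(SAMPLE_RSA_PEM))
    print("reconcile  ->", demo_reconcile())
```

Run it against a real certs/signing_key.pem with key_algorithm(open(path).read()); an unreadable or truncated file reports "unknown" rather than raising, which is the safe answer for a build step that decides whether to delete a key, and is the reason the v5 changelog's "do not touch the key files if openssl is not installed" matters: a check that cannot classify the key should leave it alone.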