From: Stefan Berger
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Berger
Subject: [PATCH v6 0/4] Add support for ECDSA-signed kernel modules
Date: Thu, 10 Jun 2021 08:56:19 -0400
Message-Id: <20210610125623.1553792-1-stefanb@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This series adds support for ECDSA-signed kernel modules. It also attempts
to address a kbuild issue where a developer created an ECDSA key for
signing kernel modules and then builds an older version of the kernel,
when bisecting the kernel for example, that does not support ECDSA keys.

The first patch addresses the kbuild issue of needing to delete that ECDSA
key if it is in certs/signing_key.pem and trigger the creation of an RSA
key. However, for this to work this patch would have to be backported to
previous versions of the kernel but would also only work for the developer
if he/she used a stable version of the kernel to which this patch was
applied. So whether this patch actually achieves the wanted effect is not
always guaranteed.

The 2nd patch adds the support for the ECDSA-signed kernel modules.
This patch depends on the ECDSA support series currently queued here:

https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc

  Stefan

v6:
 - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup
   patches to be squashed.
v5:
 - do not touch the key files if openssl is not installed; likely
   addresses an issue pointed out by kernel test robot
v4:
 - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)
v3:
 - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
 - added recommendation to use string hash to Kconfig help text
v2:
 - Adjustment to ECDSA key detector string in 2/2
 - Rephrased cover letter and patch descriptions with Mimi

Stefan Berger (4):
  certs: Trigger creation of RSA module signing key if it's not an RSA key
  certs: Check whether openssl tool is available
  certs: Add support for using elliptic curve keys for signing modules
  certs: Adjustment due to 'Check whether openssl tool is available'

 certs/Kconfig                         | 26 ++++++++++++++++++++++++++
 certs/Makefile                        | 21 +++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_parser.c |  8 ++++++++
 3 files changed, 55 insertions(+)

-- 
2.29.2
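The kbuild behaviour the cover letter describes (delete a non-RSA module signing key so that an older kernel regenerates an RSA one, and leave the key files alone when the openssl tool is missing), written out as a stand-alone POSIX shell check. This is an added example, not the series' own Makefile code; the function names, the key-file argument and the throwaway key helper are assumptions, and the check uses the private key's type rather than whatever detector string the patches themselves use.

```shell
#!/bin/sh
# Added example, not the patch series' Makefile code. Reproduces the kbuild
# logic from the cover letter as a stand-alone check: if the key in
# certs/signing_key.pem is not an RSA key (e.g. ECDSA), delete it so the
# build regenerates an RSA key; if openssl is not installed, do nothing.

# Print the signing key's algorithm class: rsa, other, missing or no-openssl.
signing_key_algo() {
    keyfile="$1"
    # v5 behaviour: without the openssl tool, leave the key files untouched.
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    [ -f "$keyfile" ] || { echo missing; return 0; }
    # `openssl rsa` exits non-zero when the PEM private key is not RSA
    # ("Not an RSA key" / "unable to load Private Key"); that is the detector.
    if openssl rsa -in "$keyfile" -noout </dev/null >/dev/null 2>&1; then
        echo rsa
    else
        echo other
    fi
    return 0
}

# Decide what the build should do with the key and print the action taken:
# keep, regenerate (a non-RSA key is removed first) or skip.
check_signing_key() {
    keyfile="$1"
    case "$(signing_key_algo "$keyfile")" in
        rsa)        echo keep ;;
        other)      rm -f "$keyfile"; echo regenerate ;;
        missing)    echo regenerate ;;
        no-openssl) echo skip ;;
    esac
    return 0
}

# Test fixture (constructed, throwaway): write an unencrypted RSA or EC private
# key to OUTFILE so the check above can be exercised outside a kernel tree.
make_test_key() {   # make_test_key OUTFILE rsa|ec
    case "$2" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$1" >/dev/null 2>&1 ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$1" \
                 >/dev/null 2>&1 ;;
    esac
}
```

From a kernel tree, `check_signing_key certs/signing_key.pem` before building an older kernel prints `regenerate` and removes an ECDSA key, so the normal kbuild rule creates an RSA key on the next build.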