From: Stefan Berger
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, Stefan Berger
Subject: [PATCH v7 0/2] Add support for ECDSA-signed kernel modules
Date: Mon, 28 Jun 2021 17:43:02 -0400
Message-Id: <20210628214304.4165769-1-stefanb@linux.vnet.ibm.com>
From: Stefan Berger

This series adds support for ECDSA-signed kernel modules. It also attempts
to address a kbuild issue where a developer has created an ECDSA key for
signing kernel modules and then builds an older version of the kernel, when
bisecting the kernel for example, that does not support ECDSA keys.

The first patch addresses the kbuild issue of needing to delete that ECDSA
key if it is in certs/signing_key.pem and trigger the creation of an RSA
key. However, for this to work, this patch would have to be backported to
previous versions of the kernel but would also only work for the developer
if he/she used a stable version of the kernel to which this patch was
applied. So whether this patch actually achieves the wanted effect is not
always guaranteed.

The 2nd patch adds the support for ECDSA-signed kernel modules.

   Stefan

v7:
  - Changed Kconfig reference to kernel version from 5.11 to 5.13
  - Redirecting stderr of openssl to NULL device to address kernel robot
    detected issue
  - Replaced $(CONFIG_MODULE_SIG_KEY) with "certs/signing_key.pem" following
    Linus's suggestion

v6:
  - Patch 2/4 is fixing V4's 1/2 and 4/4 is fixing V4's 2/2. Both fixup
    patches to be squashed.

v5:
  - do not touch the key files if openssl is not installed; likely addresses
    an issue pointed out by kernel test robot

v4:
  - extending 'depends on' with MODULES to (IMA_APPRAISE_MODSIG && MODULES)

v3:
  - added missing OIDs for ECDSA signed hashes to pkcs7_sig_note_pkey_algo
  - added recommendation to use string hash to Kconfig help text

v2:
  - Adjustment to ECDSA key detector string in 2/2
  - Rephrased cover letter and patch descriptions with Mimi

Stefan Berger (2):
  certs: Trigger creation of RSA module signing key if it's not an RSA key
  certs: Add support for using elliptic curve keys for signing modules

 certs/Kconfig                         | 26 ++++++++++++++++++++++++++
 certs/Makefile                        | 21 +++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_parser.c |  8 ++++++++
 3 files changed, 55 insertions(+)

-- 
2.31.1
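The check the cover letter describes for the first patch (look at the key in certs/signing_key.pem, remove it if it is not of the wanted type so the build regenerates one, and leave the files alone when openssl is not installed) can be exercised outside kbuild with the following shell script. This is an added example, not the series' certs/Makefile code: it takes the key path and the wanted type as arguments instead of reading them from Kconfig, and it identifies the key type from the "Public Key Algorithm" line that `openssl x509 -text` prints for the self-signed certificate stored alongside the private key (rsaEncryption for RSA, id-ecPublicKey for EC). The gen_selfsigned helper only exists to build sample key files for trying the check.

```shell
#!/bin/sh
# Added example, not code from the patch series. Mimics the cover letter's
# check: inspect the module signing key and remove it when it is not of the
# wanted type, so the build's key-generation rule runs again. Assumes the
# kernel's file layout: private key and self-signed X.509 cert in one PEM.

# key_kind FILE -> prints one of: rsa, ec, other, missing, no-openssl
key_kind() {
    file=$1
    # Without openssl there is nothing to inspect; do not touch the files
    # (the v5 note in the cover letter).
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    [ -f "$file" ] || { echo missing; return 0; }
    # The certificate's "Public Key Algorithm" names the key type. stderr is
    # sent to /dev/null so a non-key file yields "other" instead of noise in
    # the build log (the v7 note in the cover letter).
    algo=$(openssl x509 -in "$file" -noout -text 2>/dev/null |
           sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case $algo in
        rsaEncryption)  echo rsa ;;
        id-ecPublicKey) echo ec ;;
        *)              echo other ;;
    esac
}

# reset_key_unless FILE WANT -> removes FILE if it holds a key of a type other
# than WANT (rsa or ec). Prints the decision; never fails the build.
reset_key_unless() {
    file=$1 want=$2
    kind=$(key_kind "$file")
    case $kind in
        no-openssl|missing) echo "keep: $kind" ;;
        "$want")            echo "keep: $kind" ;;
        *)                  rm -f "$file"; echo "removed: $kind" ;;
    esac
}

# gen_selfsigned FILE TYPE -> writes private key + self-signed cert into FILE
# (TYPE is rsa or ec). Helper for producing sample inputs only; the curve and
# key size are assumptions for this example.
gen_selfsigned() {
    file=$1 type=$2
    case $type in
        rsa) newkey="rsa:2048" ;;
        ec)  newkey="ec -pkeyopt ec_paramgen_curve:secp384r1" ;;
        *)   return 1 ;;
    esac
    # shellcheck disable=SC2086  # $newkey is meant to split into arguments
    openssl req -new -x509 -nodes -days 1 -batch \
        -subj "/CN=Example module signing key" \
        -newkey $newkey -keyout "$file.key" -out "$file.crt" >/dev/null 2>&1 &&
    cat "$file.key" "$file.crt" > "$file" &&
    rm -f "$file.key" "$file.crt"
}

# Usage when run as a script: ./check_key.sh certs/signing_key.pem rsa
if [ "$#" -eq 2 ]; then
    reset_key_unless "$1" "$2"
fi
```

Pointing the script at certs/signing_key.pem with `rsa` reproduces the first patch's behaviour: an ECDSA key is removed so the next build creates an RSA one, an RSA key is left untouched, and a missing openssl leaves the files alone.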