From: Ignat Korchagin
Date: Tue, 27 Sep 2022 22:18:14 +0100
Subject: Re: [PATCH 0/4] crypto: add ECDSA signature support to key retention service
To: Herbert Xu
Cc: David Howells, "David S. Miller", linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, lei he, kernel-team@cloudflare.com
References: <20220908200036.2034-1-ignat@cloudflare.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Sat, Sep 24, 2022 at 8:24 AM Herbert Xu wrote:
>
> On Thu, Sep 08, 2022 at 09:00:32PM +0100, Ignat Korchagin wrote:
> > Kernel Key Retention Service[1] is a useful building block to build secure
> > production key management systems. One of its interesting features is
> > support for asymmetric keys: we can allow a process to use a certain key
> > (decrypt or sign data) without actually allowing the process to read the
> > cryptographic key material.
> > By doing so we protect our code from certain
> > type of attacks, where a process memory leak actually leaks a
> > potentially highly sensitive cryptographic material.
> >
> > But unfortunately only RSA algorithm was supported until now, because
> > in-kernel ECDSA implementation supported signature verifications only.
> >
> > This patchset implements in-kernel ECDSA signature generation and adds
> > support for ECDSA signing in the key retention service. The key retention
> > service support was taken out of a previous unmerged patchset from Lei He[2]
> >
> > [1]: https://www.kernel.org/doc/html/latest/security/keys/core.html
> > [2]: https://patchwork.kernel.org/project/linux-crypto/list/?series=653034&state=*
> >
> > Ignat Korchagin (2):
> >   crypto: add ECDSA signature generation support
> >   crypto: add ECDSA test vectors from RFC 6979
> >
> > lei he (2):
> >   crypto: pkcs8 parser support ECDSA private keys
> >   crypto: remove unused field in pkcs8_parse_context
> >
> >  crypto/Kconfig                        |   3 +-
> >  crypto/Makefile                       |   4 +-
> >  crypto/asymmetric_keys/pkcs8.asn1     |   2 +-
> >  crypto/asymmetric_keys/pkcs8_parser.c |  46 +++-
> >  crypto/ecc.c                          |   9 +-
> >  crypto/ecdsa.c                        | 373 +++++++++++++++++++++++++-
> >  crypto/ecprivkey.asn1                 |   6 +
> >  crypto/testmgr.c                      |  18 ++
> >  crypto/testmgr.h                      | 333 +++++++++++++++++++++++
> >  include/crypto/internal/ecc.h         |  11 +
> >  10 files changed, 788 insertions(+), 17 deletions(-)
> >  create mode 100644 crypto/ecprivkey.asn1
> >
> > --
> > 2.36.1
>
> I need acks for patches 3-4 from David.

Thanks! Should I resend patches 1-2 here and maybe 3-4 to the
linux-keyrings mailing list?

> Email: Herbert Xu
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Ignat