On 9/4/23 09:40, Roberto Sassu wrote:
From: Roberto Sassu
Before the security field of kernel objects could be shared among LSMs with
the LSM stacking feature, IMA and EVM had to rely on an alternative storage
of inode metadata. The association between inode metadata and inode is
maintained
On 4/20/21 10:03 AM, Jessica Yu wrote:
+++ Stefan Berger [08/04/21 11:24 -0400]:
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 967329e0a07b..2546ec6a0505 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys
On 4/8/21 1:15 PM, Mimi Zohar wrote:
On Thu, 2021-04-08 at 11:24 -0400, Stefan Berger wrote:
Address a kbuild issue where a developer created an ECDSA key for signing
kernel modules and then builds an older version of the kernel, when bisecting
the kernel for example, that does not support
://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc
Stefan
v2:
- Adjustment to ECDSA key detector string in 2/2
- Rephrased cover letter and patch descriptions with Mimi
Stefan Berger (2):
certs: Trigger creation of RSA module signing key if it's not an RSA
key
: cfc411e7fff3 ("Move certificate handling to its own directory")
Signed-off-by: Stefan Berger
---
certs/Makefile | 5 +
1 file changed, 5 insertions(+)
diff --git a/certs/Makefile b/certs/Makefile
index e3185c57fbd8..f64bc89ccbf1 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -5
/signing_key.*) when building an older
version of a kernel that only supports RSA keys. Unless kbuild automatically
detects and generates a new kernel module key, ECDSA-signed kernel
modules will fail signature verification.
Signed-off-by: Stefan Berger
---
v2:
- check for ECDSA key by id
On 4/7/21 12:10 PM, Mimi Zohar wrote:
On Wed, 2021-04-07 at 18:53 +0300, Jarkko Sakkinen wrote:
On Tue, Apr 06, 2021 at 02:53:38PM -0400, Stefan Berger wrote:
This series adds support for ECDSA-signed kernel modules.
The first patch in this series attempts to address the issue where
/signing_key.*) when falling back to
building an older version of a kernel that only supports RSA keys
since otherwise ECDSA-signed modules will not be usable when that
older kernel runs and the ECDSA key was still used for signing modules.
Signed-off-by: Stefan Berger
---
certs/Kconfig
if falling back to
kernels that have actually been patched with this kernel, such as the
stable trees.
Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
Signed-off-by: Stefan Berger
---
certs/Makefile | 5 +
1 file changed, 5 insertions(+)
diff --git a/certs/
here:
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/log/?h=ecc
Stefan
Stefan Berger (2):
certs: Trigger recreation of module signing key if it's not an RSA key
certs: Add support for using elliptic curve keys for signing modules
certs/Kconfig
On 3/30/21 9:16 AM, Nayna Jain wrote:
The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/system_certificates.S | 13
On 3/30/21 9:16 AM, Nayna Jain wrote:
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/Kconfig | 2
Herbert,
if you could queue patches 1-9 in a topic branch, that would be great!
Regards,
Stefan
On 3/16/21 5:07 PM, Stefan Berger wrote:
This series of patches adds support for x509 certificates signed by a CA
that uses NIST P384, P256 or P192 keys for signing. It also adds support
certs/signing_key.*) when falling
back to building an older version of a kernel that only supports RSA
keys since otherwise ECDSA-signed modules will not be usable when that
older kernel runs and the ECDSA key was still used for signing modules.
Signed-off-by: Stefan Berger
Reviewed-by: Mimi Zohar
- add OID_ansip384r1
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
v10->v11:
- renamed OID_id_secp384r1 to OID_id_ansip384r1 (spec name)
---
crypto/asymmetric_keys/x509_cert_parser.c | 3 +++
include/linux/oid_registry.h | 1 +
2 files changed, 4 insertions(+)
d
* crypto/testmgr.h
- add test vector params for P384(sha1, sha224, sha256, sha384
and sha512)
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
crypto/ecdsa.c | 33 +-
crypto/testmgr.c | 6 ++
crypto/testmgr.h | 157
type to be driven by the key's signature scheme rather
than by the hash type.
Cc: Dmitry Kasatkin
Cc: linux-integr...@vger.kernel.org
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
Reviewed-by: Vitaly Chikunov
Reviewed-by: Tianjia Zhang
Acked-by: Mimi Zohar
:
* crypto/ecc.c
- add vli_mmod_fast_384
- change some routines to pass ecc_curve forward until vli_mmod_fast
* crypto/ecc.h
- add ECC_CURVE_NIST_P384_DIGITS
- change ECC_MAX_DIGITS to P384 size
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/ecc.c | 266
ecc_get_curve to accept nist_p384
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
crypto/ecc.c| 2 ++
crypto/ecc_curve_defs.h | 32
include/crypto/ecdh.h | 1 +
3 files changed, 35 insertions(+)
diff --git
verification
is implemented.
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: linux-cry...@vger.kernel.org
Signed-off-by: Stefan Berger
---
v10->v11:
- Split off OID definitions for ECDSA with sha224/256/384/512
- Addressed Jarkko's comments
v8->v9:
- unregister nist_p192 curve if
Detect whether a key is an sm2 type of key by its OID in the parameters
array rather than assuming that everything under OID_id_ecPublicKey
is sm2, which is not the case.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
Reviewed-by: Tianjia Zhang
Tested-by: Tianjia
sting is now 1st patch
Saulo Alessandre (4):
crypto: Add NIST P384 curve parameters
crypto: Add math to support fast NIST P384
ecdsa: Register NIST P384 and extend test suite
x509: Add OID for NIST P384 and extend parser for it
Stefan Berger (6):
oid_registry: Add OIDs for ECDSA with
Add OIDs for ECDSA with SHA224/256/384/512.
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
include/linux/oid_registry.h | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 4462ed2c18cd
Add support for parsing of x509 certificates that contain ECDSA keys,
such as NIST P256, that have been signed by a CA using any of the
current SHA hash algorithms.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
---
v7->v8:
- do not detect key algo us
On 3/10/21 6:24 PM, Jarkko Sakkinen wrote:
On Thu, Mar 11, 2021 at 01:21:47AM +0200, Jarkko Sakkinen wrote:
On Wed, Mar 10, 2021 at 05:19:14PM -0500, Stefan Berger wrote:
When tpm_read_log_efi is called multiple times, which happens when
one loads and unloads a TPM2 driver multiple times
:35:12 hibinst kernel: worker_thread+0x53/0x3e0
Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/efi.c | 29 +
1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/drivers/char/tpm
pport for event log pointer found in TPM2 ACPI
table")
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/acpi.c | 33 +++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/ac
river for supporting multiple emulated TPMs")
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/char/tpm/eventlog/common.c
b/drivers/char/tpm/eventlog/common.c
index 7460f230bae4..8512ec76d526 100644
--- a/drivers/char/tp
sed patches 1 & 2
Stefan Berger (3):
tpm: efi: Use local variable for calculating final log size
tpm: acpi: Check eventlog signature before using it
tpm: vtpm_proxy: Avoid reading host log when using a virtual device
drivers/char/tpm/eventlog/acpi.c | 33 +-
On 3/10/21 10:35 AM, Jarkko Sakkinen wrote:
On Fri, Mar 05, 2021 at 03:59:47PM -0500, Stefan Berger wrote:
From: Stefan Berger
Add OIDs for ECDSA with sha224/256/384/512.
Nit: SHA224/256/384/512 (sorry cannot help myself with these, have been
doing this way too much, consider me as a bot
pport for event log pointer found in TPM2 ACPI
table")
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/acpi.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/ac
river for supporting multiple emulated TPMs")
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/char/tpm/eventlog/common.c
b/drivers/char/tpm/eventlog/common.c
index 7460f230bae4..8512ec76d526 100644
--- a/drivers/char/tp
/0x370
Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370
Signed-off-by: Stefan Berger
---
drivers/char/tpm/eventlog/efi.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/char/tpm/eventlog
This series of patches fixes a couple of issues related to TPM2
event logs, such as the disappearance of the TPM2 log on QEMU machines
running with UEFI (my fault) and a kernel fault due to an integer underflow
when reading the TPM 2 log multiple times.
Regards,
Stefan
Stefan Berger (3
On 3/5/21 3:59 PM, Stefan Berger wrote:
diff --git a/crypto/Kconfig b/crypto/Kconfig
index a367fcfeb5d4..a31df40591f5 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -247,6 +247,16 @@ config CRYPTO_ECDH
help
Generic implementation of the ECDH algorithm
@@ -70,6 +72,30
On 3/6/21 7:03 PM, Vitaly Chikunov wrote:
Stefan,
On Sat, Mar 06, 2021 at 06:29:18PM -0500, Stefan Berger wrote:
On 3/6/21 2:25 PM, Vitaly Chikunov wrote:
On Thu, Mar 04, 2021 at 07:51:57PM -0500, Stefan Berger wrote:
From: Saulo Alessandre
* crypto/ecc.c
- add vli_mmod_fast_384
On 3/6/21 2:25 PM, Vitaly Chikunov wrote:
Stefan,
On Thu, Mar 04, 2021 at 07:51:57PM -0500, Stefan Berger wrote:
From: Saulo Alessandre
* crypto/ecc.c
- add vli_mmod_fast_384
- change some routines to pass ecc_curve forward until vli_mmod_fast
* crypto/ecc.h
- add
On 3/5/21 2:46 PM, Vitaly Chikunov wrote:
Jarkko,
On Fri, Mar 05, 2021 at 07:05:39PM +0200, Jarkko Sakkinen wrote:
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2021 IBM Corporation
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are
From: Stefan Berger
Add OIDs for ECDSA with sha224/256/384/512.
Signed-off-by: Stefan Berger
---
include/linux/oid_registry.h | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 4462ed2c18cd..b504e2f36b25
From: Stefan Berger
Add support for using elliptic curve keys for signing modules. It uses
a NIST P384 (secp384r1) key if the user chooses an elliptic curve key
and will have ECDSA support built into the kernel.
Note: A developer choosing an ECDSA key for signing modules has to
manually delete
From: Stefan Berger
Add support for IMA signature verification for EC keys. Since SHA type
of hashes can be used by RSA and ECDSA signature schemes we need to
look at the key and derive from the key which signature scheme to use.
Since this can be applied to all types of keys, we change
From: Stefan Berger
Detect whether a key is an sm2 type of key by its OID in the parameters
array rather than assuming that everything under OID_id_ecPublicKey
is sm2, which is not the case.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
Reviewed-by: Tianjia Zhang
diff --git a/crypto/ecc.c b/crypto
* crypto/testmgr.h
- add test vector params for P384(sha1, sha224, sha256, sha384
and sha512)
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/ecdsa.c | 33 +-
crypto/testmgr.c | 6 ++
crypto/testmgr.h | 157 +++
3
From: Stefan Berger
Add support for parsing of x509 certificates that contain ECDSA keys,
such as NIST P256, that have been signed by a CA using any of the
current SHA hash algorithms.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
---
v7->v8:
- do not det
From: Stefan Berger
This series of patches adds support for x509 certificates signed by a CA
that uses NIST P384, P256 or P192 keys for signing. It also adds support for
certificates where the public key is one of these types of keys. The math
for ECDSA signature verification is also added
From: Stefan Berger
Add support for parsing the parameters of a NIST P256 or NIST P192 key.
Enable signature verification using these keys. The new module is
enabled with CONFIG_ECDSA:
Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
is a NIST cryptographic standard
On 3/5/21 12:10 PM, Jarkko Sakkinen wrote:
On Thu, Mar 04, 2021 at 07:51:58PM -0500, Stefan Berger wrote:
From: Saulo Alessandre
* crypto/ecdsa.c
- add ecdsa_nist_p384_init_tfm
- register and unregister P384 tfm
* crypto/testmgr.c
- add test vector for P384 on vector of tests
On 3/5/21 12:16 PM, Jarkko Sakkinen wrote:
On Thu, Mar 04, 2021 at 07:51:59PM -0500, Stefan Berger wrote:
From: Stefan Berger
Detect whether a key is an sm2 type of key by its OID in the parameters
array rather than assuming that everything under OID_id_ecPublicKey
is sm2, which
On 3/5/21 2:37 AM, Tianjia Zhang wrote:
Hi,
On 3/4/21 7:46 AM, Stefan Berger wrote:
Tianjia,
can you say whether SM2 support works for you before and after
applying this patch? I cannot verify it with an sm2 key I have
created using a sequence of commands like this:
> modpr
Herbert,
you can take patches 1-8. 9 will not apply without Nayna's series as
mentioned in the patch.
Regards,
Stefan
On 3/4/21 7:51 PM, Stefan Berger wrote:
From: Stefan Berger
This series of patches adds support for x509 certificates signed by a CA
that uses NIST P384, P256
-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/ecdsa.c | 33 +-
crypto/testmgr.c | 6 ++
crypto/testmgr.h | 157 +++
3 files changed, 195 insertions(+), 1 deletion(-)
diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index 04fbb3d2abc5
From: Saulo Alessandre
* crypto/asymmetric_keys/x509_cert_parser.c
- prepare x509 parser to load nist_secp384r1
* include/linux/oid_registry.h
- add OID_id_secp384r1
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/asymmetric_keys/x509_cert_parser.c | 3 +++
include
From: Saulo Alessandre
* crypto/ecc.c
- add vli_mmod_fast_384
- change some routines to pass ecc_curve forward until vli_mmod_fast
* crypto/ecc.h
- add ECC_CURVE_NIST_P384_DIGITS
- change ECC_MAX_DIGITS to P384 size
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto
From: Saulo Alessandre
* crypto/ecc_curve_defs.h
- add nist_p384 params
* include/crypto/ecdh.h
- add ECC_CURVE_NIST_P384
* crypto/ecc.c
- change ecc_get_curve to accept nist_p384
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/ecc.c| 2 ++
crypto
From: Stefan Berger
This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P384 (secp384r1) key if the user chooses an
elliptic curve key and will have ECDSA support built into the kernel.
Note: A developer choosing an ECDSA key for signing modules has
From: Stefan Berger
This patch adds support for parsing of x509 certificates that contain
ECDSA keys, such as NIST P256, that have been signed by a CA using any
of the current SHA hash algorithms.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
---
v7->v8:
-
On 3/4/21 12:28 AM, Herbert Xu wrote:
On Thu, Feb 25, 2021 at 11:07:59AM -0500, Stefan Berger wrote:
From: Saulo Alessandre
* crypto/ecc_curve_defs.h
- add nist_p384 params
* include/crypto/ecdh.h
- add ECC_CURVE_NIST_P384
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
=
Regards,
Stefan
On 2/25/21 11:07 AM, Stefan Berger wrote:
From: Stefan Berger
Detect whether a key is an sm2 type of key by its OID in the parameters
array rather than assuming that everything under OID_id_ecPublicKey
is sm2, which is not the case.
Cc: David Howells
Cc: keyri...@vger.kerne
On 2/26/21 10:35 PM, yumeng wrote:
On 2021/2/26 0:08, Stefan Berger wrote:
From: Stefan Berger
diff --git a/certs/Makefile b/certs/Makefile
index 3fe6b73786fa..c487d7021c54 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -69,6 +69,18 @@ else
SIGNER = -signkey $(obj)/signing_key.key
Alessandre
Tested-by: Stefan Berger
---
crypto/ecc.c | 268 +--
crypto/ecc.h | 3 +-
2 files changed, 196 insertions(+), 75 deletions(-)
diff --git a/crypto/ecc.c b/crypto/ecc.c
index 25e79fd70566..c125576cda6b 100644
--- a/crypto/ecc.c
+++ b/crypto
From: Saulo Alessandre
* crypto/ecc_curve_defs.h
- add nist_p384 params
* include/crypto/ecdh.h
- add ECC_CURVE_NIST_P384
Signed-off-by: Saulo Alessandre
Tested-by: Stefan Berger
---
crypto/ecc_curve_defs.h | 32
include/crypto/ecdh.h | 1 +
2 files
patches over the weekend with my endless test tool
creating keys in user space and loading them into the kernel. It worked
fine for NIST p256 & p384. Also signing kernel modules with NIST p384 is
working fine.
So, for the series:
Tested-by: Stefan Berger
Regards,
Stefan
On 2/19/21 11:52 AM, Mimi Zohar wrote:
On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
From: Stefan Berger
This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P256 (prime256v1) key if the user chooses an
elliptic curve key.
A developer choosing
On 2/19/21 1:57 PM, Saulo Alessandre wrote:
From: Saulo Alessandre
* crypto/asymmetric_keys/x509_cert_parser.c
- prepare x509 parser to load nist_secp384r1
* crypto/ecc_curve_defs.h
- add nist_p384 params
* include/crypto/ecdh.h
- add ECC_CURVE_NIST_P384
*
On 2/19/21 1:57 PM, Saulo Alessandre wrote:
From: Saulo Alessandre
* crypto/ecc.c
- change ecc_get_curve to accept nist_p384
- add vli_mmod_fast_384
- change some routines to pass ecc_curve forward until vli_mmod_fast
* crypto/ecc.h
- add ECC_CURVE_NIST_P384_DIGITS
- change
On 2/19/21 1:57 PM, Saulo Alessandre wrote:
From: Saulo Alessandre
* crypto/ecdsa.c
- add ecdsa_nist_p384_init_tfm
- register and unregister p384 tfm
* crypto/testmgr.c
- add test vector for p384 on vector of tests
* crypto/testmgr.h
- add test vector params for p384(sha1,
From: Stefan Berger
This patch adds support for using elliptic curve keys for signing
modules. It uses a NIST P256 (prime256v1) key if the user chooses an
elliptic curve key.
A developer choosing an ECDSA key for signing modules has to manually
delete the signing key (rm certs/signing_key
On 2/18/21 5:00 PM, Nayna Jain wrote:
Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin or secondary trusted keyring. Create and
include in the kernel image an ephemeral CA key at build time when
IMA_APPRAISE_MODSIG is enabled.
Reported-by:
On 2/18/21 5:00 PM, Nayna Jain wrote:
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
Reviewed-by: Stefan Berger
-signed module signing key using CSR.
Signed-off-by: Nayna Jain
Tested this also as part of a patch I am going to post.
Reviewed-by: Stefan Berger
---
Makefile | 3 ++-
certs/Makefile | 15 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b
single PEM file for autogenerated key")
Signed-off-by: Nayna Jain
The actual move of the certs files happened in cfc411e7fff3e15. That may
be the better commit to mention.
Otherwise:
Reviewed-by: Stefan Berger
---
Makefile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a
; and loads the CA kernel
key onto the builtin trusted keyring.
Signed-off-by: Nayna Jain
Reviewed-by: Stefan Berger
pose spaces via a device link /dev/tpmrm")
Fixes: 8979b02aaf1d ("tpm: Fix reference count to main device")
Co-developed-by: Jason Gunthorpe
Signed-off-by: Jason Gunthorpe
Signed-off-by: Lino Sanfilippo
Tested-by: Stefan Berger
you'll post another version, but anyway:
Tested-by: Stefan Berger
verification
is implemented.
Cc: Herbert Xu
Cc: "David S. Miller"
Cc: linux-cry...@vger.kernel.org
Signed-off-by: Stefan Berger
Acked-by: Jarkko Sakkinen
---
crypto/Kconfig | 10 +
crypto/Makefile | 6 +
crypto/ecc.c | 13 +-
cr
Detect whether a key is an sm2 type of key by its OID in the parameters
array rather than assuming that everything under OID_id_ecPublicKey
is sm2, which is not the case.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
Reviewed-by: Tianjia Zhang
---
crypto
This patch adds support for parsing of x509 certificates that contain
ECDSA keys, such as NIST P256, that have been signed by a CA using any
of the current SHA hash algorithms.
Cc: David Howells
Cc: keyri...@vger.kernel.org
Signed-off-by: Stefan Berger
---
v7->v8:
- do not detect key a
ey
v2->v3:
- patch 2 now includes linux/scatterlist.h
v1->v2:
- using faster vli_sub rather than newly added vli_mod_fast to 'reduce'
result
- rearranged switch statements to follow after RSA
- 3rd patch from 1st posting is now 1st patch
Stefan Berger (4):
crypto: Add support for
On 2/12/21 4:05 AM, Jarkko Sakkinen wrote:
On Tue, Feb 09, 2021 at 05:13:39PM -0500, Stefan Berger wrote:
When IMA is taking measurements during compilation for example and a
user presses ctrl-c to abort the compilation, lots of these types of
messages will appear in the kernel log
On 2/11/21 2:54 PM, Nayna Jain wrote:
The kernel currently only loads the kernel module signing key onto
the builtin trusted keyring. To support IMA, load the module signing
key selectively either onto builtin or ima keyring based on MODULE_SIG
or MODULE_APPRAISE_MODSIG config respectively; and
On 2/11/21 2:54 PM, Nayna Jain wrote:
Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin or secondary trusted keyring.
This patch creates and includes in the kernel image an ephemeral CA
key, at build time when IMA_APPRAISE_MODSIG is enabled.
On 2/11/21 2:54 PM, Nayna Jain wrote:
Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self-signed or signed by a CA.
This patch generates
On 2/11/21 2:54 PM, Nayna Jain wrote:
The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well removes the names of the files which
are no longer generated.
Signed-off-by: Nayna Jain
Fixes: 28a68f828266
On 2/11/21 12:30 PM, Stefan Berger wrote:
On 2/11/21 3:03 AM, kernel test robot wrote:
Hi Stefan,
Thank you for the patch! Yet something to improve:
crypto/asymmetric_keys/public_key.c:97: undefined reference to
`parse_OID'
So the issue is that only ASYMMETRIC_PUBLIC_KEY_SUBTYPE