[PATCH] certs: Add support for using elliptic curve keys for signing modules

Mimi Zohar zohar at linux.ibm.com
Fri Feb 19 16:52:30 UTC 2021


On Fri, 2021-02-19 at 10:41 -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.ibm.com>
> 
> This patch adds support for using elliptic curve keys for signing
> modules. It uses a NIST P256 (prime256v1) key if the user chooses an
> elliptic curve key.
> 
> A developer choosing an ECDSA key for signing modules has to manually
> delete the signing key (rm certs/signing_key.*) when falling back to
> an older version of a kernel that only supports RSA key since otherwise
> ECDSA-signed modules will not be usable when that older kernel runs.
> 
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>

Thanks, Stefan!

Tested with this patch applied on top of "[PATCH v8 0/4] Add support
for x509 certs with NIST p256 and p192" and "[PATCH v2 0/5] ima: kernel
build support for loading the kernel module" patch sets.

Tested-by: Mimi Zohar <zohar at linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>



More information about the Linux-security-module-archive mailing list