certs: Add support for using elliptic curve keys for signing modules

Add support for using elliptic curve keys for signing modules. It uses a NIST P384 (secp384r1) key if the user chooses an elliptic curve key and will have ECDSA support built into the kernel. Note: A developer choosing an ECDSA key for signing modules should still delete the signing key (rm certs/signing_key.*) when building an older version of a kernel that only supports RSA keys. Unless kbuild automati- cally detects and generates a new kernel module key, ECDSA-signed kernel modules will fail signature verification. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
author: Stefan Berger <stefanb@linux.ibm.com> 2021-06-29 17:34:21 -0400
committer: Jarkko Sakkinen <jarkko@kernel.org> 2021-08-23 19:55:42 +0300
commit: a4aed36ed5924a05ecfadc470584188bfba2b928 (patch)
tree: fa716ef69d3f3ff29aeae2019b6c74164eac5557 /certs/Makefile
parent: ea35e0d5df6c92fa2e124bb1b91d09b2240715ba (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/certs/Makefile b/certs/Makefile
index f9344e52ecda..279433783b10 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -66,9 +66,21 @@ ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
 
 ifeq ($(openssl_available),yes)
 X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
+endif
 
+# Support user changing key type
+ifdef CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
+keytype_openssl = -newkey ec -pkeyopt ec_paramgen_curve:secp384r1
+ifeq ($(openssl_available),yes)
+$(if $(findstring id-ecPublicKey,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
+endif
+endif # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA
+
+ifdef CONFIG_MODULE_SIG_KEY_TYPE_RSA
+ifeq ($(openssl_available),yes)
 $(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
 endif
+endif # CONFIG_MODULE_SIG_KEY_TYPE_RSA
 
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
@@ -83,6 +95,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 		-batch -x509 -config $(obj)/x509.genkey \
 		-outform PEM -out $(obj)/signing_key.pem \
 		-keyout $(obj)/signing_key.pem \
+		$(keytype_openssl) \
 		$($(quiet)redirect_openssl)
 	@$(kecho) "###"
 	@$(kecho) "### Key pair generated."
author	Stefan Berger <stefanb@linux.ibm.com>	2021-06-29 17:34:21 -0400
committer	Jarkko Sakkinen <jarkko@kernel.org>	2021-08-23 19:55:42 +0300
commit	a4aed36ed5924a05ecfadc470584188bfba2b928 (patch)
tree	fa716ef69d3f3ff29aeae2019b6c74164eac5557 /certs/Makefile
parent	ea35e0d5df6c92fa2e124bb1b91d09b2240715ba (diff)