crypto/Kconfig | 3 +- crypto/Makefile | 4 +- crypto/asymmetric_keys/pkcs8.asn1 | 2 +- crypto/asymmetric_keys/pkcs8_parser.c | 46 +++- crypto/ecc.c | 9 +- crypto/ecdsa.c | 373 +++++++++++++++++++++++++- crypto/ecprivkey.asn1 | 6 + crypto/testmgr.c | 18 ++ crypto/testmgr.h | 333 +++++++++++++++++++++++ include/crypto/internal/ecc.h | 11 + 10 files changed, 788 insertions(+), 17 deletions(-) create mode 100644 crypto/ecprivkey.asn1
Kernel Key Retention Service[1] is a useful building block to build secure production key management systems. One of its interesting features is support for asymmetric keys: we can allow a process to use a certain key (decrypt or sign data) without actually allowing the process to read the cryptographic key material. By doing so we protect our code from certain type of attacks, where a process memory memory leak actually leaks a potentially highly sensitive cryptographic material. But unfortunately only RSA algorithm was supported until now, because in-kernel ECDSA implementation supported signature verifications only. This patchset implements in-kernel ECDSA signature generation and adds support for ECDSA signing in the key retention service. The key retention service support was taken out of a previous unmerged patchset from Lei He[2] [1]: https://www.kernel.org/doc/html/latest/security/keys/core.html [2]: https://patchwork.kernel.org/project/linux-crypto/list/?series=653034&state=* Ignat Korchagin (2): crypto: add ECDSA signature generation support crypto: add ECDSA test vectors from RFC 6979 lei he (2): crypto: pkcs8 parser support ECDSA private keys crypto: remove unused field in pkcs8_parse_context crypto/Kconfig | 3 +- crypto/Makefile | 4 +- crypto/asymmetric_keys/pkcs8.asn1 | 2 +- crypto/asymmetric_keys/pkcs8_parser.c | 46 +++- crypto/ecc.c | 9 +- crypto/ecdsa.c | 373 +++++++++++++++++++++++++- crypto/ecprivkey.asn1 | 6 + crypto/testmgr.c | 18 ++ crypto/testmgr.h | 333 +++++++++++++++++++++++ include/crypto/internal/ecc.h | 11 + 10 files changed, 788 insertions(+), 17 deletions(-) create mode 100644 crypto/ecprivkey.asn1 -- 2.36.1
On Thu, Sep 08, 2022 at 09:00:32PM +0100, Ignat Korchagin wrote: > Kernel Key Retention Service[1] is a useful building block to build secure > production key management systems. One of its interesting features is > support for asymmetric keys: we can allow a process to use a certain key > (decrypt or sign data) without actually allowing the process to read the > cryptographic key material. By doing so we protect our code from certain > type of attacks, where a process memory memory leak actually leaks a > potentially highly sensitive cryptographic material. > > But unfortunately only RSA algorithm was supported until now, because > in-kernel ECDSA implementation supported signature verifications only. > > This patchset implements in-kernel ECDSA signature generation and adds > support for ECDSA signing in the key retention service. The key retention > service support was taken out of a previous unmerged patchset from Lei He[2] > > [1]: https://www.kernel.org/doc/html/latest/security/keys/core.html > [2]: https://patchwork.kernel.org/project/linux-crypto/list/?series=653034&state=* > > Ignat Korchagin (2): > crypto: add ECDSA signature generation support > crypto: add ECDSA test vectors from RFC 6979 > > lei he (2): > crypto: pkcs8 parser support ECDSA private keys > crypto: remove unused field in pkcs8_parse_context > > crypto/Kconfig | 3 +- > crypto/Makefile | 4 +- > crypto/asymmetric_keys/pkcs8.asn1 | 2 +- > crypto/asymmetric_keys/pkcs8_parser.c | 46 +++- > crypto/ecc.c | 9 +- > crypto/ecdsa.c | 373 +++++++++++++++++++++++++- > crypto/ecprivkey.asn1 | 6 + > crypto/testmgr.c | 18 ++ > crypto/testmgr.h | 333 +++++++++++++++++++++++ > include/crypto/internal/ecc.h | 11 + > 10 files changed, 788 insertions(+), 17 deletions(-) > create mode 100644 crypto/ecprivkey.asn1 > > -- > 2.36.1 I need acks for patches 3-4 from David. Thanks! -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Sat, Sep 24, 2022 at 8:24 AM Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Thu, Sep 08, 2022 at 09:00:32PM +0100, Ignat Korchagin wrote: > > Kernel Key Retention Service[1] is a useful building block to build secure > > production key management systems. One of its interesting features is > > support for asymmetric keys: we can allow a process to use a certain key > > (decrypt or sign data) without actually allowing the process to read the > > cryptographic key material. By doing so we protect our code from certain > > type of attacks, where a process memory memory leak actually leaks a > > potentially highly sensitive cryptographic material. > > > > But unfortunately only RSA algorithm was supported until now, because > > in-kernel ECDSA implementation supported signature verifications only. > > > > This patchset implements in-kernel ECDSA signature generation and adds > > support for ECDSA signing in the key retention service. The key retention > > service support was taken out of a previous unmerged patchset from Lei He[2] > > > > [1]: https://www.kernel.org/doc/html/latest/security/keys/core.html > > [2]: https://patchwork.kernel.org/project/linux-crypto/list/?series=653034&state=* > > > > Ignat Korchagin (2): > > crypto: add ECDSA signature generation support > > crypto: add ECDSA test vectors from RFC 6979 > > > > lei he (2): > > crypto: pkcs8 parser support ECDSA private keys > > crypto: remove unused field in pkcs8_parse_context > > > > crypto/Kconfig | 3 +- > > crypto/Makefile | 4 +- > > crypto/asymmetric_keys/pkcs8.asn1 | 2 +- > > crypto/asymmetric_keys/pkcs8_parser.c | 46 +++- > > crypto/ecc.c | 9 +- > > crypto/ecdsa.c | 373 +++++++++++++++++++++++++- > > crypto/ecprivkey.asn1 | 6 + > > crypto/testmgr.c | 18 ++ > > crypto/testmgr.h | 333 +++++++++++++++++++++++ > > include/crypto/internal/ecc.h | 11 + > > 10 files changed, 788 insertions(+), 17 deletions(-) > > create mode 100644 crypto/ecprivkey.asn1 > > > > -- > > 2.36.1 > > I need acks for patches 3-4 from David. Thanks! Should I resend patches 1-2 here and maybe 3-4 to the linux-keyrings mailing list? > Email: Herbert Xu <herbert@gondor.apana.org.au> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt Ignat
On Tue, Sep 27, 2022 at 10:18:14PM +0100, Ignat Korchagin wrote: . > Should I resend patches 1-2 here and maybe 3-4 to the linux-keyrings > mailing list? I need acks to patches 3-4 because without a user we don't add new algorithms to the Crypto API. Thanks, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
© 2016 - 2026 Red Hat, Inc.