From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Bottomley Date: Mon, 12 Mar 2018 18:09:18 +0000 Subject: Re: [tpmdd-devel] in-kernel user of ecdsa Message-Id: <1520878158.4522.31.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="ibm852" Content-Transfer-Encoding: base64 List-Id: References: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> In-Reply-To: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> To: Tudor Ambarus , David Howells , dwmw2@infradead.org, keyrings@vger.kernel.org Cc: "bluez mailin list (linux-bluetooth@vger.kernel.org)" , linux-security-module@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, Linux Crypto Mailing List T24gTW9uLCAyMDE4LTAzLTEyIGF0IDE5OjA3ICswMjAwLCBUdWRvciBBbWJhcnVzIHdyb3RlOgo+ IEhpLAo+IAo+IFdvdWxkIHlvdSBjb25zaWRlciB1c2luZyBFQ0RTQSBpbiB0aGUga2VybmVsIG1v ZHVsZSBzaWduaW5nIGZhY2lsaXR5Pwo+IFdoZW4gY29tcGFyZWQgd2l0aCBSU0EsIEVDRFNBIGhh cyBzaG9ydGVyIGtleXMsIHRoZSBrZXkgZ2VuZXJhdGlvbgo+IHByb2Nlc3MgaXMgZmFzdGVyLCB0 aGUgc2lnbiBvcGVyYXRpb24gaXMgZmFzdGVyLCBidXQgdGhlIHZlcmlmeQo+IG9wZXJhdGlvbiBp cyBzbG93ZXIgdGhhbiB3aXRoIFJTQS4KCllvdSBtaXNzZWQgdGhlIGtleXJpbmdzIGxpc3QsIHdo aWNoIGlzIHdoZXJlIHRoZSBtb2R1bGUgc2lnbmluZyB1dGlsaXR5CmlzIGRpc2N1c3NlZC4KCkZp cnN0IHF1ZXN0aW9uIGlzLCBoYXZlIHlvdSBhY3R1YWxseSB0cmllZD8gwqBJdCBsb29rcyBsaWtl IHNpZ24tZmlsZQpkb2Vzbid0IGRvIGFueXRoaW5nIFJTQSBzcGVjaWZpYyBzbyBpZiB5b3UgZ2l2 ZSBpdCBhbiBFQyBYLjUwOQpjZXJ0aWZpY2F0ZSBpdCB3aWxsIHByb2R1Y2UgYW4gRUNEU0Egc2ln bmF0dXJlLgoKSSB0aGluayBvdXIga2VybmVsIGludGVybmFsIHg1MDkgcGFyc2VycyBkb24ndCBo YXZlIHRoZSBFQyBPSURzLCBzbwpzaWduYXR1cmUgdmVyaWZpY2F0aW9uIHdpbGwgZmFpbDsgYnV0 LCBlc3BlY2lhbGx5IHNpbmNlIHdlIGhhdmUgdGhlCnJlc3Qgb2YgdGhlIEVDIG1hY2hpbmVyeSBp biB0aGUgY3J5cHRvIHN1YnN5c3RlbSwgdGhhdCBsb29rcyB0byBiZQpzaW1wbHkgZml4YWJsZS4K CkphbWVzCgotLQpUbyB1bnN1YnNjcmliZSBmcm9tIHRoaXMgbGlzdDogc2VuZCB0aGUgbGluZSAi dW5zdWJzY3JpYmUga2V5cmluZ3MiIGluCnRoZSBib2R5IG9mIGEgbWVzc2FnZSB0byBtYWpvcmRv bW9Admdlci5rZXJuZWwub3JnCk1vcmUgbWFqb3Jkb21vIGluZm8gYXQgIGh0dHA6Ly92Z2VyLmtl cm5lbC5vcmcvbWFqb3Jkb21vLWluZm8uaHRtbA== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Subject: Re: [tpmdd-devel] in-kernel user of ecdsa From: James Bottomley To: Tudor Ambarus , David Howells , dwmw2@infradead.org, keyrings@vger.kernel.org Cc: "bluez mailin list (linux-bluetooth@vger.kernel.org)" , linux-security-module@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, Linux Crypto Mailing List , keyrings@vger.kernel.org Date: Mon, 12 Mar 2018 11:09:18 -0700 In-Reply-To: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> References: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Message-Id: <1520878158.4522.31.camel@linux.vnet.ibm.com> Sender: linux-crypto-owner@vger.kernel.org List-ID: On Mon, 2018-03-12 at 19:07 +0200, Tudor Ambarus wrote: > Hi, > > Would you consider using ECDSA in the kernel module signing facility? > When compared with RSA, ECDSA has shorter keys, the key generation > process is faster, the sign operation is faster, but the verify > operation is slower than with RSA. You missed the keyrings list, which is where the module signing utility is discussed. First question is, have you actually tried?  It looks like sign-file doesn't do anything RSA specific so if you give it an EC X.509 certificate it will produce an ECDSA signature. I think our kernel internal x509 parsers don't have the EC OIDs, so signature verification will fail; but, especially since we have the rest of the EC machinery in the crypto subsystem, that looks to be simply fixable. James From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Bottomley Subject: Re: in-kernel user of ecdsa Date: Mon, 12 Mar 2018 11:09:18 -0700 Message-ID: <1520878158.4522.31.camel@linux.vnet.ibm.com> References: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Cc: "bluez mailin list \(linux-bluetooth-u79uwXL29TY76Z2rM5mHXA@public.gmane.org\)" , linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Linux Crypto Mailing List To: Tudor Ambarus , David Howells , dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org, keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Return-path: In-Reply-To: <0f698592-8ade-14d4-7891-1c35501c6285-UWL1GkI3JZL3oGB3hsPCZA@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org List-Id: linux-crypto.vger.kernel.org T24gTW9uLCAyMDE4LTAzLTEyIGF0IDE5OjA3ICswMjAwLCBUdWRvciBBbWJhcnVzIHdyb3RlOgo+ IEhpLAo+IAo+IFdvdWxkIHlvdSBjb25zaWRlciB1c2luZyBFQ0RTQSBpbiB0aGUga2VybmVsIG1v ZHVsZSBzaWduaW5nIGZhY2lsaXR5Pwo+IFdoZW4gY29tcGFyZWQgd2l0aCBSU0EsIEVDRFNBIGhh cyBzaG9ydGVyIGtleXMsIHRoZSBrZXkgZ2VuZXJhdGlvbgo+IHByb2Nlc3MgaXMgZmFzdGVyLCB0 aGUgc2lnbiBvcGVyYXRpb24gaXMgZmFzdGVyLCBidXQgdGhlIHZlcmlmeQo+IG9wZXJhdGlvbiBp cyBzbG93ZXIgdGhhbiB3aXRoIFJTQS4KCllvdSBtaXNzZWQgdGhlIGtleXJpbmdzIGxpc3QsIHdo aWNoIGlzIHdoZXJlIHRoZSBtb2R1bGUgc2lnbmluZyB1dGlsaXR5CmlzIGRpc2N1c3NlZC4KCkZp cnN0IHF1ZXN0aW9uIGlzLCBoYXZlIHlvdSBhY3R1YWxseSB0cmllZD8gwqBJdCBsb29rcyBsaWtl IHNpZ24tZmlsZQpkb2Vzbid0IGRvIGFueXRoaW5nIFJTQSBzcGVjaWZpYyBzbyBpZiB5b3UgZ2l2 ZSBpdCBhbiBFQyBYLjUwOQpjZXJ0aWZpY2F0ZSBpdCB3aWxsIHByb2R1Y2UgYW4gRUNEU0Egc2ln bmF0dXJlLgoKSSB0aGluayBvdXIga2VybmVsIGludGVybmFsIHg1MDkgcGFyc2VycyBkb24ndCBo YXZlIHRoZSBFQyBPSURzLCBzbwpzaWduYXR1cmUgdmVyaWZpY2F0aW9uIHdpbGwgZmFpbDsgYnV0 LCBlc3BlY2lhbGx5IHNpbmNlIHdlIGhhdmUgdGhlCnJlc3Qgb2YgdGhlIEVDIG1hY2hpbmVyeSBp biB0aGUgY3J5cHRvIHN1YnN5c3RlbSwgdGhhdCBsb29rcyB0byBiZQpzaW1wbHkgZml4YWJsZS4K CkphbWVzCgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCkNoZWNrIG91dCB0aGUgdmlicmFudCB0ZWNo IGNvbW11bml0eSBvbiBvbmUgb2YgdGhlIHdvcmxkJ3MgbW9zdAplbmdhZ2luZyB0ZWNoIHNpdGVz LCBTbGFzaGRvdC5vcmchIGh0dHA6Ly9zZG0ubGluay9zbGFzaGRvdApfX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwp0cG1kZC1kZXZlbCBtYWlsaW5nIGxpc3QK dHBtZGQtZGV2ZWxAbGlzdHMuc291cmNlZm9yZ2UubmV0Cmh0dHBzOi8vbGlzdHMuc291cmNlZm9y Z2UubmV0L2xpc3RzL2xpc3RpbmZvL3RwbWRkLWRldmVsCg== From mboxrd@z Thu Jan 1 00:00:00 1970 From: jejb@linux.vnet.ibm.com (James Bottomley) Date: Mon, 12 Mar 2018 11:09:18 -0700 Subject: [tpmdd-devel] in-kernel user of ecdsa In-Reply-To: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> References: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> Message-ID: <1520878158.4522.31.camel@linux.vnet.ibm.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Mon, 2018-03-12 at 19:07 +0200, Tudor Ambarus wrote: > Hi, > > Would you consider using ECDSA in the kernel module signing facility? > When compared with RSA, ECDSA has shorter keys, the key generation > process is faster, the sign operation is faster, but the verify > operation is slower than with RSA. You missed the keyrings list, which is where the module signing utility is discussed. First question is, have you actually tried? ?It looks like sign-file doesn't do anything RSA specific so if you give it an EC X.509 certificate it will produce an ECDSA signature. I think our kernel internal x509 parsers don't have the EC OIDs, so signature verification will fail; but, especially since we have the rest of the EC machinery in the crypto subsystem, that looks to be simply fixable. James -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Bottomley Subject: Re: in-kernel user of ecdsa Date: Mon, 12 Mar 2018 11:09:18 -0700 Message-ID: <1520878158.4522.31.camel@linux.vnet.ibm.com> References: <0f698592-8ade-14d4-7891-1c35501c6285@microchip.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: In-Reply-To: <0f698592-8ade-14d4-7891-1c35501c6285-UWL1GkI3JZL3oGB3hsPCZA@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org To: Tudor Ambarus , David Howells , dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org Cc: "bluez mailin list (linux-bluetooth-u79uwXL29TY76Z2rM5mHXA@public.gmane.org)" , linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Linux Crypto Mailing List List-Id: tpmdd-devel@lists.sourceforge.net T24gTW9uLCAyMDE4LTAzLTEyIGF0IDE5OjA3ICswMjAwLCBUdWRvciBBbWJhcnVzIHdyb3RlOgo+ IEhpLAo+IAo+IFdvdWxkIHlvdSBjb25zaWRlciB1c2luZyBFQ0RTQSBpbiB0aGUga2VybmVsIG1v ZHVsZSBzaWduaW5nIGZhY2lsaXR5Pwo+IFdoZW4gY29tcGFyZWQgd2l0aCBSU0EsIEVDRFNBIGhh cyBzaG9ydGVyIGtleXMsIHRoZSBrZXkgZ2VuZXJhdGlvbgo+IHByb2Nlc3MgaXMgZmFzdGVyLCB0 aGUgc2lnbiBvcGVyYXRpb24gaXMgZmFzdGVyLCBidXQgdGhlIHZlcmlmeQo+IG9wZXJhdGlvbiBp cyBzbG93ZXIgdGhhbiB3aXRoIFJTQS4KCllvdSBtaXNzZWQgdGhlIGtleXJpbmdzIGxpc3QsIHdo aWNoIGlzIHdoZXJlIHRoZSBtb2R1bGUgc2lnbmluZyB1dGlsaXR5CmlzIGRpc2N1c3NlZC4KCkZp cnN0IHF1ZXN0aW9uIGlzLCBoYXZlIHlvdSBhY3R1YWxseSB0cmllZD8gwqBJdCBsb29rcyBsaWtl IHNpZ24tZmlsZQpkb2Vzbid0IGRvIGFueXRoaW5nIFJTQSBzcGVjaWZpYyBzbyBpZiB5b3UgZ2l2 ZSBpdCBhbiBFQyBYLjUwOQpjZXJ0aWZpY2F0ZSBpdCB3aWxsIHByb2R1Y2UgYW4gRUNEU0Egc2ln bmF0dXJlLgoKSSB0aGluayBvdXIga2VybmVsIGludGVybmFsIHg1MDkgcGFyc2VycyBkb24ndCBo YXZlIHRoZSBFQyBPSURzLCBzbwpzaWduYXR1cmUgdmVyaWZpY2F0aW9uIHdpbGwgZmFpbDsgYnV0 LCBlc3BlY2lhbGx5IHNpbmNlIHdlIGhhdmUgdGhlCnJlc3Qgb2YgdGhlIEVDIG1hY2hpbmVyeSBp biB0aGUgY3J5cHRvIHN1YnN5c3RlbSwgdGhhdCBsb29rcyB0byBiZQpzaW1wbHkgZml4YWJsZS4K CkphbWVzCgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCkNoZWNrIG91dCB0aGUgdmlicmFudCB0ZWNo IGNvbW11bml0eSBvbiBvbmUgb2YgdGhlIHdvcmxkJ3MgbW9zdAplbmdhZ2luZyB0ZWNoIHNpdGVz LCBTbGFzaGRvdC5vcmchIGh0dHA6Ly9zZG0ubGluay9zbGFzaGRvdApfX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwp0cG1kZC1kZXZlbCBtYWlsaW5nIGxpc3QK dHBtZGQtZGV2ZWxAbGlzdHMuc291cmNlZm9yZ2UubmV0Cmh0dHBzOi8vbGlzdHMuc291cmNlZm9y Z2UubmV0L2xpc3RzL2xpc3RpbmZvL3RwbWRkLWRldmVsCg==