Re: ECC keygen for PR #528 ("Attestation driver and proxy")

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Nicolai Stange <nstange@suse.de>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: Nicolai Stange <nstange@suse.de>,
	 coconut-svsm@lists.linux.dev,
	 Tyler Fanelli <tfanelli@redhat.com>
Subject: Re: ECC keygen for PR #528 ("Attestation driver and proxy")
Date: Wed, 30 Apr 2025 00:46:01 +0200	[thread overview]
Message-ID: <87msbylh7a.fsf@> (raw)
In-Reply-To: <CAGxU2F5aM_GXbcbOocrwpsGS4H+1i7O9xM4MhKrx8ycGOgah=w@mail.gmail.com> (Stefano Garzarella's message of "Thu, 17 Apr 2025 16:27:00 +0200")

Hi Stefano,

Stefano Garzarella <sgarzare@redhat.com> writes:

> On Wed, 16 Apr 2025 at 16:08, Nicolai Stange <nstange@suse.de> wrote:
>>
>> I managed to carve out and cleanup the first batch ([1]) from my work on
>> an encrypted FS by now. The FS cleanup itself is still WIP, but the
>> crypto parts should be in a usable state.
>>
>> As mentioned on last week's svsm-devel call, it might help with
>> addressing those stack size related issues with ECC keygen in the
>> context of PR #528 ([2]).
>>
>> I prepared some example code for generating an ECC key with NIST P-521,
>> to be found at [3].
>>
>> From some lax experiments in userspace, peak stack usage is at about 2.3kB.
>> (Which is still way above what I would have expected, given that no
>>  buffers are stored on the stack. I'm currently investigating that).
>>
>> I'm not sure whether merely generating the key is all you need -- FWIW
>> there's also support for ecdh, ecdsa and ecschnorr, in case you're
>> wondering. I'd be happy to come up with some example code for these as
>> well.
>>
>> Please let me know if you have any questions, either here or in today's
>> call.
>
> Cool, thanks for the example code, I guess this can unlock for now
> Tyler's PR and FS support, but as we discussed yesterday in the
> community call, the long term plan is to use OpenSSL/BoringSSL. I'll
> open an issue ASAP to track that work, and I'll start to investigate
> it.

I've implemented a BoringSSL FFI backend as a configurable alternative
to the cocoon-tpm-crypto now (example code is updated accodingly), and
did a POC integration into SVSM, c.f. [4]. Good news is it still boots :)

Thanks,

Nicolai

[4] https://github.com/nicstange/svsm/tree/cocoon-tpm-crypto-integration-poc

>>
>> [1] https://github.com/nicstange/cocoon-tpm
>> [2] https://github.com/coconut-svsm/svsm/pull/528
>> [3] https://github.com/nicstange/cocoon-tpm-crypto-ec-key-gen-demo
>>

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)

next prev parent reply	other threads:[~2025-04-29 22:46 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <25558.125041610080302253@us-mta-166.us.mimecast.lan>
2025-04-17 14:27 ` ECC keygen for PR #528 ("Attestation driver and proxy") Stefano Garzarella
2025-04-29 22:46   ` Nicolai Stange [this message]
     [not found]   ` <96587.125042918523400199@us-mta-360.us.mimecast.lan>
2025-04-30  4:47     ` Tyler Fanelli
2025-04-30  5:20       ` Nicolai Stange
     [not found]       ` <23479.125043001203100291@us-mta-656.us.mimecast.lan>
2025-04-30 10:30         ` Stefano Garzarella
2025-04-16 14:07 Nicolai Stange

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87msbylh7a.fsf@ \
    --to=nstange@suse.de \
    --cc=coconut-svsm@lists.linux.dev \
    --cc=sgarzare@redhat.com \
    --cc=tfanelli@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.