From: jejb@linux.vnet.ibm.com (James Bottomley)
To: linux-security-module@vger.kernel.org
Subject: [tpmdd-devel] in-kernel user of ecdsa
Date: Mon, 12 Mar 2018 14:55:35 -0700 [thread overview]
Message-ID: <1520891735.4522.45.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <31045526.HZb3ddfbbg@tauon.chronox.de>
On Mon, 2018-03-12 at 20:56 +0100, Stephan Mueller wrote:
> Am Montag, 12. M?rz 2018, 19:09:18 CET schrieb James Bottomley:
>
> Hi James,
>
> >
> > On Mon, 2018-03-12 at 19:07 +0200, Tudor Ambarus wrote:
> > >
> > > Hi,
> > >
> > > Would you consider using ECDSA in the kernel module signing
> > > facility? When compared with RSA, ECDSA has shorter keys, the key
> > > generation process is faster, the sign operation is faster, but
> > > the verify operation is slower than with RSA.
> >
> > You missed the keyrings list, which is where the module signing
> > utility is discussed.
> >
> > First question is, have you actually tried???It looks like sign-
> > file doesn't do anything RSA specific so if you give it an EC X.509
> > certificate it will produce an ECDSA signature.
> >
> > I think our kernel internal x509 parsers don't have the EC OIDs, so
> > signature verification will fail; but, especially since we have the
> > rest of the EC machinery in the crypto subsystem, that looks to be
> > simply fixable.
>
> ECDSA is not implemented currently in the kernel crypto API.
an ECDSA signature is produced as a ECDH operation using the DSA
algorithm instead of KDFe, so it's trivial with what we have; signature
verification involves a separate point addition but we have all the
primitives for this in crypto/ecc.c so adding it isn't really
difficult, is it?
James
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-03-12 21:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-12 17:07 in-kernel user of ecdsa Tudor Ambarus
2018-03-12 18:09 ` [tpmdd-devel] " James Bottomley
2018-03-12 19:56 ` Stephan Mueller
2018-03-12 21:55 ` James Bottomley [this message]
2018-03-12 21:57 ` Stephan Mueller
2018-03-26 14:59 ` Tudor Ambarus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520891735.4522.45.camel@linux.vnet.ibm.com \
--to=jejb@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox