From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752892AbbLJV4g (ORCPT ); Thu, 10 Dec 2015 16:56:36 -0500 Received: from e28smtp08.in.ibm.com ([125.16.236.8]:36246 "EHLO e28smtp08.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751072AbbLJV4e (ORCPT ); Thu, 10 Dec 2015 16:56:34 -0500 X-IBM-Helo: d28dlp02.in.ibm.com X-IBM-MailFrom: zohar@linux.vnet.ibm.com X-IBM-RcptTo: linux-crypto@vger.kernel.org;linux-kernel@vger.kernel.org;linux-security-module@vger.kernel.org Message-ID: <1449784577.5028.2.camel@linux.vnet.ibm.com> Subject: Re: [PATCH 0/2] crypto: KEYS: convert public key to akcipher api From: Mimi Zohar To: Tadeusz Struk Cc: herbert@gondor.apana.org.au, dhowells@redhat.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-crypto@vger.kernel.org Date: Thu, 10 Dec 2015 16:56:17 -0500 In-Reply-To: <1449776225.4183.1.camel@linux.vnet.ibm.com> References: <20151209235226.11783.57073.stgit@tstruk-mobl1> <1449771957.2694.2.camel@linux.vnet.ibm.com> <5669C6E4.8030002@intel.com> <1449776225.4183.1.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 15121021-0029-0000-0000-000009B07032 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2015-12-10 at 14:37 -0500, Mimi Zohar wrote: > On Thu, 2015-12-10 at 10:39 -0800, Tadeusz Struk wrote: > > Hi Mimi, > > On 12/10/2015 10:25 AM, Mimi Zohar wrote: > > >> This patch set converts the module verification and digital signature > > >> > code to the new akcipher API. > > >> > RSA implementation has been removed from crypto/asymmetric_keys and the > > >> > new API is used for cryptographic primitives. > > >> > There is no need for MPI above the akcipher API anymore. > > >> > Modules can be verified with software as well as HW RSA implementations. > > > With these two patches my system doesn't even boot. Digging deeper... > > > > > > > It needs RSA implementation built-in. > > Could you check if you have CONFIG_CRYPTO_RSA=y > > The diff between this config and the previous one: > < CONFIG_CRYPTO_AKCIPHER=y > < CONFIG_CRYPTO_RSA=y > --- > > # CONFIG_CRYPTO_RSA is not set FYI, dracut loaded the keys on the IMA keyring properly. When we try to pivot root, real root /sbin/init fails appraisal. The audit subsystem is showing "invalid-signature". There's no additional debugging information with the boot command line options rd.debug or systemd.log_level=debug. Mimi