summaryrefslogtreecommitdiffstats
path: root/certs/Kconfig
diff options
context:
space:
mode:
authorStefan Berger <stefanb@linux.ibm.com>2021-06-29 17:34:21 -0400
committerJarkko Sakkinen <jarkko@kernel.org>2021-08-23 19:55:42 +0300
commita4aed36ed5924a05ecfadc470584188bfba2b928 (patch)
treefa716ef69d3f3ff29aeae2019b6c74164eac5557 /certs/Kconfig
parentea35e0d5df6c92fa2e124bb1b91d09b2240715ba (diff)
downloadlinux-a4aed36ed5924a05ecfadc470584188bfba2b928.tar.gz
linux-a4aed36ed5924a05ecfadc470584188bfba2b928.tar.bz2
linux-a4aed36ed5924a05ecfadc470584188bfba2b928.zip
certs: Add support for using elliptic curve keys for signing modules
Add support for using elliptic curve keys for signing modules. It uses a NIST P384 (secp384r1) key if the user chooses an elliptic curve key and will have ECDSA support built into the kernel. Note: A developer choosing an ECDSA key for signing modules should still delete the signing key (rm certs/signing_key.*) when building an older version of a kernel that only supports RSA keys. Unless kbuild automati- cally detects and generates a new kernel module key, ECDSA-signed kernel modules will fail signature verification. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r--certs/Kconfig26
1 files changed, 26 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index f4e61116f94e..ae7f2e876a31 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -15,6 +15,32 @@ config MODULE_SIG_KEY
then the kernel will automatically generate the private key and
certificate as described in Documentation/admin-guide/module-signing.rst
+choice
+ prompt "Type of module signing key to be generated"
+ default MODULE_SIG_KEY_TYPE_RSA
+ help
+ The type of module signing key type to generate. This option
+ does not apply if a #PKCS11 URI is used.
+
+config MODULE_SIG_KEY_TYPE_RSA
+ bool "RSA"
+ depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
+ help
+ Use an RSA key for module signing.
+
+config MODULE_SIG_KEY_TYPE_ECDSA
+ bool "ECDSA"
+ select CRYPTO_ECDSA
+ depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
+ help
+ Use an elliptic curve key (NIST P384) for module signing. Consider
+ using a strong hash like sha256 or sha384 for hashing modules.
+
+ Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
+ when falling back to building Linux 5.14 and older kernels.
+
+endchoice
+
config SYSTEM_TRUSTED_KEYRING
bool "Provide system-wide ring of trusted keys"
depends on KEYS