From: Eric Biggers <ebiggers@kernel.org>
To: Zhang Yiqun <zhangyiqun@phytium.com.cn>
Cc: dhowells@redhat.com, jarkko@kernel.org, corbet@lwn.net,
keyrings@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH] KEYS: Add ECDH support
Date: Sat, 30 Mar 2024 00:04:36 -0700 [thread overview]
Message-ID: <20240330070436.GA2116@sol.localdomain> (raw)
In-Reply-To: <20240330065506.3146-1-zhangyiqun@phytium.com.cn>
[+Cc linux-crypto]
On Sat, Mar 30, 2024 at 02:55:06PM +0800, Zhang Yiqun wrote:
> This patch is to introduce ECDH into keyctl syscall for
> userspace usage, containing public key generation and
> shared secret computation.
>
> It is mainly based on dh code, so it has the same condition
> to the input which only user keys is supported. The output
> result is storing into the buffer with the provided length.
>
> Signed-off-by: Zhang Yiqun <zhangyiqun@phytium.com.cn>
> ---
> Documentation/security/keys/core.rst | 62 ++++++
> include/linux/compat.h | 4 +
> include/uapi/linux/keyctl.h | 11 +
> security/keys/Kconfig | 12 +
> security/keys/Makefile | 2 +
> security/keys/compat_ecdh.c | 50 +++++
> security/keys/ecdh.c | 318 +++++++++++++++++++++++++++
> security/keys/internal.h | 44 ++++
> security/keys/keyctl.c | 10 +
> 9 files changed, 513 insertions(+)
> create mode 100644 security/keys/compat_ecdh.c
> create mode 100644 security/keys/ecdh.c
Nacked-by: Eric Biggers <ebiggers@google.com>
The existing KEYCTL_PKEY_*, KEYCTL_DH_COMPUTE, and AF_ALG are causing enough
problems. We do not need any more UAPIs like this. They are hard to maintain,
break often, not properly documented, increase the kernel's attack surface, and
what they do is better done in userspace.
Please refer to the recent thread
https://lore.kernel.org/linux-crypto/CZSHRUIJ4RKL.34T4EASV5DNJM@matfyz.cz/T/#u
where these issues were discussed in detail.
- Eric
next parent reply other threads:[~2024-03-30 7:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240330065506.3146-1-zhangyiqun@phytium.com.cn>
2024-03-30 7:04 ` Eric Biggers [this message]
2024-03-30 13:09 ` [PATCH] KEYS: Add ECDH support James Bottomley
2024-03-31 0:48 ` Eric Biggers
2024-03-31 2:38 ` Denis Kenzior
2024-03-31 2:38 ` Denis Kenzior
2024-03-31 13:01 ` James Bottomley
2024-03-31 15:44 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240330070436.GA2116@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zhangyiqun@phytium.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).