git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Marek Behún <kabel@kernel.org>
	Tue, 4 Feb 2025 13:14:15 +0000 (14:14 +0100)
committer	Arnd Bergmann <arnd@arndb.de>
	Thu, 20 Mar 2025 16:56:57 +0000 (17:56 +0100)
commit	ba8755ab541fc629948233125db870d4dbf00a75
tree	1d937f047d4ee1768e4f9db6c42d1de618be5940	tree
parent	4110ad034fb7438eb16e73e2f949bedfabfc9d66	commit \| diff

firmware: turris-mox-rwtm: Add support for ECDSA signatures with HW private key

Add support for digital message signing with the private key stored in
the rWTM secure coprocessor. Turris Mox devices have an ECDSA private
key generated and burned into rWTM eFuses when manufactured. This
private key is not readable from the rWTM, but rWTM firmware allows for
signing messages with it and retrieving the public key.

This is exposed to userspace via the keyctl API.

User can find the key by either looking at /proc/keys or listing the
keyring:

  $ cat /proc/keys
  0240b221 ... keyring   .turris-signing-keys: 1
  34ff9ac9 ... turris-si Turris MOX SN 0000000D30000005 rWTM ECDSA ke...

  $ keyctl rlist %:.turris-signing-keys
  889166537

To get the public key:

  $ keyctl read 889166537
  67 bytes of data in key:
  0201a05c 1a79242b 13f2fc02 b48ffdbb 6ee8d5ba 812d6784 5f04f302 c0894d3e
  b93474f9 46235777 5c926fb4 cce89b50 88cf5d10 c07fd9c5 fdcea257 3d8f1c33
  1bf826

To sign a message:

  $ dd if=/dev/urandom of=msg_to_sign bs=64 count=1
  $ keyctl pkey_sign 889166537 0 msg_to_sign >signature

Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

drivers/firmware/Kconfig		diff \| blob \| blame \| history
drivers/firmware/turris-mox-rwtm.c		diff \| blob \| blame \| history