Re: [RFC v3 21/27] crypto: ecdsa: Load early in boot

Next message: David Sterba: "[GIT PULL] Btrfs fixes for 7.0-rc3"
Previous message: Mark Brown: "linux-next: Tree for Mar 3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jonathan Cameron

Date: Tue Mar 03 2026 - 09:54:22 EST

On Wed, 11 Feb 2026 13:29:28 +1000
alistair23@xxxxxxxxx wrote:

> From: Alistair Francis <alistair.francis@xxxxxxx>
>
> Work is ongoing to support PCIe device attestation and authentication.
> As part of this probing a PCIe device will require signing via
> the SPDM protocol to the kernel.
>
> Linux should verify the device before enabling the device, which means we
> need the crypto functions to be ready before arch initilisation (where PCIe
> init happens). Move the crypto init to postcore to
> ensure it's loaded before PCIe devices.
>
> This allows us to verify the certificate chain provided by a PCIe device
> via SPDM before we enable it.
>
> Signed-off-by: Alistair Francis <alistair.francis@xxxxxxx>
Whilst others may disagree, I think it still makes sense to check
signatures against the provided public leaf cert even if we aren't
checking the cert chain in kernel. That will need this.

Reviewed-by: Jonathan Cameron <jonathan.cameron@xxxxxxxxxx>

> ---
> crypto/ecdsa.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> index ce8e4364842f..b225911c5266 100644
> --- a/crypto/ecdsa.c
> +++ b/crypto/ecdsa.c
> @@ -334,7 +334,7 @@ static void __exit ecdsa_exit(void)
> crypto_unregister_sig(&ecdsa_nist_p521);
> }
>
> -module_init(ecdsa_init);
> +postcore_initcall(ecdsa_init);
> module_exit(ecdsa_exit);
>
> MODULE_LICENSE("GPL");