Add nat20crypto module to linux examples#100
Add a kernel module that provides libnat20 functionality to linux kernel modules. Also add a configuration to build a minimal linux image with buildroot and run it on qemu, and a workflow to test build nat20lib.ko.
This module creates a new character device class intended to implement the nat20 service protocol implementing DICE based device state attestation and an embedded CA.
The nat20crypto module implements the libnat20 crypto interface in terms of linux kernel crypto primitives. The module implements
- deterministic ECDSA with curves P256 and P384.
- Bytewise SHA-2 224/256/384/512
- HMAC
- HKDF

ED25519 is currently not supported.
Pull request overview
This PR adds a new nat20crypto Linux kernel module example that implements the libnat20 crypto interface using Linux kernel primitives (notably SHA-2 and ECC), and wires it into the Buildroot-based Linux examples and CI so it is built and packaged alongside existing NAT20 components.
Changes:
- Introduce the `examples/linux/nat20crypto` kernel module (digest + deterministic ECDSA + key handling glue).
- Add a Buildroot package (`nat20crypto`) and enable it in the QEMU Buildroot defconfig.
- Extend developer tooling (`envsetup.sh`) and CI workflow to rebuild/build and verify `nat20crypto.ko`.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| examples/linux/nat20crypto/nat20crypto.c | Implements the nat20 crypto context (digest, kdf, ECDSA signing, pubkey export, key lifecycle) on Linux. |
| examples/linux/nat20crypto/Makefile | Adds standalone build/install targets for the nat20crypto kernel module. |
| examples/linux/nat20crypto/Kbuild | Defines module build flags/includes and extra symbols dependency on nat20lib. |
| examples/linux/nat20crypto/include/nat20crypto.h | Exposes module entry points (open/close/make_secret) for consumers. |
| examples/linux/br_external/utils/envsetup.sh | Adds NAT20CRYPTO_OVERRIDE_SRCDIR and brrebuild nat20crypto support. |
| examples/linux/br_external/package/nat20crypto/nat20crypto.mk | Adds Buildroot packaging/build instructions for the nat20crypto kernel module. |
| examples/linux/br_external/package/nat20crypto/Config.in | Adds Buildroot Kconfig option for enabling nat20crypto. |
| examples/linux/br_external/configs/qemu_br_defconfig | Enables BR2_PACKAGE_NAT20CRYPTO=y in the QEMU Buildroot config. |
| examples/linux/br_external/Config.in | Registers the nat20crypto package Kconfig entry in the external tree. |
| .github/workflows/linux-kmod-build.yml | Builds and verifies nat20crypto.ko in CI. |
…/linux_example_nat20device
…urm/linux_example_nat20crypto
…urm/linux_example_nat20crypto
| /* This variant is used for ECC keys. */ | ||
| struct { | ||
| size_t ndigits; | ||
| uint64_t digits[6]; |
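Review bot: `ndigits` is stored next to a fixed `uint64_t digits[6]`, so every place that sets or reads `ndigits` needs a check that it never exceeds 6. Give the array length a named constant (6 x 64 bits = 384 bits, which covers P384, the largest curve the description lists) and use that constant in the bound check.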
Where does the 6 come from? Is it 48 bytes for ECC-384?
| .size = context_size, | ||
| .buffer = context_buffer, | ||
| }, | ||
| 32, |
| }; | ||
| /* This variant is used for CDIs. */ | ||
| struct { | ||
| uint8_t bits[32]; |
Constant for the 32 bytes (256-bit key). Then the constant can be used for creating the buffers in the kdf function.
| rc = n20_error_crypto_no_resources_e; | ||
| goto out; | ||
| } | ||
| memcpy(new_cdi_key->bits, derived, 32); |
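Review bot: The length in `memcpy(new_cdi_key->bits, derived, 32);` is a bare literal that has to stay in step with the `bits[32]` declaration; `sizeof(new_cdi_key->bits)` would tie the copy to the destination buffer. `derived` holds the same CDI key material after the copy, so please confirm that the `out:` path wipes it with `memzero_explicit()`, which is not visible in this hunk.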
| case n20_crypto_key_type_secp256r1_e: | ||
| case n20_crypto_key_type_secp384r1_e: { | ||
| n20_slice_t x_octets = { | ||
| .size = 32, |
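Review bot: `.size = 32` in the `x_octets` initializer sits under both `case n20_crypto_key_type_secp256r1_e:` and `case n20_crypto_key_type_secp384r1_e:`, but a P-384 coordinate is 48 bytes. If the size is corrected for secp384r1 further down, initialize it from the key type here instead, so that the 32 can never be used for a P-384 key by mistake.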
| } | ||
|
|
||
| /* Mod Invert k */ | ||
| vli_mod_inv(k_inv, k, curve->n, ndigits); |
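Review bot: `k` and `k_inv` in `vli_mod_inv(k_inv, k, curve->n, ndigits);` are the per-signature nonce and its inverse, and either one is enough to recover the private key from a signature. Both buffers should be wiped with `memzero_explicit()` on every exit path of the signing function, including the error paths; a short comment at this line saying so would help future readers.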
I feel like it's crazy that Linux doesn't have a built-in ecc sign function and you have to do the math yourself.
It kind of makes sense. This kind of functionality should really be delegated to secure elements. Checking signatures is different because it doesn't involve confidential key material.
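The nonce step that precedes the `vli_mod_inv(k_inv, k, curve->n, ndigits)` call discussed above, as an added Python example that is not code from this PR: it derives a deterministic ECDSA nonce for P-256 and inverts it modulo the group order. It assumes the module's "deterministic ECDSA" follows RFC 6979 with HMAC-SHA-256; the function names are hypothetical, and the key and message are the public RFC 6979 appendix A.2.5 test vector.

```python
import hashlib
import hmac

# NIST P-256 group order n (public curve parameter).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Private key of the RFC 6979 appendix A.2.5 test vector (public test data).
RFC_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(priv: int, msg: bytes, n: int = P256_N) -> int:
    """Derive the ECDSA nonce k from key and message (RFC 6979, section 3.2)."""
    if not 1 <= priv < n:
        raise ValueError("private key out of range")
    qlen, rlen = n.bit_length(), (n.bit_length() + 7) // 8

    def bits2int(b: bytes) -> int:
        # Keep only the leftmost qlen bits of the octet string.
        return int.from_bytes(b, "big") >> max(0, len(b) * 8 - qlen)

    # int2octets(x) || bits2octets(H(m)), the input that seeds the HMAC-DRBG.
    seed = priv.to_bytes(rlen, "big") + (
        bits2int(hashlib.sha256(msg).digest()) % n).to_bytes(rlen, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):  # RFC 6979 steps d to g
        key = _mac(key, v + sep + seed)
        v = _mac(key, v)
    while True:  # RFC 6979 step h: draw candidates until 1 <= k < n
        t = b""
        while len(t) < rlen:
            v = _mac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < n:
            return k
        key = _mac(key, v + b"\x00")
        v = _mac(key, v)


def nonce_and_inverse(priv: int, msg: bytes, n: int = P256_N):
    """Return (k, k^-1 mod n), the two values the signing step works with."""
    k = rfc6979_nonce(priv, msg, n)
    return k, pow(k, -1, n)


if __name__ == "__main__":
    k, k_inv = nonce_and_inverse(RFC_X, b"sample")
    print(f"k     = {k:064X}\nk^-1  = {k_inv:064X}")
```

Because `k` depends only on the private key and the message hash, signing needs no random number generator, and the same message always yields the same signature.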
timhirsh
left a comment
There was a problem hiding this comment.
Approving .github/workflows/linux-kmod-build.yml.
The nat20crypto module implements the libnat20 crypto interface
in terms of linux kernel crypto primitives.
The module implements
ED25519 is currently not supported.