* [Question] Non-usage of PKEY_ID_PGP and PKEY_ID_X509 in module signing
From: Yunseong Kim @ 2025-08-26 18:58 UTC (permalink / raw)
To: Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen <samitolvanen@google.com>, David Howells, David Woodhouse
Cc: linux-modules, keyrings, linux-kernel
I would like to inquire about the purpose of the PKEY_ID_PGP and
PKEY_ID_X509 identifiers defined in include/linux/module_signature.h.
The enum pkey_id_type is defined as follows:
    enum pkey_id_type {
            PKEY_ID_PGP,            /* OpenPGP generated key ID */
            PKEY_ID_X509,           /* X.509 arbitrary subjectKeyIdentifier */
            PKEY_ID_PKCS7,          /* Signature in PKCS#7 message */
    };
While examining the module signing and verification process, it appears
that the current implementation strictly assumes the use of PKCS#7, making
PKEY_ID_PGP and PKEY_ID_X509 seem unused in this context.
I observed the following:
1. In scripts/sign-file.c, the module_signature structure is explicitly
initialized assuming PKCS#7:
    /* Key identifier type [PKEY_ID_PKCS7] */
    struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
2. In kernel/module_signature.c, the verification function mod_check_sig()
strictly enforces this type and rejects others:
    int mod_check_sig(const struct module_signature *ms, size_t file_len,
                      const char *name)
    {
            if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
                    return -EBADMSG;

            if (ms->id_type != PKEY_ID_PKCS7) {
                    pr_err("%s: not signed with expected PKCS#7 message\n",
                           name);
                    return -ENOPKG;
            }
            // ...
    }
3. Furthermore, I noticed that certs/extract-cert.c only defines
PKEY_ID_PKCS7 locally, seemingly without utilizing the definitions from
the header for the other types:
    #define PKEY_ID_PKCS7 2
Given that the module signature infrastructure seems hardcoded to use
PKCS#7, could anyone clarify if PKEY_ID_PGP and PKEY_ID_X509 are used
elsewhere in the kernel? Are they perhaps placeholders for future
implementations or remnants of past ones?
If they are indeed unused and there are no plans to support them, would
a patch to clean up these unused enum values be welcome? Or is there
another reason for keeping them?
Thank you for your time and clarification.
Best regards,
Yunseong Kim
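The trailer layout and the checks discussed in the message above, as an added userspace example that is not part of this thread and not kernel code: it re-implements the 12-byte struct module_signature from include/linux/module_signature.h, the MODULE_SIG_STRING marker, and the mod_check_sig() logic quoted above (including the all-other-fields-zero rule that the quoted snippet elides), then splits a constructed image into signed payload and PKCS#7 blob the way the kernel does before calling verify_pkcs7_signature(). The module payload, the four-byte fake signature blob, the "demo.ko" name, the check_case() driver and the use of -ENODATA for "no marker present" are this example's own assumptions; no real signature is verified.

```c
/* Added example (not kernel code): userspace re-implementation of the module
 * signature trailer from include/linux/module_signature.h and of the checks
 * quoted from kernel/module_signature.c, run over a constructed module image.
 * Return values follow the kernel's -errno convention (Linux <errno.h>). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"

enum pkey_id_type {
	PKEY_ID_PGP,	/* OpenPGP generated key ID */
	PKEY_ID_X509,	/* X.509 arbitrary subjectKeyIdentifier */
	PKEY_ID_PKCS7,	/* Signature in PKCS#7 message */
};

struct module_signature {	/* 12-byte trailer written by scripts/sign-file */
	uint8_t  algo, hash, id_type, signer_len, key_id_len;	/* all 0 for PKCS#7 */
	uint8_t  __pad[3];
	uint32_t sig_len;	/* big-endian length of the signature blob */
};

static uint32_t be32_to_cpu(uint32_t v)
{
	const uint8_t *p = (const uint8_t *)&v;
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Same checks as the kernel's mod_check_sig(). file_len includes the trailer and
 * the caller has already ensured file_len > sizeof(*ms), so it cannot wrap. */
static int mod_check_sig(const struct module_signature *ms, size_t file_len,
			 const char *name)
{
	if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
		return -EBADMSG;
	if (ms->id_type != PKEY_ID_PKCS7) {
		fprintf(stderr, "%s: not signed with expected PKCS#7 message\n", name);
		return -ENOPKG;
	}
	/* PKCS#7 carries algorithm and signer info itself, so these must be 0. */
	if (ms->algo || ms->hash || ms->signer_len || ms->key_id_len ||
	    ms->__pad[0] || ms->__pad[1] || ms->__pad[2])
		return -EBADMSG;
	return 0;
}

/* Split an image into signed payload and PKCS#7 blob as mod_verify_sig() does
 * before calling verify_pkcs7_signature(). Returns 0 or -errno. */
static int mod_split_sig(const uint8_t *mod, size_t modlen, const char *name,
			 size_t *payload_len, const uint8_t **sig, size_t *sig_len)
{
	const size_t markerlen = sizeof(MODULE_SIG_STRING) - 1;
	struct module_signature ms;
	int ret;
	if (modlen <= markerlen ||
	    memcmp(mod + modlen - markerlen, MODULE_SIG_STRING, markerlen))
		return -ENODATA;	/* this example's code for "nothing appended" */
	modlen -= markerlen;
	if (modlen <= sizeof(ms))
		return -EBADMSG;
	memcpy(&ms, mod + modlen - sizeof(ms), sizeof(ms));
	if ((ret = mod_check_sig(&ms, modlen, name)) != 0)
		return ret;
	*sig_len = be32_to_cpu(ms.sig_len);
	*payload_len = modlen - sizeof(ms) - *sig_len;
	*sig = mod + *payload_len;
	return 0;
}

/* Build a constructed image (payload || fake blob || trailer || marker) with the
 * given trailer fields and check it. Returns the signed payload length on
 * success (25 for the constructed payload), -errno on rejection. */
static long check_case(uint8_t id_type, uint8_t algo, uint32_t claimed_len)
{
	static const char payload[] = "ELF payload (constructed)";
	static const uint8_t blob[] = { 0x30, 0x82, 0x01, 0x00 };	/* not real PKCS#7 */
	struct module_signature ms = { .algo = algo, .id_type = id_type };
	uint8_t img[128], *p = (uint8_t *)&ms.sig_len;
	size_t len = 0, payload_len, sig_len;
	const uint8_t *sig;
	for (int i = 0; i < 4; i++)	/* store claimed_len big-endian */
		p[i] = (uint8_t)(claimed_len >> (24 - 8 * i));
	memcpy(img, payload, sizeof(payload) - 1);	len += sizeof(payload) - 1;
	memcpy(img + len, blob, sizeof(blob));		len += sizeof(blob);
	memcpy(img + len, &ms, sizeof(ms));		len += sizeof(ms);
	memcpy(img + len, MODULE_SIG_STRING, sizeof(MODULE_SIG_STRING) - 1);
	len += sizeof(MODULE_SIG_STRING) - 1;

	int ret = mod_split_sig(img, len, "demo.ko", &payload_len, &sig, &sig_len);
	if (ret)
		return ret;
	/* The blob handed to the verifier must be exactly what was appended. */
	if (sig_len != sizeof(blob) || memcmp(sig, blob, sig_len))
		return -EINVAL;
	return (long)payload_len;
}

int main(void)
{
	printf("PKCS#7 %ld, PGP %ld, X.509 %ld, algo!=0 %ld, huge sig_len %ld\n",
	       check_case(PKEY_ID_PKCS7, 0, 4), check_case(PKEY_ID_PGP, 0, 4),
	       check_case(PKEY_ID_X509, 0, 4), check_case(PKEY_ID_PKCS7, 1, 4),
	       check_case(PKEY_ID_PKCS7, 0, 0xffffffffu));
	return 0;
}
```

Running it shows the behaviour the message describes: a trailer tagged PKEY_ID_PGP or PKEY_ID_X509 is rejected with -ENOPKG before any signature is looked at, a PKCS#7 trailer with a non-zero algo field or an out-of-range sig_len is rejected with -EBADMSG, and only an all-zero PKCS#7 trailer reaches the split that would feed verify_pkcs7_signature(). Note that mod_check_sig() only bounds-checks sig_len; a plausible but wrong length passes it and yields a mis-split blob, which the check_case() sanity test reports as -EINVAL.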
* Re: [Question] Non-usage of PKEY_ID_PGP and PKEY_ID_X509 in module signing
From: Sami Tolvanen @ 2025-09-05 15:09 UTC (permalink / raw)
To: Yunseong Kim
Cc: Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen <samitolvanen@google.com>, David Howells, David Woodhouse, linux-modules, keyrings, linux-kernel
Hi,
On Tue, Aug 26, 2025 at 11:58 AM Yunseong Kim <ysk@kzalloc.com> wrote:
>
> Given that the module signature infrastructure seems hardcoded to use
> PKCS#7, could anyone clarify if PKEY_ID_PGP and PKEY_ID_X509 are used
> elsewhere in the kernel? Are they perhaps placeholders for future
> implementations or remnants of past ones?
If you search LKML archives, you'll find some past efforts to add PGP
signing support at least. The patches never ended up being merged
though. See the discussion here, for example:
https://lore.kernel.org/lkml/20220111180318.591029-1-roberto.sassu@huawei.com/
> If they are indeed unused and there are no plans to support them, would
> a patch to clean up these unused enum values be welcome? Or is there
> another reason for keeping them?
Perhaps the folks involved back then can chime in, but I'm fine with
removing these. I'm not sure how likely it is, but if someone at some
point makes a compelling case for supporting other key and signature
types, I'm sure they can add back the constants too.
Sami