From: David Howells <dhowells@redhat.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
Stephan Mueller <smueller@chronox.de>,
Simo Sorce <simo@redhat.com>,
torvalds@linux-foundation.org, Paul Moore <paul@paul-moore.com>
Cc: dhowells@redhat.com, Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
Clemens Lang <cllang@redhat.com>,
David Bohannon <dbohanno@redhat.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Module signing and post-quantum crypto public key algorithms
Date: Fri, 13 Jun 2025 15:54:30 +0100 [thread overview]
Message-ID: <501216.1749826470@warthog.procyon.org.uk> (raw)
Hi,
So we need to do something about the impending quantum-related obsolescence of
the RSA signatures that we use for module signing, kexec, BPF signing, IMA and
a bunch of other things.
From my point of view, the simplest way would be to implement key verification
in the kernel for one (or more) of the available post-quantum algorithms (of
which there are at least three), driving this with appropriate changes to the
X.509 certificate to indicate that's what we want to use.
The good news is that Stephan Mueller has an implemementation that includes
kernel bits that we can use, or, at least, adapt:
https://github.com/smuellerDD/leancrypto/
Note that we only need the signature verification bits. One question, though:
he's done it as a standalone "leancrypto" module, not integrated into crypto/,
but should it be integrated into crypto/ or is the standalone fine?
The not so good news, as I understand it, though, is that the X.509 bits are
not yet standardised.
However! Not everyone agrees with this. An alternative proposal would rather
get the signature verification code out of the kernel entirely. Simo Sorce's
proposal, for example, AIUI, is to compile all the hashes we need into the
kernel at build time, possibly with a hashed hash list to be loaded later to
reduce the amount of uncompressible code in the kernel. If signatures are
needed at all, then this should be offloaded to a userspace program (which
would also have to be hashed and marked unptraceable and I think unswappable)
to do the checking.
I don't think we can dispense with signature checking entirely, though: we
need it for third party module loading, quick single-module driver updates and
all the non-module checking stuff. If it were to be done in userspace, this
might entail an upcall for each signature we want to check - either that, or
the kernel has to run a server process that it can delegate checking to.
It's also been suggested that PQ algorithms are really slow. For kernel
modules that might not matter too much as we may well not load more than 200
or so during boot - but there are other users that may get used more
frequently (IMA, for example).
Now, there's also a possible hybrid approach, if I understand Roberto Sassu's
proposal correctly, whereby it caches bundles of hashes obtained from, say,
the hashes included in an RPM. These bundles of hashes can be checked by
signature generated by the package signing process. This would reduce the PQ
overhead to checking a bundle and would also make IMA's measuring easier as
the hashes can be added in the right order, rather than being dependent on the
order that the binaries are used.
David
next reply other threads:[~2025-06-13 14:54 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-13 14:54 David Howells [this message]
2025-06-13 15:21 ` Module signing and post-quantum crypto public key algorithms Ignat Korchagin
2025-06-13 15:42 ` David Howells
2025-06-13 17:33 ` Simo Sorce
2025-06-13 17:50 ` James Bottomley
2025-06-13 17:55 ` Stephan Mueller
2025-06-16 14:02 ` Simo Sorce
2025-06-16 15:14 ` James Bottomley
2025-06-16 17:27 ` Simo Sorce
2025-06-19 18:49 ` Stefan Berger
2025-11-07 10:03 ` David Howells
2025-11-07 10:23 ` Stephan Mueller
2025-11-07 19:19 ` Stefan Berger
2025-11-07 23:10 ` Elliott, Robert (Servers)
2025-11-08 7:46 ` David Howells
2025-11-09 19:30 ` Elliott, Robert (Servers)
2025-11-11 16:14 ` Simo Sorce
2025-11-11 18:38 ` David Howells
2025-06-13 15:43 ` Linus Torvalds
2025-06-13 16:13 ` James Bottomley
2025-06-13 16:32 ` Roberto Sassu
2025-06-13 16:34 ` Stephan Mueller
2025-06-13 17:04 ` Eric Biggers
2025-06-19 12:31 ` Lukas Wunner
2025-06-19 23:22 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=501216.1749826470@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=cllang@redhat.com \
--cc=dbohanno@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=simo@redhat.com \
--cc=smueller@chronox.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).