From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AE80D261588 for ; Sat, 8 Nov 2025 07:47:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762588033; cv=none; b=OD6EECWol0jSUeqaVhbG43L9Pvfv/H646ItS7RO96hvOH4wfERrqRQU0quTo22/HGPDLvGKkGwO5dpk4cTT1O8APDuvALA1Rb+bzs7EZU9cH3M1vTuzhF9DSOq0LsfDYmG/Wpw4iWj2M7eId78qlHre0LcM6lvc4Dof0TYegsvc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762588033; c=relaxed/simple; bh=vjl5287hLRl4njUWMlv0qb8EzZ29/CVnyQo9ZCMLklI=; h=From:In-Reply-To:References:To:Cc:Subject:MIME-Version: Content-Type:Date:Message-ID; b=sXxeBQITUc879e0M98VVU1af0tdIZETBtbo/ckAwDWAPp+MLuAUEck6L/T91mSNOO83AgHH0tOsiM5Vl/W6kkcFmVbhw4gA15/WG3zEUh0rp6ejke90IUsmol83+48GORzcPwSfLiCKd7gyqg8eD8rs33IulYTUaJatXGjMGrg0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=ON8Cu2fL; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="ON8Cu2fL" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1762588029; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=LuKEqEw6DZ48I+qyPJwUdxthKmamUkZDEAoTdVuzEGw=; b=ON8Cu2fL2oDMuB21Sa+NoTiQn3/zunTdtkw0CCtTmK9C0MhB1BoM2B7kzSVSuYavSMcGM1 IirRgMcAmTzKzLgTsxENiB3wtnh7t87CFjL/B+6APi7RPgdyo3imoyk0iND0Nv5PlNdri9 PT/VOhdhkbxTbjyyQxI+HQFk3RJyNvs= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-672-c5kGRIReN4S2LGPD9BPeHQ-1; Sat, 08 Nov 2025 02:47:06 -0500 X-MC-Unique: c5kGRIReN4S2LGPD9BPeHQ-1 X-Mimecast-MFC-AGG-ID: c5kGRIReN4S2LGPD9BPeHQ_1762588024 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 486751800650; Sat, 8 Nov 2025 07:47:03 +0000 (UTC) Received: from warthog.procyon.org.uk (unknown [10.42.28.6]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 99900180087C; Sat, 8 Nov 2025 07:46:56 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <501216.1749826470@warthog.procyon.org.uk> <3081793dc1d846dccef07984520fc544f709ca84.camel@HansenPartnership.com> <7ad6d5f61d6cd602241966476252599800c6a304.camel@redhat.com> <69775877d04b8ee9f072adfd2c595187997e59fb.camel@HansenPartnership.com> <3d650cc9ff07462e5c55cc3d9c0da72a3f2c5df2.camel@redhat.com> To: "Elliott, Robert (Servers)" Cc: dhowells@redhat.com, Simo Sorce , James Bottomley , Ignat Korchagin , Herbert Xu , Stephan Mueller , "torvalds@linux-foundation.org" , Paul Moore , "Lukas Wunner" , Clemens Lang , David Bohannon , Roberto Sassu , "keyrings@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: Module signing and post-quantum crypto public key algorithms Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <534144.1762588015.1@warthog.procyon.org.uk> Date: Sat, 08 Nov 2025 07:46:55 +0000 Message-ID: <534145.1762588015@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Elliott, Robert (Servers) wrote: > The traditional signature would use whatever algorithm is used today. > Legacy verifiers would only check that. Would there be any legacy verifiers? Kernel modules are generally tied to the kernel version for which they were compiled. Granted there are things like the wifi regulatory stuff that are also signed. But note also, PKCS#7 supports multiple independent signatures in a single object. The kernel will handle this already. At least one signature must be verifiable and none must be blacklisted. I assume that the main aim of using a composite algorithm is to share the result of the content hash - but in this case only the authenticatedAttributes are going to be hashed for the signature, and that's relatively small. David