From: David Howells <dhowells@redhat.com>
To: "Elliott, Robert (Servers)" <elliott@hpe.com>
Cc: dhowells@redhat.com, Simo Sorce <simo@redhat.com>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Ignat Korchagin <ignat@cloudflare.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Stephan Mueller <smueller@chronox.de>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
Paul Moore <paul@paul-moore.com>,
"Lukas Wunner" <lukas@wunner.de>,
Clemens Lang <cllang@redhat.com>,
David Bohannon <dbohanno@redhat.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: Module signing and post-quantum crypto public key algorithms
Date: Sat, 08 Nov 2025 07:46:55 +0000
Message-ID: <534145.1762588015@warthog.procyon.org.uk>
In-Reply-To: <IA4PR84MB4011FE5ABA934DEF08F1A263ABC3A@IA4PR84MB4011.NAMPRD84.PROD.OUTLOOK.COM>

Elliott, Robert (Servers) <elliott@hpe.com> wrote:

> The traditional signature would use whatever algorithm is used today.
> Legacy verifiers would only check that.

Would there be any legacy verifiers? Kernel modules are generally tied to the
kernel version for which they were compiled. Granted there are things like
the wifi regulatory stuff that are also signed.

But note also, PKCS#7 supports multiple independent signatures in a single
object. The kernel will handle this already. At least one signature must be
verifiable and none must be blacklisted.

I assume that the main aim of using a composite algorithm is to share the
result of the content hash - but in this case only the authenticatedAttributes
are going to be hashed for the signature, and that's relatively small.

David
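
Added example, not part of the message above and not kernel code: a Python sketch of the point in its last paragraph, showing that when authenticatedAttributes are present each signature covers only the small DER-encoded attribute set (which carries the content digest), so the large content is hashed once. It assumes every signer uses SHA-256 and only the two mandatory attributes (contentType, messageDigest); the signer names and the 4 MiB stand-in module are constructed.

```python
import hashlib

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # pkcs-9 contentType
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"  # pkcs-9 messageDigest
OID_DATA = "1.2.840.113549.1.7.1"            # pkcs-7 data

def der(tag, body):
    """Minimal DER TLV encoder (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def oid(dotted):
    """DER-encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def attribute(type_oid, value):
    """Attribute ::= SEQUENCE { type OID, values SET OF value }"""
    return der(0x30, oid(type_oid) + der(0x31, value))

def signed_attrs(content_digest):
    """Attribute set as fed to the signature hash: SET OF tag 0x31, not [0]."""
    attrs = [attribute(OID_CONTENT_TYPE, oid(OID_DATA)),
             attribute(OID_MESSAGE_DIGEST, der(0x04, content_digest))]
    return der(0x31, b"".join(sorted(attrs)))  # DER sorts SET OF members

def signature_inputs(content, signers):
    """Hash the content once; every signer then hashes only the small blob.
    Assumption: all signers share SHA-256 and the same attribute set."""
    attrs = signed_attrs(hashlib.sha256(content).digest())
    return attrs, {name: hashlib.sha256(attrs).digest() for name in signers}

if __name__ == "__main__":
    module = b"\x7fELF" + bytes(4 * 1024 * 1024)  # constructed stand-in for a .ko
    attrs, inputs = signature_inputs(module, ["classical", "post-quantum"])
    print(len(module), "content bytes;", len(attrs), "bytes hashed per signature")
    print(attrs.hex())
```

A verifier has to check two things per signer: the signature over this attribute blob, and that the messageDigest attribute inside it equals the digest of the content it was handed.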