Re: [RFC 6/8] KEYS: PGP data parser

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2024-02-16 at 09:08 -0800, H. Peter Anvin wrote:
> On February 16, 2024 8:53:01 AM PST, Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote:
> > On Fri, 2024-02-16 at 16:44 +0000, Matthew Wilcox wrote:
> > > On Fri, Feb 16, 2024 at 04:24:33PM +0100, Petr Tesarik wrote:
> > > > From: David Howells <dhowells@xxxxxxxxxx>
> > > > 
> > > > Implement a PGP data parser for the crypto key type to use when
> > > > instantiating a key.
> > > > 
> > > > This parser attempts to parse the instantiation data as a PGP packet
> > > > sequence (RFC 4880) and if it parses okay, attempts to extract a public-key
> > > > algorithm key or subkey from it.
> > > 
> > > I don't understand why we want to do this in-kernel instead of in
> > > userspace and then pass in the actual key.
> > 
> > Sigh, this is a long discussion.
> > 
> > PGP keys would be used as a system-wide trust anchor to verify RPM
> > package headers, which already contain file digests that can be used as
> > reference values for kernel-enforced integrity appraisal.
> > 
> > With the assumptions that:
> > 
> > - In a locked-down system the kernel has more privileges than root
> > - The kernel cannot offload this task to an user space process due to
> >  insufficient isolation
> > 
> > the only available option is to do it in the kernel (that is what I got
> > as suggestion).
> > 
> > Roberto
> > 
> > 
> 
> Ok, at least one of those assumptions is false, and *definitely* this approach seems to be a solution in search of a problem.

I'm looking for a solution to this for a long time. Could you please
explain?

Thanks

Roberto






[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux