On Sat, Aug 28, 2021 at 01:03:10AM +0000, Aleksander Adamowski wrote:
> Hi Eric!
> > I'm not particularly familiar with the OpenSSL PKCS#11 engine, but this patch
> > looks reasonable at a high level (assuming that you really want to use the
> > kernel's built-in fs-verity signature verification support -- I've been trying
> > to encourage people to do userspace signature verification instead).
>
> We are currently going forward with in-kernel sig verification (and btrfs), but
> I'd love to hear more about the userspace support you mention.
>

Well, there isn't much to explain about it. Userspace could just store whatever
signature it wants to in a separate file or in an xattr, and verify it at the
same time it checks the fs-verity bit, which it must already be doing. Then
there's no need for PKCS#7 or RSA in the kernel, and any signature algorithms
could be used -- not just the ones the kernel supports. Also no need for PKCS#7;
something simpler could be used.

In retrospect I probably shouldn't have implemented the in-kernel signature
verification at all, as now everyone wants to use it even though it's a bad
design and was just meant as a proof of concept. They see it and think "I want
signatures, so I'll use it", without considering better ways to do signatures.

- Eric