Re: [PATCH 00/14] KEYS: Add support for PGP keys and signatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11.01.2022 19:03, Roberto Sassu wrote:
Support for PGP keys and signatures was proposed by David long time ago,
before the decision of using PKCS#7 for kernel modules signatures
verification was made. After that, there has been not enough interest to
support PGP too.

Lately, when discussing a proposal of introducing fsverity signatures in
Fedora [1], developers expressed their preference on not having a separate
key for signing, which would complicate the management of the distribution.
They would be more in favor of using the same PGP key, currently used for
signing RPM headers, also for file-based signatures (not only fsverity, but
also IMA ones).

Aren't PGP keys simply RSA / ECC / EdDSA keys with additional metadata?
Can't they be unwrapped from their (complex) PGP format in userspace and
loaded raw into the kernel, in a similar way as they are sometimes used
for SSH authentication?

This will save us from having to add complex parsers (a well-known source
of bugs) into the kernel - I guess there aren't any plans to add an
in-kernel PGP Web of Trust implementation.

Thanks,
Maciej



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux