On Fri, 16 Dec 2022 at 20:55, Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > On Thu, Dec 08, 2022 at 09:37:29PM +0000, Luca Boccassi wrote: > > > > The second question is easy: because the kernel is the right place for > > our use case to do this verification and enforcement, exactly like dm- > > verity does. > > Well, dm-verity's in-kernel signature verification support is a fairly new > feature. Most users of dm-verity don't use it, and will not be using it. I'm not sure what you mean by "most users" - systemd has support for dm-verity signatures all over the place, libcryptsetup/veritysetup supports them, and even libmount has native first-class mount options for them. > > Userspace is largely untrusted, or much lower trust anyway. > > Yes, which means the kernel is highly trusted. Which is why parsing complex > binary formats, X.509 and PKCS#7, in C code in the kernel is not a great idea... Maybe, but it's there and it's used for multiple purposes and userspace relies on it. If you want to add a new alternative and optional formats I don't think it would be a problem, I certainly wouldn't mind. Kind regards, Luca Boccassi
