On Sun, Sep 15, 2024 at 09:11:04AM +0200, Linus Torvalds wrote: > > So honestly, just the series adding pgp key verification I have no > objection to. The use case where some firmware uses pgp to validate > allowed keys in EFI variables etc sounds like a "ok, then we need to > parse them". The use-case for EFI variables appears to be invalid: https://lore.kernel.org/all/CAMj1kXH8nWtAzX+9xc2tLyy5d0w==JNQCMJBAbL=LdcF+XrYkw@xxxxxxxxxxxxxx/ > The objections I had were against the whole "start doing policy in > kernel", with what sounded like actually parsing and unpacking rpm > contents and verifying them with a pgp key. *That* still sounds like a > disaster to me, and is the part that made me go "why isn't that done > in user space together with then generating the fsverifty > information"? If the aformentioned EFI use-case is bogus, then distro package verification is going to be the only application for PGP keys in the kernel. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
