On Fri, Jun 3, 2022 at 5:44 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote: > > > > Your bpf_map_verify_value_sig hard codes the type of signature > > (bpf_map_verify_value_sig as verify_pkcs7_signature) > > its implementation. This is not extensible. > > It is hardcoded now, but it wouldn't if there are more verification > functions. For example, if 'id_type' of module_signature is set > to PKEY_ID_PGP, bpf_map_verify_value_sig() would call > verify_pgp_signature() (assuming that support for PGP keys and > signatures is added to the kernel). I agree with KP. All hard coded things are hurting extensibility. we just need a helper that calls verify_pkcs7_signature where prog will specify len, keyring, etc.
