From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Jonathan McDowell <noodles@earth.li>
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, zohar@linux.ibm.com,
linux-integrity@vger.kernel.org,
Roberto Sassu <roberto.sassu@huawei.com>,
adrian@suse.de, ro@suse.de
Subject: Re: [PATCH v2 00/14] KEYS: Add support for PGP keys and signatures
Date: Tue, 10 Sep 2024 16:51:22 +0200 [thread overview]
Message-ID: <6c7e34b65d73e9fa2ba0fd39b357b9eb42ee0449.camel@huaweicloud.com> (raw)
In-Reply-To: <a9502b8097841c36ca13871b22149eadd3fde355.camel@huaweicloud.com>
On Tue, 2024-09-10 at 16:36 +0200, Roberto Sassu wrote:
> On Tue, 2024-08-20 at 15:12 +0100, Jonathan McDowell wrote:
> > On Mon, Aug 19, 2024 at 05:15:02PM +0200, Roberto Sassu wrote:
> > > On Mon, 2024-08-19 at 16:08 +0100, Jonathan McDowell wrote:
> > > > On Sun, Aug 18, 2024 at 06:57:42PM +0200, Roberto Sassu wrote:
> > > > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > > >
> > > > > Support for PGP keys and signatures was proposed by David long time ago,
> > > > > before the decision of using PKCS#7 for kernel modules signatures
> > > > > verification was made. After that, there has been not enough interest to
> > > > > support PGP too.
> > > >
> > > > You might want to update the RFC/bis references to RFC9580, which was
> > > > published last month and updates things.
> > >
> > > Yes, makes sense (but probably isn't too much hassle to support more
> > > things for our purposes?)
> >
> > I'm mostly suggesting that the comments/docs point to the latest
> > standard rather than the draft version, not changing to support the new
> > v6 keys.
> >
> > > > Also, I see support for v2 + v3 keys, and this doesn't seem like a good
> > > > idea. There are cryptographic issues with fingerprints etc there and I
> > > > can't think of a good reason you'd want the kernel to support them. The
> > > > same could probably be said of DSA key support too.
> > >
> > > Uhm, if I remember correctly I encountered some old PGP keys used to
> > > verify RPM packages (need to check). DSA keys are not supported, since
> > > the algorithm is not in the kernel.
> >
> > I would question the benefit gained from using obsolete key/signature
> > types for verification (I was involved in the process of Debian dropping
> > them back in *2010* which was later than it should have been). Dropping
> > the code for that path means a smaller attack surface/maintenance
> > overhead for something that isn't giving a benefit.
>
> Removed support for v3 PGP signatures... but that broke openSUSE
> Tumbleweed.
>
> [ 295.837602] PGPL: Signature packet with unhandled version 3
To add more context, this patch set adds the ability to the kernel to
verify the PGP signature of RPM packages against Linux distributions
PGP keys.
The purpose of this is to verify the authenticity of such RPM packages,
and to extract from them file digests, which are in turn used as
reference values for integrity check (appraisal) with IMA.
Roberto
next prev parent reply other threads:[~2024-09-10 14:51 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-18 16:57 [PATCH v2 00/14] KEYS: Add support for PGP keys and signatures Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 01/14] mpi: Introduce mpi_key_length() Roberto Sassu
2024-08-19 17:55 ` Jarkko Sakkinen
2024-08-18 16:57 ` [PATCH v2 02/14] rsa: add parser of raw format Roberto Sassu
2024-08-19 17:56 ` Jarkko Sakkinen
2024-08-18 16:57 ` [PATCH v2 03/14] PGPLIB: PGP definitions (RFC 4880) Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 04/14] PGPLIB: Basic packet parser Roberto Sassu
2024-08-19 14:34 ` Jeff Johnson
2024-08-19 15:06 ` Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 05/14] PGPLIB: Signature parser Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 06/14] KEYS: PGP data parser Roberto Sassu
2024-08-19 14:36 ` Jeff Johnson
2024-08-19 14:38 ` Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 07/14] KEYS: Provide PGP key description autogeneration Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 08/14] KEYS: PGP-based public key signature verification Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 09/14] KEYS: Retry asym key search with partial ID in restrict_link_by_signature() Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 10/14] KEYS: Calculate key digest and get signature of the key Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 11/14] verification: introduce verify_pgp_signature() Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 12/14] PGP: Provide a key type for testing PGP signatures Roberto Sassu
2024-08-19 14:37 ` Jeff Johnson
2024-08-18 16:57 ` [PATCH v2 13/14] KEYS: Provide a function to load keys from a PGP keyring blob Roberto Sassu
2024-08-18 16:57 ` [PATCH v2 14/14] KEYS: Introduce load_pgp_public_keyring() Roberto Sassu
2024-08-19 15:08 ` [PATCH v2 00/14] KEYS: Add support for PGP keys and signatures Jonathan McDowell
2024-08-19 15:15 ` Roberto Sassu
2024-08-20 14:12 ` Jonathan McDowell
2024-08-20 14:14 ` Roberto Sassu
2024-09-10 14:36 ` Roberto Sassu
2024-09-10 14:51 ` Roberto Sassu [this message]
2024-09-10 15:16 ` Jonathan McDowell
2024-09-11 9:55 ` Roberto Sassu
2024-08-19 16:30 ` Roberto Sassu
2024-08-19 17:53 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c7e34b65d73e9fa2ba0fd39b357b9eb42ee0449.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=adrian@suse.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=noodles@earth.li \
--cc=ro@suse.de \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).