Re: [RFC 6/8] KEYS: PGP data parser
From: Roberto Sassu <hidden>
Date: 2024-02-16 16:53:35
Also in:
lkml
On Fri, 2024-02-16 at 16:44 +0000, Matthew Wilcox wrote:
On Fri, Feb 16, 2024 at 04:24:33PM +0100, Petr Tesarik wrote:quoted
From: David Howells <dhowells@redhat.com> Implement a PGP data parser for the crypto key type to use when instantiating a key. This parser attempts to parse the instantiation data as a PGP packet sequence (RFC 4880) and if it parses okay, attempts to extract a public-key algorithm key or subkey from it.I don't understand why we want to do this in-kernel instead of in userspace and then pass in the actual key.
Sigh, this is a long discussion. PGP keys would be used as a system-wide trust anchor to verify RPM package headers, which already contain file digests that can be used as reference values for kernel-enforced integrity appraisal. With the assumptions that: - In a locked-down system the kernel has more privileges than root - The kernel cannot offload this task to an user space process due to insufficient isolation the only available option is to do it in the kernel (that is what I got as suggestion). Roberto