Message-ID: <6965225097f82e5db30928abc5aa316fa25b8fa0.camel@HansenPartnership.com>
Date: Thu, 29 May 2025 15:36:14 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Lukas Wunner <lukas@...ner.de>, Blaise Boscaccy
<bboscaccy@...ux.microsoft.com>
Cc: Paul Moore <paul@...l-moore.com>, jarkko@...nel.org,
zeffron@...tgames.com, xiyou.wangcong@...il.com, kysrinivasan@...il.com,
code@...icks.com, linux-security-module@...r.kernel.org,
roberto.sassu@...wei.com, Alexei Starovoitov <ast@...nel.org>, Daniel
Borkmann <daniel@...earbox.net>, John Fastabend <john.fastabend@...il.com>,
Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
<martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu
<song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, KP Singh
<kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo
<haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, David Howells
<dhowells@...hat.com>, Ignat Korchagin <ignat@...udflare.com>, Quentin
Monnet <qmo@...nel.org>, Jason Xing <kerneljasonxing@...il.com>, Willem de
Bruijn <willemb@...gle.com>, Anton Protopopov <aspsk@...valent.com>, Jordan
Rome <linux@...danrome.com>, Martin Kelly <martin.kelly@...wdstrike.com>,
Alan Maguire <alan.maguire@...cle.com>, Matteo Croce <teknoraver@...a.com>,
bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org, linux-crypto@...r.kernel.org
Subject: Re: [PATCH 1/3] bpf: Add bpf_check_signature

On Thu, 2025-05-29 at 21:31 +0200, Lukas Wunner wrote:
> On Thu, May 29, 2025 at 08:32:43AM -0700, Blaise Boscaccy wrote:
> > Lukas Wunner <lukas@...ner.de> writes:
> > > Constraining oneself to sha256 doesn't seem future-proof.
> >
> > Definitely not a bad idea, curious, how would you envision that
> > looking from an UAPI perspective?
>
> If possible, extend the anonymous struct used by BPF_PROG_LOAD
> command with an additional parameter to select the hash algorithm.
>
> Alternatively, create a new command to set the hash algorithm for
> subsequent BPF_PROG_LOAD commands.

Both of those look like less than good ideas. There's not much point
having a hash that's different from the hash used in the signature
(which is currently sha256), so we could simply extract the hash from
the PKCS7 bundle and use that. We can also get bonus points this way
for not modifying any internal APIs ...

Regards,
James
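
The following is an added illustration, not part of the original thread and not kernel code: a userspace Python sketch of reading the digest algorithm out of a PKCS#7 SignedData bundle and hashing a payload with it, rather than passing the algorithm in separately. The function names and the sample bundle are assumptions made for this example.

```python
import hashlib

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")      # OID 1.2.840.113549.1.7.2
HASH_OIDS = {bytes.fromhex("608648016503040201"): "sha256",   # 2.16.840.1.101.3.4.2.x
             bytes.fromhex("608648016503040202"): "sha384",
             bytes.fromhex("608648016503040203"): "sha512"}
# Constructed sample: unsigned SignedData skeleton naming sha256 (not a real signature).
SAMPLE = bytes.fromhex("303206092a864886f70d010702a0253023020101310f300d"
                       "06096086480165030402010500300b06092a864886f70d0107013100")

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def children(value):
    off = 0
    while off < len(value):                      # walk sibling elements
        tag, val, off = read_tlv(value, off)
        yield tag, val

def signature_hashes(pkcs7_der):
    """Hash names from SignedData.digestAlgorithms; unknown OIDs are rejected."""
    tag, content_info, _ = read_tlv(pkcs7_der, 0)
    (t_oid, oid), (t_wrap, wrapped) = list(children(content_info))[:2]
    if (tag, t_oid, t_wrap) != (0x30, 0x06, 0xA0) or oid != SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData bundle")
    _, signed_data, _ = read_tlv(wrapped, 0)
    set_tag, digest_set = list(children(signed_data))[1]   # element 0 is the version
    if set_tag != 0x31:
        raise ValueError("digestAlgorithms SET missing")
    oids = [next(children(alg))[1] for _, alg in children(digest_set)]
    if any(o not in HASH_OIDS for o in oids):
        raise ValueError("unsupported digest algorithm in signature")
    return [HASH_OIDS[o] for o in oids]

def digest_for_bundle(pkcs7_der, payload):
    """Hash payload with the one algorithm the bundle names (assumes exactly one)."""
    (name,) = signature_hashes(pkcs7_der)
    return name, hashlib.new(name, payload).hexdigest()
```

The allow-list in `HASH_OIDS` is what keeps a bundle from selecting a weak or unexpected digest; anything outside it is refused before any hashing happens.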