| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87883fa611e27f8aa018e46e344846d692700402.camel@linux.ibm.com>
Date: Mon, 26 Jan 2026 17:54:07 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: Simo Sorce <simo@...hat.com>, Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg
<eric.snowberg@...cle.com>,
Eric Biggers <ebiggers@...nel.org>, linux-integrity@...r.kernel.org,
linux-crypto@...r.kernel.org, keyrings@...r.kernel.org,
linux-modules@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: IMA and PQC
On Mon, 2026-01-26 at 21:36 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.ibm.com> wrote:
>
> > > Further, we need to think how we're going to do PQC support in IMA -
> > > particularly as the signatures are so much bigger and verification slower.
> >
> > Perhaps, but these same reasons would apply to kernel modules, firmware, and
> > the kernel image. Why would IMA be special?!
>
> Scale. I wouldn't expect more than a couple of hundred or so kernel module
> and firmware signatures - and, for the most part, that would be done once
> during boot. On the other hand, I'm assuming that a lot more IMA signatures
> might need checking and maybe more frequently.
Similarly, most file signatures would be verified on boot and the results cached
to limit the performance impact. The number of file signatures needing to be
verified is based on policy.
Mimi
Powered by blists - more mailing lists