Re: Module signing and post-quantum crypto public key algorithms

From: David Howells

Date: Tue Nov 11 2025 - 13:38:45 EST


Simo Sorce <simo@xxxxxxxxxx> wrote:

> If a defect in a signing algorithm is found you can simply distribute a
> new kernel with modules re-signed with a different algorithm.

Probably more "have to" than "can". The cert providing the composite key for
both would have to be invalidated to stop it from being used - and invalidated
by having it added to the UEFI dbx table.

David