Re: IMA and PQC

Next message: Peter Zijlstra: "Re: [PATCH] MAINTAINERS: add Rust files to STATIC BRANCH/CALL and TRACING"
Previous message: Peter Zijlstra: "Re: [PATCH v5 15/36] srcu: Support Clang's context analysis"
In reply to: Mimi Zohar: "Re: IMA and PQC"
Next in thread: Mimi Zohar: "Re: IMA and PQC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells

Date: Mon Jan 26 2026 - 16:37:17 EST

Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:

> > Further, we need to think how we're going to do PQC support in IMA -
> > particularly as the signatures are so much bigger and verification slower.
>
> Perhaps, but these same reasons would apply to kernel modules, firmware, and
> the kernel image. Why would IMA be special?!

Scale. I wouldn't expect more than a couple of hundred or so kernel module
and firmware signatures - and, for the most part, that would be done once
during boot. On the other hand, I'm assuming that a lot more IMA signatures
might need checking and maybe more frequently.

David