Module signing and post-quantum crypto public key algorithms

Simo Sorce simo at redhat.com
Tue Nov 11 16:14:59 UTC 2025


On Sun, 2025-11-09 at 19:30 +0000, Elliott, Robert (Servers) wrote:
> The composite motivation is to provide some protection if someone
> discovers a basic flaw in the PQC algorithm. If quantum computers
> haven't arrived yet to break the traditional algorithm, the
> composite still proves validity.

Given you quoted me wrt composite signatures, I'd like to make clear I
do *not* necessarily favor it.

Unlike regular software or firmware, kernel modules are generally tied
to a specific version of the kernel, therefore there is no real need
for long term resistance (unless you plan to never upgrade a kernel).

If a defect in a signing algorithm is found you can simply distribute a
new kernel with modules resigned with a different algorithm.

The problems of using composite algorithms are many:
- You need composite keys (or at least two keys, depending on the
implementation).
- You will pay a higher price in terms of CPU/time for verification for
each signature. 
- You will pay a higher price in terms of disk/ram space to store
multiple signatures.

It is generally not worth paying this price when the remediation is
easy.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
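As an added illustration of the composite rule being debated above (this is example code, not part of Simo's message, of the kernel's module-signing code, or of any real composite scheme), the snippet below shows the "both components must verify" semantics and the costs listed in the message: two key pairs, two verifications per signature, and a signature whose size is the sum of both components. Ed25519 and ECDSA P-256 are assumed stand-ins for the traditional/PQC pair, since Go's standard library ships no PQC signer; the `module` bytes are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CompositeKey holds the two independent key pairs a composite scheme
// needs (the "composite keys / two keys" cost from the thread).
// Assumption: Ed25519 and ECDSA P-256 stand in for a classical + PQC pair.
type CompositeKey struct {
	edPriv ed25519.PrivateKey
	edPub  ed25519.PublicKey
	ecPriv *ecdsa.PrivateKey
}

// CompositeSig carries both component signatures; the module image must
// store the sum of their sizes (the "disk/ram" cost from the thread).
type CompositeSig struct {
	Ed []byte
	Ec []byte
}

// GenerateComposite creates both key pairs.
func GenerateComposite() (*CompositeKey, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CompositeKey{edPriv: edPriv, edPub: edPub, ecPriv: ecPriv}, nil
}

// Sign produces one signature per component over the same module bytes.
func (k *CompositeKey) Sign(module []byte) (*CompositeSig, error) {
	digest := sha256.Sum256(module)
	ecSig, err := ecdsa.SignASN1(rand.Reader, k.ecPriv, digest[:])
	if err != nil {
		return nil, err
	}
	return &CompositeSig{Ed: ed25519.Sign(k.edPriv, module), Ec: ecSig}, nil
}

// Verify implements the composite rule: the signature is valid only if
// BOTH components verify, so a break of one algorithm alone is not enough
// to forge a module signature. Two verifications run every time (the
// "CPU/time" cost from the thread).
func (k *CompositeKey) Verify(module []byte, sig *CompositeSig) bool {
	digest := sha256.Sum256(module)
	edOK := ed25519.Verify(k.edPub, module, sig.Ed)
	ecOK := ecdsa.VerifyASN1(&k.ecPriv.PublicKey, digest[:], sig.Ec)
	return edOK && ecOK
}

// Size is the number of bytes the composite signature occupies.
func (s *CompositeSig) Size() int { return len(s.Ed) + len(s.Ec) }

func main() {
	key, err := GenerateComposite()
	if err != nil {
		panic(err)
	}
	module := []byte("constructed sample module image") // constructed input
	sig, err := key.Sign(module)
	if err != nil {
		panic(err)
	}
	fmt.Printf("composite valid: %v, bytes: %d (ed25519 %d + ecdsa %d)\n",
		key.Verify(module, sig), sig.Size(), len(sig.Ed), len(sig.Ec))
}
```

Corrupting either component alone makes `Verify` return false, which is the whole point of the composite construction; the same code also makes visible why Simo considers it poor value for kernel modules, since each verification now costs both algorithms and each stored signature is larger than either one.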
