On Fri, Jun 3, 2022 at 5:44 PM Roberto Sassu <roberto.sassu@huawei.com> wrote:
Your bpf_map_verify_value_sig hard codes the type of signature (bpf_map_verify_value_sig as verify_pkcs7_signature) in its implementation. This is not extensible.
It is hardcoded now, but it wouldn't be if there were more verification functions. For example, if 'id_type' of module_signature is set to PKEY_ID_PGP, bpf_map_verify_value_sig() would call verify_pgp_signature() (assuming that support for PGP keys and signatures is added to the kernel).
I agree with KP. All hard coded things are hurting extensibility. We just need a helper that calls verify_pkcs7_signature where prog will specify len, keyring, etc.