I would like to inquire about the purpose of the PKEY_ID_PGP and PKEY_ID_X509 identifiers defined in include/linux/module_signature.h.

The enum pkey_id_type is defined as follows:

    enum pkey_id_type {
            PKEY_ID_PGP,            /* OpenPGP generated key ID */
            PKEY_ID_X509,           /* X.509 arbitrary subjectKeyIdentifier */
            PKEY_ID_PKCS7,          /* Signature in PKCS#7 message */
    };

While examining the module signing and verification process, it appears that the current implementation strictly assumes the use of PKCS#7, making PKEY_ID_PGP and PKEY_ID_X509 seem unused in this context.

I observed the following:

1. In scripts/sign-file.c, the module_signature structure is explicitly initialized assuming PKCS#7:

    /* Key identifier type [PKEY_ID_PKCS7] */
    struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };

2. In kernel/module_signature.c, the verification function mod_check_sig() strictly enforces this type and rejects others:

    int mod_check_sig(const struct module_signature *ms, size_t file_len,
                      const char *name)
    {
            if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
                    return -EBADMSG;

            if (ms->id_type != PKEY_ID_PKCS7) {
                    pr_err("%s: not signed with expected PKCS#7 message\n",
                           name);
                    return -ENOPKG;
            }
            // ...
    }

3. Furthermore, I noticed that certs/extract-cert.c only defines PKEY_ID_PKCS7 locally, seemingly without utilizing the definitions from the header for the other types:

    #define PKEY_ID_PKCS7 2

Given that the module signature infrastructure seems hardcoded to use PKCS#7, could anyone clarify if PKEY_ID_PGP and PKEY_ID_X509 are used elsewhere in the kernel? Are they perhaps placeholders for future implementations or remnants of past ones?

If they are indeed unused and there are no plans to support them, would a patch to clean up these unused enum values be welcome? Or is there another reason for keeping them?

Thank you for your time and clarification.

Best regards,
Yunseong Kim
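
A userspace sketch of the two checks quoted in the message, applied to the trailer at the end of a module image; this is an added example, not code from the original message or from the kernel tree. The 12-byte trailer layout, the end-of-file marker string, the `SIG_*` return codes and the `check_sample()` helper with its constructed buffer are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pkey_id_type { PKEY_ID_PGP, PKEY_ID_X509, PKEY_ID_PKCS7 }; /* as quoted above */
enum { SIG_UNSIGNED = -1, SIG_EBADMSG = -2, SIG_ENOPKG = -3 };  /* local stand-ins for the kernel's errnos */
#define MODULE_SIG_STRING "~Module signature appended~\n"      /* assumed end-of-file marker */

/* Assumed trailer layout: 12 bytes, sig_len stored big-endian. */
struct module_signature {
	uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
	uint8_t sig_len[4];
};

/* Returns the signature blob length, or a negative SIG_* code. */
long check_module_trailer(const uint8_t *buf, size_t len)
{
	const size_t mlen = sizeof(MODULE_SIG_STRING) - 1;
	struct module_signature ms;
	uint32_t sig_len;

	if (len < mlen || memcmp(buf + len - mlen, MODULE_SIG_STRING, mlen))
		return SIG_UNSIGNED;
	len -= mlen;                      /* file_len as mod_check_sig() sees it */
	if (len <= sizeof(ms))
		return SIG_EBADMSG;
	memcpy(&ms, buf + len - sizeof(ms), sizeof(ms));
	sig_len = (uint32_t)ms.sig_len[0] << 24 | (uint32_t)ms.sig_len[1] << 16 |
		  (uint32_t)ms.sig_len[2] << 8 | ms.sig_len[3];
	if (sig_len >= len - sizeof(ms))  /* same bound as the quoted check */
		return SIG_EBADMSG;
	if (ms.id_type != PKEY_ID_PKCS7)  /* PGP and X509 ids stop here */
		return SIG_ENOPKG;
	return (long)sig_len;
}

/* Constructed sample: 16 payload bytes, 8 dummy signature bytes, trailer, marker. */
long check_sample(uint8_t id_type, uint32_t n)
{
	uint8_t buf[24 + sizeof(struct module_signature) + sizeof(MODULE_SIG_STRING) - 1] = {0};
	struct module_signature ms = { .id_type = id_type, .sig_len = {
		(uint8_t)(n >> 24), (uint8_t)(n >> 16), (uint8_t)(n >> 8), (uint8_t)n } };
	memcpy(buf + 24, &ms, sizeof(ms));
	memcpy(buf + 24 + sizeof(ms), MODULE_SIG_STRING, sizeof(MODULE_SIG_STRING) - 1);
	return check_module_trailer(buf, sizeof(buf));
}

int main(void) {
	printf("PKCS7=%ld X509=%ld\n", check_sample(PKEY_ID_PKCS7, 8), check_sample(PKEY_ID_X509, 8));
	return 0;
}
```

Because the length bound is tested before `id_type`, a trailer carrying PKEY_ID_PGP or PKEY_ID_X509 with an oversized `sig_len` is reported as a bad message rather than as an unsupported package.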