Mimi Zohar <[email protected]> wrote: > > Further, we need to think how we're going to do PQC support in IMA - > > particularly as the signatures are so much bigger and verification slower. > > Perhaps, but these same reasons would apply to kernel modules, firmware, and > the kernel image. Why would IMA be special?!
Scale. I wouldn't expect more than a couple of hundred or so kernel module and firmware signatures - and, for the most part, that would be done once during boot. On the other hand, I'm assuming that a lot more IMA signatures might need checking and maybe more frequently. David
