On Mon, 2026-01-26 at 21:36 +0000, David Howells wrote: > Mimi Zohar <[email protected]> wrote: > > > > Further, we need to think how we're going to do PQC support in IMA - > > > particularly as the signatures are so much bigger and verification slower. > > > > Perhaps, but these same reasons would apply to kernel modules, firmware, and > > the kernel image. Why would IMA be special?! > > Scale. I wouldn't expect more than a couple of hundred or so kernel module > and firmware signatures - and, for the most part, that would be done once > during boot. On the other hand, I'm assuming that a lot more IMA signatures > might need checking and maybe more frequently.
Similarly, most file signatures would be verified on boot and the results cached to limit the performance impact. The number of file signatures needing to be verified is based on policy. Mimi
