Eric Biggers <[email protected]> wrote:

> On Mon, Feb 02, 2026 at 09:21:19AM +0000, David Howells wrote:
> > Eric Biggers <[email protected]> wrote:
> >
> > > With that being the case, why is there still effort being put into
> > > adding more features to module signing? I would think efforts should be
> > > focused on hash-based module authentication, i.e. this patchset.
> >
> > Because it's not just signing of modules
>
> Module signing is indeed about the signing of modules.

The signature verification stuff in the kernel isn't just used for modules.
kexec, for instance; wifi restriction database for another.

> > and it's not just modules built with the kernel.
>
> Could you give more details on this use case and why it needs
> signatures, as opposed to e.g. loading an additional Merkle tree root
> into the kernel to add to the set of allowed modules?

Because we don't want to, for example, include all the nvidia drivers in our
kernel SRPM.

David
