  1. RHEL
  2. RHEL-131254

Request PQC signing keys for RHEL releases


    • Epic
    • Resolution: Unresolved

      Description

      We will need ML-DSA key/cert pairs to be issued for signing GRUB, kernel, fwupd, UKI. Currently we have a CA and then four leaf certs associated with the CA, and we would need the same, only using ML-DSA rather than RSA. The CA cert will be built into the shim, creating the root of trust in the OS, and the other components will need to be signed, each by their own key.

      What SSTs and Layered Product teams should review this?

      Signing Server needs to create the key / cert pairs and update ACLs. They will also need to make the public certs accessible to boot loaders and redhat-release (for packaging).

              rhn-support-mlewando Marta Lewandowska
              oksenzov@redhat.com Olga Ksenzova