ML-DSA-87 signatures for the shim

[Peter Jones]

On Wed, Mar 19, 2025 at 07:18:35PM +0000, Jeff Hewett (jhewett) wrote:
> Now that NIST has settled on postquantum algorithms, is anyone aware
> of any planning around ML-DSA-87 signatures for the boot shim?

There's been some discussion but we're still quite far off, I think.
Among the issues:

- there's no way to tell when we should honor /only/ PQC signatures
  (i.e. "is this machine in a PQC only mode/environment/etc")
- shim needs to use openssl 3.5 (which hasn't been released yet)
  for algorithm support in order to verify signatures
  - switching isn't particularly trivial, either
- There hasn't been broad adoption of multiple signature support in UEFI
  firmwares, and we need that to migrate
- Authenticode doesn't officially support ML-DSA-87 yet and there are
  some open questions on how to do it:
  - see https://github.com/tianocore/edk2/issues/10279#issuecomment-2649344114
- All of this needs to be added to various other tooling (pesign, kexec,
  etc) as well, not just shim.

> Jeff H.
> Cisco Confidential

Seems unlikely ;)

-- 
        Peter