Doesn't this kind of policy belong in the kernel?

It might, but the kernel doesn't get any information about the RSA key -- this is all done in userspace. The kernel just gets the plaintext symmetric key data and the encrypted plaintext symmetric key data as blobs. All public key crypto for EKCD is done in userspace.

A couple of lines below we set kda_encryptedkeysize = RSA_size(pubkey), and that is indeed passed to the kernel.

Sure, that's true. However, that ABI is just the size of the encrypted symmetric key data blob in bytes — there's no reason the asymmetric algorithm used in userspace has to be RSA or that it must match the key size for asymmetric algorithms other than RSA. (In libsodium terms, we're doing a crypto_box_seal operation.)

Other choices (like elliptic curve publickey encryption schemes) might be a good idea going forward. And we can't validate, e.g., sane 'e' (not trivially small) or lack of 'd' (not a public key!) from the kernel, as we lose all of the key data.

I think if anywhere this sort of policy belongs in OpenSSL, actually. But I am unaware of any such routine for enforcing non-weak RSA keys in OpenSSL. Maybe Ben Kaduk (OpenSSL committer) has a better idea. I've tagged him as a reviewer.

"must match the key size" -> "must match the asymmetric key size"

I didn't remember the order of operations when I added them :-). Will remove.

I haven't thought through it very well yet. :-) Here's a rough sketch:

I guess the decryptor can figure out the key encryption algorithm used by examining the key passed by the user.

Perhaps. It's worth remembering that the current scheme assumes that the user on the savecore/netdumpd end knows exactly which public key was used to encrypt a dump — there's nothing to identify the specific public key used in the dump header nor encrypted key block today. So in that sense, having to know exactly which algorithm and key was used to encrypt a dump is just status quo.

That is, there would be no need to encode that information in the kernel dump header.

It might be worth adding a public key identifier (and asymmetric cipher mode enum while we're at it) independent of any change in the specific asymmetric algorithm.

As far as actual mechanics of the asym. cipher mode, we could borrow a few bits from 'kdc_encryption' (uint8_t). Or there are plenty of bits available in kdk_encryptedkeysize — it's a uint32_t representing numbers on the order of 4096 — to borrow some.

As far as identifying the pubkey used, we could put a truncated digest of the public key (or whatever the literature suggests is a good idea) in the unused back half of the IV array, which is excessively sized for most (?all) symmetric ciphers, as a way to help administrators identify the public key used for the dump.

I intend to leave this for future work, if that's alright.

Yeah, that said we should probably steal a few bits we know are zero in stable/12 to start a version field. So that current can dump leftover cores from stable/12.

The OpenSSL "security level" functionality (commonly seen in cipher strings as, e.g., "HIGH@SECLEVEL=1") is the natural way to get a high-level strength check, but it's only implemented at the X.509 verification level. Since we're using raw RSA objects here, the best option I can offer is to check against RSA_security_bits(pubkey) with a desired bit-strength.