Re: [RFD] linux-firmware key arrangement for firmware signing
[Posted May 26, 2015 by corbet]
From: "Woodhouse, David" <david.woodhouse-AT-intel.com>
To: "gregkh-AT-linuxfoundation.org" <gregkh-AT-linuxfoundation.org>
Subject: Re: [RFD] linux-firmware key arrangement for firmware signing
Date: Thu, 21 May 2015 19:32:54 +0000
Message-ID: <1432236773.8004.13.camel@intel.com>
Cc: "linux-kernel-AT-vger.kernel.org" <linux-kernel-AT-vger.kernel.org>, "seth.forshee-AT-canonical.com" <seth.forshee-AT-canonical.com>, "zohar-AT-linux.vnet.ibm.com" <zohar-AT-linux.vnet.ibm.com>, "mricon-AT-kernel.org" <mricon-AT-kernel.org>, "rusty-AT-rustcorp.com.au" <rusty-AT-rustcorp.com.au>, "dhowells-AT-redhat.com" <dhowells-AT-redhat.com>, "linux-security-module-AT-vger.kernel.org" <linux-security-module-AT-vger.kernel.org>, "jlee-AT-suse.de" <jlee-AT-suse.de>, "kyle-AT-kernel.org" <kyle-AT-kernel.org>, "gnomes-AT-lxorguk.ukuu.org.uk" <gnomes-AT-lxorguk.ukuu.org.uk>, "james.l.morris-AT-oracle.com" <james.l.morris-AT-oracle.com>, "mcgrof-AT-suse.com" <mcgrof-AT-suse.com>, "serge-AT-hallyn.com" <serge-AT-hallyn.com>, "linux-wireless-AT-vger.kernel.org" <linux-wireless-AT-vger.kernel.org>
On Thu, 2015-05-21 at 10:02 -0700, gregkh@linuxfoundation.org wrote:
>
> Again, why have a detached signature and not just part of the firmware
> blob? The device needs to be caring about this, not the kernel.
>
> Do other operating systems have this type of "feature"?
Yes. Windows effectively does by virtue of the fact that it ships the
firmware *with* the driver and even if it's in a separate file (which
it often isn't), the signed manifest covers it all together.
Look at it this way: If you don't have an IOMMU, then signing modules
is *utterly* pointless unless you also sign firmware. A rogue device
can do *anything*.
We really do want firmware signing for the *OS*, not just for
regulatory issues and other vendor-interest stuff which was Luis's
original focus.
--
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation