Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

From: Mimi Zohar
Date: Tue Nov 14 2017 - 07:22:02 EST

Next message: Xu YiPing: "[PATCH] arm64: perf: remove duplicated and unsupported events for Cortex-A73"
Previous message: Eugeniy Paltsev: "[PATCH RESEND] CLK: ARC: Set initial pll output frequency specified in device tree"
In reply to: Alan Cox: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Greg Kroah-Hartman: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2017-11-13 at 14:09 -0800, Linus Torvalds wrote:
> On Mon, Nov 13, 2017 at 1:44 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> >
> > Whilst that may be true, we either have to check signatures on every bit of
> > firmware that the appropriate driver doesn't say is meant to be signed or not
> > bother.
>
> I vote for "not bother".
>
> Seriously, if you have firmware in /lib/firmware, and you don't trust
> it, what the hell are you doing?

I might "trust" the files in /lib/firmware, but I also want to make
sure that they haven't changed. ÂFile signatures provide file
provenance and integrity guarantees.

Mimi

Next message: Xu YiPing: "[PATCH] arm64: perf: remove duplicated and unsupported events for Cortex-A73"
Previous message: Eugeniy Paltsev: "[PATCH RESEND] CLK: ARC: Set initial pll output frequency specified in device tree"
In reply to: Alan Cox: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Greg Kroah-Hartman: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]