[Ksummit-discuss] [TECH TOPIC] Firmware signing
Andy Lutomirski
luto at amacapital.net
Tue Aug 11 21:56:35 UTC 2015
On Tue, Aug 11, 2015 at 1:24 PM, David Howells <dhowells at redhat.com> wrote:
> Hi James,
>
> The top patch here:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7-2
>
> allows demand loading of keys based on their SKID into a special keyring from
> which they get erased after an arbitrary 3 minutes of existence. This key can
> then be used to verify a signature instead of using the primary system keyring
> used for module signature checking.
>
> Building on this, a driver could have a SKID compiled into it which could then
> be used to load a key for request_firmware() to use in verifying the blobs
> that that driver requires.
>
Who signs the vendor key?

Why are we bothering loading device vendor keys into a keyring in the
first place? Why not just have an API to request firmware either
signed by a literal key provided by the driver *or* whatever keys the
system trusts in general for firmware signing?

--Andy