[Ksummit-discuss] [TECH TOPIC] Firmware signing

David Woodhouse dwmw2 at infradead.org
Wed Aug 12 18:45:39 UTC 2015


On Wed, 2015-08-12 at 19:22 +0100, David Howells wrote:
> By "a literal key provided by the driver" I presume you mean that the parts of
> the key (perhaps an X.509 cert) are actually compiled into the driver.  Yes we
> could do this quite easily - key_create_or_update() will turn a binary key
> blob into a struct key * that can then be used.  Do we want ~1.5K or more of
> undiscardable data per key adding to each module that wants to load firmware,
> particularly if it needs to carry several keys just in case one gets revoked?

No. Just use a *hash* of the acceptable signing cert(s)¹. Note that the
SKID is *usually* a hash of the public key, but isn't guaranteed to be
so, so using the SKID to specify the acceptable signing cert isn't
secure.

The actual signing cert doesn't need to be present in full because we
can require it to be present in the PKCS#7 signature.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation

¹ Or indeed a hash of the only acceptable firmware image(s), if that's appropriate for some use cases.