[Ksummit-discuss] [TECH TOPIC] Firmware signing
dwmw2 at infradead.org
Tue Jul 28 14:23:38 UTC 2015
On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
> (1) Should signatures produced by the manager of the linux-firmware package
> be allowed only?
> (2) If the linux-firmware packages are signed by a single key (or just a few
> keys) it may be manageable to compile all these keys into the kernel.
I really think we want to allow firmware to be signed by the vendor who
created it — and we want the linux-firmware.git repository to carry the
original vendors' signatures along with the firmware blobs.

Having a signature generated by the linux-firmware packager which just
certifies that this *is* the blob that was in the linux-firmware.git
repository is only a partial solution.

I think we probably want to extend the request_firmware() call to
optionally take an additional certificate identifier (or hash), and
require the firmware to be signed with *that* certificate.

Rather than building the full cert into the kernel, perhaps we'd only
put the *hash* into the kernel, and require the PKCS#7 signature to
*include* the signing cert.

So, for example, the iwlwifi driver could provide a hash of Intel's
firmware-signing cert. And the firmware would come with a detached
PKCS#7 signature *containing* that signing cert, for validation to

In the case where the kernel has been built to require signed firmware
and a driver *doesn't* specify the acceptable signing cert, *then* a
system-wide trusted certificate should be accepted.
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
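The policy sketched above (a driver pins the hash of its vendor's signing cert, the detached PKCS#7 signature carries that cert, and a driver without a pin falls back to a system-wide trusted cert), as an added example modelled in user space with OpenSSL's CMS tool; this is not code from the post or from the kernel. All keys, names and the firmware blob are constructed for the demo, and `verify_firmware` is a hypothetical stand-in for the kernel-side check.

```sh
#!/bin/sh
# Added demo of the proposed policy using OpenSSL's CMS (PKCS#7) tooling:
# a driver pins the SHA-256 fingerprint of its vendor's signing cert, the
# detached signature must carry that cert, and a driver with no pin falls
# back to the system-wide trusted cert. Every key, name and blob below is
# constructed for this demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

mkcert() {  # $1 = file stem, $2 = CN: self-signed cert + key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
mkcert vendor "Vendor firmware signing"    # the cert the driver pins
mkcert other  "Unrelated signer"           # valid signature, wrong cert
mkcert system "System-wide trusted key"    # e.g. the linux-firmware packager

printf 'FIRMWARE-BLOB-v1' > fw.bin          # constructed firmware image
printf 'FIRMWARE-BLOB-v2' > fw-tampered.bin # same name, altered contents

# Detached DER signature; the signer cert is embedded unless -nocerts is given.
sign() { openssl cms -sign -binary -signer "$1.crt" -inkey "$1.key" \
             -in fw.bin -outform DER -out "$2"; }
sign vendor fw.p7s
sign other  fw-other.p7s
sign system fw-system.p7s

cert_fingerprint() {  # lowercase hex SHA-256 fingerprint of a PEM cert
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
PINNED=$(cert_fingerprint vendor.crt)      # what e.g. a wifi driver would carry

# verify_firmware BLOB SIG [PIN]: exit 0 if the blob may be loaded, 1 if not.
verify_firmware() {
    blob=$1; sig=$2; pin=${3:-}; rm -f signer.pem
    if [ -n "$pin" ]; then
        # Check the signature with the cert carried in the signature itself
        # (-noverify: no chain building) and write that cert to signer.pem ...
        openssl cms -verify -binary -inform DER -in "$sig" -content "$blob" \
            -noverify -signer signer.pem -out /dev/null 2>/dev/null || return 1
        # ... then accept only if it is exactly the cert the driver pinned.
        [ "$(cert_fingerprint signer.pem)" = "$pin" ]
    else
        # No driver pin: the signer must chain to the system-wide trusted cert.
        openssl cms -verify -binary -inform DER -in "$sig" -content "$blob" \
            -CAfile system.crt -out /dev/null 2>/dev/null
    fi
}
```

A pinned driver rejects a blob signed by any other cert, including the system-wide one, while an unpinned driver accepts only signatures that chain to the system-wide trust store.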