[Ksummit-discuss] [TECH TOPIC] Firmware signing

David Woodhouse dwmw2 at infradead.org
Tue Jul 28 14:23:38 UTC 2015

On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
>  (1) Should signatures produced by the manager of the linux-firmware package
>      be allowed only?
>  (2) If the linux-firmware packages are signed by a single key (or just a few
>      keys) it may be manageable to compile all these keys into the kernel.

I really think we want to allow firmware to be signed by the vendor who
created it — and we want the linux-firmware.git repository to carry the
original vendors' signatures along with the firmware blobs.

Having a signature generated by the linux-firmware packager which just
certifies that this *is* the blob that was in the linux-firmware.git
repository is only a partial solution.

I think we probably want to extend the request_firmware() call to
optionally take an additional certificate identifier (or hash), and
require the firmware to be signed with *that* certificate.

Rather than building the full cert into the kernel, perhaps we'd only
put the *hash* into the kernel, and require the PKCS#7 signature to
*include* the signing cert.

So, for example, the iwlwifi driver could provide a hash of Intel's
firmware-signing cert. And the firmware would come with a detached
PKCS#7 signature *containing* that signing cert, for validation to

In the case where the kernel has been built to require signed firmware
and a driver *doesn't* specify the acceptable signing cert, *then* a
system-wide trusted certificate should be accepted.

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/ksummit-discuss/attachments/20150728/ea486d84/attachment-0001.bin>

More information about the Ksummit-discuss mailing list