[Ksummit-discuss] [TECH TOPIC] Firmware signing

Andy Lutomirski luto at amacapital.net
Tue Jul 28 17:03:57 UTC 2015


On Tue, Jul 28, 2015 at 9:44 AM, David Howells <dhowells at redhat.com> wrote:
> Andy Lutomirski <luto at amacapital.net> wrote:
>
>> I'd really like to replace "the system trusted keyring" with
>> purpose-specific lists of keys.  There are keys we trust to sign
>> modules, there are keys we trust to sign kexec things, there will be
>> keys to trust to sign firmware for any device, etc.
>
> I have some patches to restrict what a key is permitted to do - see the top
> few patches here:
>
>         http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=fwsign-pkcs7
>
> This involves marking the X.509 certs with the intended use case (or relying
> on the existing CA stuff for key-signing keys).

This will require that we take any firmware vendor's key and rewrap it
somehow into a new X.509 blob with a key usage constraint.

Can't we just track this stuff in the kernel without adding yet
another dependency on X.509?

--Andy

