[Ksummit-discuss] [TECH TOPIC] Firmware signing
Peter Jones
pjones at redhat.com
Tue Jul 28 19:52:08 UTC 2015
On Tue, Jul 28, 2015 at 08:14:09PM +0100, David Howells wrote:
> Peter Jones <pjones at redhat.com> wrote:
>
> > And even past there - if the firmware update is compliant with NIST
> > SP800-147 (which they really all /should/ be, but we know how that
> > goes), then the actual blob that gets passed to the firmware still must
> > be signed with a key trusted by the firmware.
>
> This is just BIOS updating, right, and not, say, for supplying firmware to my
> DVB cards?
>
> Though I suppose the technique might be generally applicable.
It singles out system firmware quite a bit, yes, though it isn't clear
to me that you /couldn't/ read it against updates for a PCI Option ROM
or even the binary we upload to a running card for wifi if you chose to
implement your hardware that way.
Additionally, if you're on a modernish UEFI system:
a) the "Capsule Update" mechanism we're using for firmware updates can
be used on option roms, and it can validate them first and return
EFI_SECURITY_VIOLATION to us if they don't validate, and
b) UEFI Option ROMs are just PE binaries, and if Secure Boot is enabled,
if they don't verify correctly against the SB databases, they don't get
loaded and run.
So there are multiple layers of protection there.
--
Peter
More information about the Ksummit-discuss
mailing list