[Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: Last minute nominations: mcgrof and toshi

Jani Nikula jani.nikula at intel.com
Wed Aug 3 10:28:43 UTC 2016


On Wed, 03 Aug 2016, Linus Walleij <linus.walleij at linaro.org> wrote:
> On Tue, Aug 2, 2016 at 4:13 PM, James Bottomley
> <James.Bottomley at hansenpartnership.com> wrote:
>> On Tue, 2016-08-02 at 14:54 +0200, Linus Walleij wrote:
>>> I would certainly trust a firmware signed by say Laurent Pinchart,
>>> but not sure about one signed by E.Corp.
>>
>> Really?  Assuming E.Corp is the one actually producing the firmware,
>> why would you say they're less qualified than Laurent to certify their
>> own firmware?  Half the SCSI chips I see have proprietary firmware.
>> Even if I were willing to sign it, would you really trust my signature
>> when I can't even decompile it?
>
> I would trust an Intel WiFi driver if it was signed by Dirk Hohndel
> or H. Peter Anvin whose GPG keys I have in my own web of trust
> and work for Intel. And this is simply because I trust these guys
> more than the corporate entity they work for.

[I admittedly didn't read the whole thread, so take this with a grain of
salt, but this stood out.]

I think you're conflating the trust you have in someone or something
actually being who they claim they are with the trust you have in
them. The GPG keys are used for the former, and it's *relatively* easy
to achieve by key signing events and web of trust. The latter is much
harder, and involves all the things you usually have to do to gain trust
in people.

I would imagine we'd want to ensure the firmware blobs actually come
from whoever writes them. I would imagine this would be the company. I
don't think the signatures per se should imply a guarantee of quality,
just that the firmware originates from where it's supposed to originate.

If you insist the individuals you trust sign the blobs, I think you're
putting them under pressure to scrutinize the contents, while they might
not be in a position to do so, like James says.

Side note, Dirk no longer works for Intel, so while you might trust him
personally, I don't think you should trust him to sign Intel binaries...

BR,
Jani.


-- 
Jani Nikula, Intel Open Source Technology Center
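The distinction Jani draws above, that a signature proves who published a blob while loading it is a separate trust decision, as an added example that is not part of this thread and not the kernel's own module or firmware signing code. It assumes a hypothetical keyring mapping registered Ed25519 public keys to an origin label, a hypothetical vendor "E.Corp", a hypothetical "individual maintainer" key, and a constructed firmware image; keys are generated fresh per run rather than built into the kernel.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Origin labels whose key a signature verified against. It answers
// "who published this blob?" and nothing else; it says nothing about quality.
type Origin string

const (
	OriginUnknown Origin = ""
	OriginECorp   Origin = "E.Corp firmware release key" // hypothetical vendor key
	OriginPerson  Origin = "individual maintainer key"   // hypothetical personal key
)

// keyring maps hex-encoded public keys to the origin they are registered under.
type keyring map[string]Origin

// policy is the separate trust decision: which verified origins may be loaded.
type policy map[Origin]bool

// newSigner creates a fresh Ed25519 key pair and registers its public half.
// Keys are generated per run here (assumption); a real keyring is built in.
func newSigner(kr keyring, o Origin) (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kr[hex.EncodeToString(pub)] = o
	return pub, priv
}

// signBlob produces a detached Ed25519 signature over the blob.
func signBlob(priv ed25519.PrivateKey, blob []byte) []byte {
	return ed25519.Sign(priv, blob)
}

// verifyOrigin returns which registered key signed the blob, or OriginUnknown
// if the key is unregistered, the signature is wrong, or the blob was altered.
func verifyOrigin(kr keyring, pub ed25519.PublicKey, blob, sig []byte) Origin {
	o, known := kr[hex.EncodeToString(pub)]
	if !known || !ed25519.Verify(pub, blob, sig) {
		return OriginUnknown
	}
	return o
}

// shouldLoad chains the two steps: establish origin first, then apply policy.
func shouldLoad(kr keyring, pol policy, pub ed25519.PublicKey, blob, sig []byte) (Origin, bool) {
	o := verifyOrigin(kr, pub, blob, sig)
	return o, o != OriginUnknown && pol[o]
}

func main() {
	kr := keyring{}
	pol := policy{OriginECorp: true} // load only what the producer published
	corpPub, corpPriv := newSigner(kr, OriginECorp)
	personPub, personPriv := newSigner(kr, OriginPerson)
	blob := []byte("constructed firmware image bytes") // constructed sample input

	cases := []struct {
		name string
		pub  ed25519.PublicKey
		sig  []byte
	}{
		{"vendor-signed", corpPub, signBlob(corpPriv, blob)},
		{"person-signed", personPub, signBlob(personPriv, blob)},
	}
	for _, c := range cases {
		o, ok := shouldLoad(kr, pol, c.pub, blob, c.sig)
		fmt.Printf("%s: origin=%q load=%v\n", c.name, o, ok)
	}
}
```

The person-signed blob verifies fine, so its origin is established, but the policy still rejects it; the vendor-signed blob is both verified and accepted. Keeping `verifyOrigin` and `policy` apart is what lets a signature mean "this came from E.Corp" without also meaning "an individual vouched for the contents".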

