On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
>
> (1) Should signatures produced by the manager of the linux-firmware package
> be allowed only?
>
> (2) If the linux-firmware packages are signed by a single key (or just a few
> keys) it may be manageable to compile all these keys into the kernel.

I really think we want to allow firmware to be signed by the vendor who created it — and we want the linux-firmware.git repository to carry the original vendors' signatures along with the firmware blobs.

Having a signature generated by the linux-firmware packager which just certifies that this *is* the blob that was in the linux-firmware.git repository is only a partial solution.

I think we probably want to extend the request_firmware() call to optionally take an additional certificate identifier (or hash), and require the firmware to be signed with *that* certificate.

Rather than building the full cert into the kernel, perhaps we'd only put the *hash* into the kernel, and require the PKCS#7 signature to *include* the signing cert.

So, for example, the iwlwifi driver could provide a hash of Intel's firmware-signing cert. And the firmware would come with a detached PKCS#7 signature *containing* that signing cert, for validation to succeed.

In the case where the kernel has been built to require signed firmware and a driver *doesn't* specify the acceptable signing cert, *then* a system-wide trusted certificate should be accepted.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation
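A model of the policy proposed in the message above (driver-supplied cert hash, signing cert carried inside the detached signature, system-wide trust only as a fallback), as an added example that is not kernel code and not from this thread: it is written in Go, with a simplified detached-signature struct and a self-signed Ed25519 cert standing in for PKCS#7 SignedData and a vendor's real signing cert, and the names `VerifyFirmware`, `SignFirmware` and `NewVendorCert` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// FirmwareSig stands in for the proposal's detached PKCS#7 signature: the signing cert travels with it.
type FirmwareSig struct{ SignerCertDER, Signature []byte }
// SignFirmware is the vendor-side step: sign the blob and attach the vendor cert.
func SignFirmware(blob, certDER []byte, priv ed25519.PrivateKey) FirmwareSig {
	return FirmwareSig{certDER, ed25519.Sign(priv, blob)}
}
// VerifyFirmware models the kernel-side policy: pin is the cert hash the driver passed
// to request_firmware() (nil if none); system-wide trusted hashes apply only when there is no pin.
func VerifyFirmware(blob []byte, sig FirmwareSig, pin *[32]byte, systemTrusted [][32]byte) error {
	h := sha256.Sum256(sig.SignerCertDER) // hash before parsing: the attached cert is untrusted input
	trusted := pin != nil && h == *pin
	for i := 0; pin == nil && i < len(systemTrusted) && !trusted; i++ {
		trusted = h == systemTrusted[i]
	}
	if !trusted {
		return errors.New("attached signing cert is neither the driver's pinned cert nor system-trusted")
	}
	cert, err := x509.ParseCertificate(sig.SignerCertDER)
	if err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, blob, sig.Signature) {
		return errors.New("firmware signature does not verify under the attached cert")
	}
	return nil
}
// NewVendorCert builds a self-signed Ed25519 cert as a constructed stand-in for a vendor signing cert.
func NewVendorCert(cn string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, priv, err
}
```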