On Wed, 2015-08-12 at 19:22 +0100, David Howells wrote:
> By "a literal key provided by the driver" I presume you mean that the parts of
> the key (perhaps an X.509 cert) are actually compiled into the driver. Yes we
> could do this quite easily - key_create_or_update() will turn a binary key
> blob into a struct key * that can then be used. Do we want ~1.5K or more of
> undiscardable data per key adding to each module that wants to load firmware,
> particularly if it needs to carry several keys just in case one gets revoked?

No. Just use a *hash* of the acceptable signing cert(s)¹.

Note that the SKID is *usually* a hash of the public key, but isn't
guaranteed to be so, so using the SKID to specify the acceptable signing
cert isn't secure.

The actual signing cert doesn't need to be present in full because we
can require it to be present in the PKCS#7 signature.

--
David Woodhouse
Open Source Technology Centre
David.Woodhouse@intel.com
Intel Corporation

¹ Or indeed a hash of the only acceptable firmware image(s), if that's
appropriate for some use cases.
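The difference between pinning a SKID and pinning a hash of the whole signing cert, as an added Python model that is not part of the original message and is not kernel code. The `Cert` type, the sample byte strings and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert carried in a PKCS#7 signature."""
    der: bytes    # full encoded certificate (opaque bytes in this model)
    skid: bytes   # subjectKeyIdentifier: a field the cert's creator fills in

def cert_digest(cert: Cert) -> bytes:
    # SHA-256 is an assumption; the message only says "a hash".
    return hashlib.sha256(cert.der).digest()

def find_signer_by_skid(bundle, pinned_skids):
    """Weak policy: accept any embedded cert whose SKID matches a pin."""
    return next((c for c in bundle if c.skid in pinned_skids), None)

def find_signer_by_hash(bundle, pinned_digests):
    """Policy from the message: accept only a cert whose full hash is pinned."""
    for cert in bundle:
        digest = cert_digest(cert)
        if any(hmac.compare_digest(digest, pin) for pin in pinned_digests):
            return cert  # the signature must still verify under this cert's key
    return None

# Constructed sample data, not real certificates.
VENDOR = Cert(der=b"vendor-cert|pubkey=AAAA", skid=b"\x11" * 20)
# A cert for a different key pair that simply reuses the vendor's SKID value.
LOOKALIKE = Cert(der=b"other-cert|pubkey=BBBB", skid=VENDOR.skid)

# What a driver would compile in: 32 bytes per acceptable cert, several
# entries if more than one signing cert must be accepted.
PINNED_DIGESTS = (cert_digest(VENDOR),)
PINNED_SKIDS = (VENDOR.skid,)

if __name__ == "__main__":
    for name, bundle in (("vendor", [VENDOR]), ("lookalike", [LOOKALIKE])):
        print(name,
              "skid-pin:", find_signer_by_skid(bundle, PINNED_SKIDS) is not None,
              "hash-pin:", find_signer_by_hash(bundle, PINNED_DIGESTS) is not None)
```

The pin only selects which embedded cert is acceptable; verifying the PKCS#7 signature against that cert's public key is a separate step not modelled here.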