On Fri, 2016-08-12 at 05:54 -0700, Andy Lutomirski wrote:
>
> > Whatever solution we decide, some firmware is already signed. Some of
> > the Intel firmware we submit to linux-firmware is signed and a firmware
> > with bad or unsigned keys will fail to load on these devices. Now how
> > much we are willing to trust that is an entirely different question.
> >
> > Any solution needs to comprehend that additional signing might be
> > present.
>
> I see device-verified signatures as orthogonal: the kernel loads a
> blob, optionally verifies the blob, and that blob just happens to
> contain a signature.

To a certain extent yes. If you *know* the device will check the
signature then you might not bother.

Then again, this stuff is often fairly opaque and the device *might* not
check for itself in some circumstances (prototype hardware, debug modes,
etc.), so if there *is* a signature and *if* it isn't just part of an
opaque blob, then it might make some sense to validate it for ourselves
too.

-- 
dwmw2
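The distinction drawn in the reply above, a signature the kernel can see versus one buried inside an opaque blob, only matters if the kernel can reliably find the signature in the image it was handed. The following is an added example, not code from this thread, from the kernel or from linux-firmware: a C routine that splits a firmware image into (signed payload, signature) using an appended trailer modelled on the kernel's module-signature trailer (fixed header, big-endian signature length, magic string), treating every length field as untrusted. The magic string, the `fw_sig_*` names and the sample image built in `main` are assumptions made for this example; the placeholder signature bytes are constructed and are not a real PKCS#7 blob, since only the locating step is shown here and the actual signature check is left to whatever verifier the caller trusts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trailer modelled on the kernel's struct module_signature + magic.
 * The magic string and fw_sig_* names are assumptions for this example,
 * not a format defined by the kernel or by linux-firmware. */
#define FW_SIG_MAGIC      "~Firmware signature appended~\n"
#define FW_SIG_MAGIC_LEN  (sizeof(FW_SIG_MAGIC) - 1)

struct fw_sig_trailer {
    uint8_t algo;        /* public-key algorithm identifier */
    uint8_t hash;        /* digest algorithm identifier */
    uint8_t id_type;     /* key identifier type */
    uint8_t signer_len;  /* signer name length (0 for PKCS#7-style) */
    uint8_t key_id_len;  /* key id length (0 for PKCS#7-style) */
    uint8_t pad[3];
    uint8_t sig_len[4];  /* big-endian length of the signature bytes */
};
#define FW_SIG_TRAILER_LEN (sizeof(struct fw_sig_trailer) + FW_SIG_MAGIC_LEN)

enum fw_sig_status {
    FW_SIG_PRESENT   = 0, /* trailer found and internally consistent */
    FW_SIG_ABSENT    = 1, /* no magic: unsigned, or signature is opaque to us */
    FW_SIG_MALFORMED = 2, /* magic present but the lengths do not add up */
};

/* Split an image into (signed payload, signature). Nothing is verified
 * here; the caller hands both regions to the real verifier. Every length
 * comes from the image itself, so it is bounds-checked before use. */
enum fw_sig_status fw_sig_locate(const uint8_t *buf, size_t len,
                                 size_t *payload_len,
                                 const uint8_t **sig, size_t *sig_len)
{
    const struct fw_sig_trailer *t;
    size_t slen;

    if (len < FW_SIG_TRAILER_LEN ||
        memcmp(buf + len - FW_SIG_MAGIC_LEN, FW_SIG_MAGIC, FW_SIG_MAGIC_LEN))
        return FW_SIG_ABSENT;

    t = (const struct fw_sig_trailer *)(buf + len - FW_SIG_TRAILER_LEN);
    slen = ((size_t)t->sig_len[0] << 24) | ((size_t)t->sig_len[1] << 16) |
           ((size_t)t->sig_len[2] << 8)  |  (size_t)t->sig_len[3];

    /* Signature must fit in what is left after the trailer and must leave
     * at least one payload byte; signer/key-id fields are unsupported here. */
    if (slen == 0 || slen >= len - FW_SIG_TRAILER_LEN)
        return FW_SIG_MALFORMED;
    if (t->signer_len != 0 || t->key_id_len != 0)
        return FW_SIG_MALFORMED;

    *payload_len = len - FW_SIG_TRAILER_LEN - slen;
    *sig = buf + *payload_len;
    *sig_len = slen;
    return FW_SIG_PRESENT;
}

/* Build payload || signature || trailer || magic. Returns the total
 * length, or 0 if the image would not fit in cap. */
size_t fw_sig_append(uint8_t *out, size_t cap,
                     const uint8_t *payload, size_t plen,
                     const uint8_t *sig, size_t slen)
{
    struct fw_sig_trailer t = {0};
    size_t total = plen + slen + FW_SIG_TRAILER_LEN;

    if (slen > 0xffffffffu || total < plen || total > cap)
        return 0;
    t.sig_len[0] = (uint8_t)(slen >> 24);
    t.sig_len[1] = (uint8_t)(slen >> 16);
    t.sig_len[2] = (uint8_t)(slen >> 8);
    t.sig_len[3] = (uint8_t)slen;
    memcpy(out, payload, plen);
    memcpy(out + plen, sig, slen);
    memcpy(out + plen + slen, &t, sizeof t);
    memcpy(out + plen + slen + sizeof t, FW_SIG_MAGIC, FW_SIG_MAGIC_LEN);
    return total;
}

int main(void)
{
    /* Constructed sample image; the signature bytes are placeholders. */
    static const uint8_t payload[] = "constructed firmware payload";
    static const uint8_t fake_sig[] = "placeholder-signature-bytes";
    uint8_t img[256];
    size_t n, plen, slen;
    const uint8_t *sig;

    n = fw_sig_append(img, sizeof img, payload, sizeof payload - 1,
                      fake_sig, sizeof fake_sig - 1);
    printf("status=%d\n", fw_sig_locate(img, n, &plen, &sig, &slen));
    printf("payload %zu bytes, signature %zu bytes\n", plen, slen);

    /* Oversized length field must be rejected, not read past the buffer. */
    img[n - FW_SIG_MAGIC_LEN - 4] = 0xff;
    printf("tampered: status=%d\n", fw_sig_locate(img, n, &plen, &sig, &slen));
    return 0;
}
```

`FW_SIG_ABSENT` is deliberately distinct from `FW_SIG_MALFORMED`: an image with no trailer is the "opaque blob" case, where policy decides whether to trust the device's own check, while an image that claims a trailer but whose lengths do not add up should never be handed to the device at all.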