From: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: ksummit-discuss@lists.linuxfoundation.org, jkkm@jkkm.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 09:55:41 -0700 [thread overview]
Message-ID: <CAB=NE6Vd+SbBA4TerS9bpqJuumaP1LY9rhpL6Nc57Wzhj4ijUw@mail.gmail.com> (raw)
In-Reply-To: <1438093418.26913.174.camel@infradead.org>
On Tue, Jul 28, 2015 at 7:23 AM, David Woodhouse <dwmw2@infradead.org> wrote:
>> (2) If the linux-firmware packages are signed by a single key (or just a few
>> keys) it may be manageable to compile all these keys into the kernel.
>
> I really think we want to allow firmware to be signed by the vendor who
> created it — and we want the linux-firmware.git repository to carry the
> original vendors' signatures along with the firmware blobs.
>
> Having a signature generated by the linux-firmware packager which just
> certifies that this *is* the blob that was in the linux-firmware.git
> repository is only a partial solution.
As we have it now the fist iteration of patches would just allow to
trust a set a key signed by a trusted CA for the purpose firmware
signing, and each firmware signature must be signed with a key
intended for the purpose of firmware singing, additionally the
signature would have the file name for the intended signature.
Support for embedding a custom set of key attribute requirements is
part of my second phase of firmware signing patches, to help replace
CRDA with in-kernel functionality as that is one existing use case
where what you say is what we needed. The second phase of patches
would also allow drivers to make use of this though -- so what you say
would be supported, but it would come in with the second set of
patches. The reason it'd come in separately is the firmware API is
already abused enough, we keep adding new routines with more arguments
and I think that needs to end. The second set of patches introduce a
new extensible API which lets users express the requirements for the
"system data file" and then the core vets for its ability to meet the
criteria passed and if it can find it, it hands it back.
There's one caveat here, at least the way me and David envisioned
system data extensions is that you'd have to register an OID into the
kernel's registry and your key would have to be purposed for that OID.
David mentions we don't have a limit to the OID registry but I don't
think we were envisioning everyone having a custom set of
requirements, although I cannot foresee any issues with this, other
than the kernel size overhead. We did speak about dynamic extensions
to this registry, so maybe that's the way to make it less of pain to
the kernel's size. Perhaps the later should be something some vendors
can opt-in to. That would provide for the flexibility to only those
using those APIs (ie Intel), meanwhile if a distro disables firmware
singing its all ignored, the next step would be if they enable
firmware singing then the default trusted key (Kyle's) would be
trusted. The system data API would enable subsystems and drivers to
*require* a signature independent of what the distro
said to firmware signing, ie, a different Kconfig entry. This would
enable a silicon vendor to require signed firmware, and it'd work, so
long as it was in linux-firmware, and the distro would not need
firmware signing enabled.
Luis
next prev parent reply other threads:[~2015-07-28 16:56 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 13:36 David Howells
2015-07-28 14:23 ` David Woodhouse
2015-07-28 16:55 ` Luis R. Rodriguez [this message]
2015-07-28 15:10 ` James Bottomley
2015-07-28 15:22 ` Andy Lutomirski
2015-07-28 15:31 ` James Bottomley
2015-07-28 16:05 ` Andy Lutomirski
2015-07-28 16:10 ` James Bottomley
2015-07-28 16:15 ` David Woodhouse
2015-07-28 16:35 ` Andy Lutomirski
2015-07-28 16:44 ` David Howells
2015-07-28 17:03 ` Andy Lutomirski
2015-07-28 19:19 ` David Woodhouse
2015-07-28 19:31 ` Andy Lutomirski
2015-07-28 19:43 ` David Woodhouse
2015-07-28 22:03 ` James Bottomley
2015-08-11 20:24 ` David Howells
2015-08-11 21:56 ` Andy Lutomirski
2015-08-11 22:03 ` Luis R. Rodriguez
2015-08-12 18:22 ` David Howells
2015-08-12 18:45 ` David Woodhouse
2015-08-12 19:09 ` Andy Lutomirski
2015-08-12 19:15 ` James Bottomley
2015-08-12 19:25 ` Andy Lutomirski
2015-08-12 19:43 ` James Bottomley
2015-08-12 19:45 ` Andy Lutomirski
2015-08-12 19:59 ` James Bottomley
2015-08-13 7:03 ` Jan Kara
2015-08-13 14:01 ` James Bottomley
2015-08-12 22:46 ` David Howells
2015-08-12 22:51 ` Andy Lutomirski
2015-08-12 19:06 ` Andy Lutomirski
2015-08-12 22:39 ` David Howells
2015-08-12 22:45 ` Andy Lutomirski
2015-08-12 22:45 ` David Howells
2015-08-12 22:47 ` Andy Lutomirski
2015-07-28 16:18 ` David Howells
2015-07-28 16:42 ` James Bottomley
2015-07-28 17:05 ` Andy Lutomirski
2015-07-28 17:09 ` James Bottomley
2015-07-28 17:10 ` Andy Lutomirski
2015-07-29 2:00 ` James Morris
2015-07-28 16:58 ` Josh Boyer
2015-07-28 15:12 ` David Woodhouse
2015-07-28 18:47 ` Peter Jones
2015-07-28 19:14 ` David Howells
2015-07-28 19:52 ` Peter Jones
2015-07-28 16:17 ` David Howells
2015-07-28 16:59 ` James Bottomley
2015-07-28 19:11 ` David Howells
2015-07-28 19:34 ` Luis R. Rodriguez
2015-07-28 21:53 ` James Bottomley
2015-07-28 22:39 ` David Howells
2015-07-28 22:44 ` Andy Lutomirski
2015-07-29 8:39 ` David Woodhouse
2015-07-28 18:36 ` josh
2015-07-28 18:44 ` James Bottomley
2015-07-28 18:54 ` josh
2015-07-28 19:06 ` Luis R. Rodriguez
2015-07-28 21:38 ` Greg KH
2015-07-28 23:59 ` josh
2015-07-29 0:17 ` Greg KH
2015-07-29 9:37 ` David Woodhouse
2015-07-29 15:00 ` James Bottomley
2015-07-29 15:35 ` David Woodhouse
2015-07-29 16:38 ` James Bottomley
2015-07-29 17:32 ` David Woodhouse
2015-07-29 23:39 ` James Bottomley
2015-07-30 8:08 ` David Woodhouse
2015-07-30 13:48 ` James Bottomley
2015-07-30 14:21 ` Heiko Stübner
2015-07-30 14:30 ` James Bottomley
2015-07-30 15:01 ` David Woodhouse
2015-07-30 16:17 ` James Bottomley
2015-07-30 19:17 ` David Woodhouse
2015-07-31 14:41 ` Theodore Ts'o
2015-07-31 16:14 ` Tim Bird
2015-07-31 17:25 ` David Woodhouse
2015-07-30 16:24 ` Tim Bird
2015-07-29 16:35 ` Josh Triplett
2015-07-29 8:29 ` David Woodhouse
2015-07-29 11:57 ` Mark Brown
2015-07-29 12:02 ` David Woodhouse
2015-07-29 12:24 ` Mark Brown
2015-07-28 19:23 ` David Woodhouse
2015-07-28 19:19 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAB=NE6Vd+SbBA4TerS9bpqJuumaP1LY9rhpL6Nc57Wzhj4ijUw@mail.gmail.com' \
--to=mcgrof@do-not-panic.com \
--cc=dwmw2@infradead.org \
--cc=jkkm@jkkm.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox