On Aug 2, 2016 7:00 AM, "Jason Cooper" <jason@lakedaemon.net> wrote:
>
> The problem here is that we (users) need to be able to verify that
> iwlwifi-whatever.ucode claimed to be created by Intel, was indeed the
> *same* one Intel shipped out the door. That's it. It's up to the user
> to decide to "trust" Intel's microcode or not. All the kernel should be
> doing is confirming cryptographically that it came from Intel.

Except that this particular use case doesn't require any kernel support at all. If the goal is that root doesn't want to load a bad firmware, then root can check whatever signature it wants in userspace.
The point of in-kernel verification is to enforce policies that are intended to work even if root is compromised. This includes CRDA-like policy and MS's Secure Boot policy. If, while doing this, we get to check vendor keys too, that's just an added benefit in my book.