| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2012 19:53:52 +0100 From: Takashi Iwai <tiwai@...e.de> To: Matthew Garrett <mjg59@...f.ucam.org> Cc: Jiri Kosina <jkosina@...e.cz>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org Subject: Re: [RFC] Second attempt at kernel secure boot support At Wed, 31 Oct 2012 17:37:28 +0000, Matthew Garrett wrote: > > On Wed, Oct 31, 2012 at 06:28:16PM +0100, Takashi Iwai wrote: > > > request_firmware() is used for microcode loading, too, so it's fairly > > a core part to cover, I'm afraid. > > > > I played a bit about this yesterday. The patch below is a proof of > > concept to (ab)use the module signing mechanism for firmware loading > > too. Sign firmware files via scripts/sign-file, and put to > > /lib/firmware/signed directory. > > That does still leave me a little uneasy as far as the microcode > licenses go. I don't know that we can distribute signed copies of some > of them, and we obviously can't sign at the user end. Yeah, that's a concern. Although this is a sort of "container" and keeping the original data as is, it might be regarded as a modification. Another approach would be to a signature in a separate file, but I'm not sure whether it makes sense. Takashi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists