Date: Thu, 23 Nov 2017 06:55:36 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@...nel.org>
Cc: Matthew Garrett <mjg59@...gle.com>, David Howells <dhowells@...hat.com>, One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>, Marcus Meissner <meissner@...e.de>, Joey Lee <jlee@...e.com>, Jeff Mahoney <jeffm@...e.com>, Jiri Kosina <jikos@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, "AKASHI, Takahiro" <takahiro.akashi@...aro.org>, Johannes Berg <johannes@...solutions.net>, James Bottomley <James.Bottomley@...senpartnership.com>, Kees Cook <keescook@...omium.org>, Stephen Boyd <stephen.boyd@...aro.org>, Vikram Mulukutla <markivx@...eaurora.org>, linux-kernel@...r.kernel.org, linux-security-module <linux-security-module@...r.kernel.org>, James Morris <jmorris@...ei.org>
Subject: Re: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:
> I've frankly grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that it's out of the way and
> we open coded it, it's no longer a requirement on my part.

As the keys for CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel image, they would be included in the kernel image signature.

As I previously asked (https://lkml.org/lkml/2017/11/15/679), how are the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted? The keyring does not validate the certificate signatures before loading the keys on the firmware keyring. It explicitly bypasses the certificate signature validation.

Mimi