| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Nov 2017 06:55:36 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@...nel.org>
Cc: Matthew Garrett <mjg59@...gle.com>,
David Howells <dhowells@...hat.com>,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
Marcus Meissner <meissner@...e.de>, Joey Lee <jlee@...e.com>,
Jeff Mahoney <jeffm@...e.com>, Jiri Kosina <jikos@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"AKASHI, Takahiro" <takahiro.akashi@...aro.org>,
Johannes Berg <johannes@...solutions.net>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Kees Cook <keescook@...omium.org>,
Stephen Boyd <stephen.boyd@...aro.org>,
Vikram Mulukutla <markivx@...eaurora.org>,
linux-kernel@...r.kernel.org,
linux-security-module <linux-security-module@...r.kernel.org>,
James Morris <jmorris@...ei.org>
Subject: Re: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent
loading unsigned firmware
On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:
> I've frankly have grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that its out of the way and
> we open coded it, its no longer a requirement on my part.
As the keys CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel
image, they would be included in the kernel image signature.
As I previously asked https://lkml.org/lkml/2017/11/15/679, how are
the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted?
The keyring does not validate the certificate signatures, before
loading the keys on the firmware keyring. It explicitly bypasses the
certificate signature validation.
Mimi
Powered by blists - more mailing lists