| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241209153600.27bd07e1@kernel.org> Date: Mon, 9 Dec 2024 15:36:00 -0800 From: Jakub Kicinski <kuba@...nel.org> To: Martyna Szapar-Mudlaw <martyna.szapar-mudlaw@...ux.intel.com> Cc: netdev@...r.kernel.org, andrew+netdev@...n.ch, horms@...nel.org, jiri@...nulli.us, stephen@...workplumber.org, anthony.l.nguyen@...el.com, jacob.e.keller@...el.com, przemyslaw.kitszel@...el.com, intel-wired-lan@...ts.osuosl.org Subject: Re: [RFC 0/1] Proposal for new devlink command to enforce firmware security On Mon, 9 Dec 2024 14:14:50 +0100 Martyna Szapar-Mudlaw wrote: > Proposed design > > New command, `devlink dev lock-firmware` (or `devlink dev guard-firmware`), > will be added to devlink API. Implementation in devlink will be simple > and generic, with no predefined operations, offering flexibility for drivers > to define the firmware locking mechanism appropriate to the hardware's > capabilities and security requirements. Running this command will allow > ice driver to ensure firmware with lower security value downgrades are > prevented. > > Add also changes to Intel ice driver to display security values > via devlink dev info command running and set minimum. Also implement > lock-firmware devlink op callback in ice driver to update firmware > minimum security revision value. devlink doesn't have a suitable security model. I don't think we should be adding hacks since we're not security experts and standards like SPDM exist. I understand that customers ask for this but "security" is not a checkbox, the whole certificate and version management is necessary.
Powered by blists - more mailing lists