Re: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

From: Mimi Zohar
Date: Thu Nov 23 2017 - 06:55:56 EST

Next message: Borislav Petkov: "Re: [PATCH v2 09/18] x86/asm: Move SYSENTER_stack to the beginning of struct tss_struct"
Previous message: Michal Hocko: "[PATCH] fs: handle shrinker registration failure in sget_userns"
In reply to: Luis R. Rodriguez: "Re: [Fwd: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:

> I've frankly have grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that its out of the way and
> we open coded it, its no longer a requirement on my part.

As the keys CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel
image, they would be included in the kernel image signature.

As I previously askedÂhttps://lkml.org/lkml/2017/11/15/679, how are
the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted?
ÂThe keyring does not validate the certificate signatures, before
loading the keys on the firmware keyring. ÂIt explicitly bypasses the
certificate signature validation.

Mimi

Next message: Borislav Petkov: "Re: [PATCH v2 09/18] x86/asm: Move SYSENTER_stack to the beginning of struct tss_struct"
Previous message: Michal Hocko: "[PATCH] fs: handle shrinker registration failure in sget_userns"
In reply to: Luis R. Rodriguez: "Re: [Fwd: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]