Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

From: Alan Cox
Date: Thu Dec 07 2017 - 10:33:04 EST

Next message: Andrew Lunn: "Re: [PATCH net-next v2 5/8] net: phy: meson-gxl: detect LPA corruption"
Previous message: Ville Syrjälä: "Re: [Intel-gfx] [PATCH] drm/i915: Increase max texture to 16k for gen9+"
In reply to: Luis R. Rodriguez: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Pavel Machek: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I am curious though, is the above notion of having hardware require signed
> firmware an implication brought down by UEFI? If so do you have any pointers
> to where this is stipulated? Or is it just a best practice we assume some
> manufacturers are implementing?

It's a mix of best practice and meeting the so called 'secure boot'
requirements. In the non Linux space exactly the same problems exist in
terms of trusting devices and firmware, building a root of trust and even
more so when producing 'hardened' platforms.

Some stuff isn't - USB devices for example don't get to pee on random
memory so often isn't signed.

Alan

Next message: Andrew Lunn: "Re: [PATCH net-next v2 5/8] net: phy: meson-gxl: detect LPA corruption"
Previous message: Ville Syrjälä: "Re: [Intel-gfx] [PATCH] drm/i915: Increase max texture to 16k for gen9+"
In reply to: Luis R. Rodriguez: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Pavel Machek: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]