Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

Luis R. Rodriguez mcgrof at kernel.org
Mon Nov 13 19:08:48 UTC 2017


On Mon, Nov 13, 2017 at 07:50:35PM +0100, Luis R. Rodriguez wrote:
> On Fri, Nov 10, 2017 at 08:45:06AM -0500, Mimi Zohar wrote:
> It does not mean we don't have to support hashes from the start, we can,
> however that could require a driver change where its hash is specified or
> preferred, for instance.

Actually the pseudo code I just demo'd on your RFC proposal shows how we
could support the hashes for firmware an optional first policy and if that
fails check the fw signature if present. So no driver changes would be
needed other than key'ing a respective hash for the firmware, which can
just be a macro driver addition, not an API call change.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list