[RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware
Mimi Zohar
zohar at linux.vnet.ibm.com
Thu Nov 23 11:55:36 UTC 2017
On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:
> I've frankly grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that it's out of the way and
> we open coded it, it's no longer a requirement on my part.
As the keys CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel
image, they would be included in the kernel image signature.
As I previously asked https://lkml.org/lkml/2017/11/15/679, how are
the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted?
The keyring does not validate the certificate signatures before
loading the keys on the firmware keyring. It explicitly bypasses the
certificate signature validation.
Mimi