Re: [PATCH 00/27] security, efi: Add kernel lockdown

From: Mimi Zohar
Date: Thu Nov 02 2017 - 18:01:40 EST

Next message: David Howells: "Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Previous message: David Howells: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Next in thread: David Howells: "Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi David,

>From the man page:

> Only validly signed modules may be loaded.
> .P
> Only validly signed binaries may be kexec'd.
> .P
> Only validly signed device firmware may be loaded.

fw_get_filesystem_firmware() calls kernel_read_file_from_path() to
read the firmware, which calls into the security hooks. Is there
another place that validates the firmware signatures. ÂI'm not seeing
which patch requires firmware to be signed?

Mimi

Next message: David Howells: "Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Previous message: David Howells: "Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down"
Next in thread: David Howells: "Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]