Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

From: Linus Torvalds
Date: Tue Nov 14 2017 - 12:34:44 EST

Next message: Johan Hovold: "Re: [PATCH] PCI: keystone: fix interrupt-controller-node lookup"
Previous message: Yang Shi: "Re: [PATCH v2] fs: fsnotify: account fsnotify metadata to kmemcg"
In reply to: Mimi Zohar: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Matthew Garrett: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 14, 2017 at 4:21 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2017-11-13 at 14:09 -0800, Linus Torvalds wrote:
>>
>> Seriously, if you have firmware in /lib/firmware, and you don't trust
>> it, what the hell are you doing?
>
> I might "trust" the files in /lib/firmware, but I also want to make
> sure that they haven't changed. File signatures provide file
> provenance and integrity guarantees.

Sure. But that has absolutely nothing to do with "firmware".

It is equally true of /usr/bin/* and pretty much everything in the system.

It's this insane "firmware is special" that I disagree with. It's not
special at all.

Linus

Next message: Johan Hovold: "Re: [PATCH] PCI: keystone: fix interrupt-controller-node lookup"
Previous message: Yang Shi: "Re: [PATCH v2] fs: fsnotify: account fsnotify metadata to kmemcg"
In reply to: Mimi Zohar: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Next in thread: Matthew Garrett: "Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]