Re: [RFC v2 6/6] firmware: add firmware signature checking support
From: Julian Calaby
Date: Wed May 13 2015 - 20:32:19 EST
On Thu, May 14, 2015 at 4:23 AM, Luis R. Rodriguez
> From: "Luis R. Rodriguez" <mcgrof@xxxxxxxx>
> Systems that have module signing currently enabled may
> wish to extend vetting of firmware passed to the kernel
> as well. We can re-use most of the code for module signing
> for firmware signature verification and signing. This will
> also later enable re-use of this same code for subsystems
> that wish to provide their own cryptographic verification
> mechanisms on userspace data needed.
> As with module signing, we do a very simple search for a
> particular string appended to the firmware. There's both a
> config option and a boot parameter which control whether we
> accept or fail with unsigned firmware and firmware that are
> signed with an unknown key.
> If firmware signing is enabled, the kernel will be tainted
> if a firmware is loaded that is unsigned or has a signature
> for which we don't have the key.
> Cc: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Ming Lei <ming.lei@xxxxxxxxxxxxx>
> Cc: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>
> Cc: Kyle McMartin <kyle@xxxxxxxxxx>
> Signed-off-by: Luis R. Rodriguez <mcgrof@xxxxxxxx>
> Documentation/firmware_class/signing.txt | 88 +++++++++
> drivers/base/Kconfig | 18 ++
> drivers/base/firmware_class.c | 214 ++++++++++++++++++++-
> .../sysdata-internal.h => include/linux/sysdata.h | 0
> kernel/module.c | 2 +-
> kernel/sysdata_signing.c | 3 +-
> kernel/system_keyring.c | 2 +-
> 7 files changed, 317 insertions(+), 10 deletions(-)
> create mode 100644 Documentation/firmware_class/signing.txt
> rename kernel/sysdata-internal.h => include/linux/sysdata.h (100%)
> diff --git a/Documentation/firmware_class/signing.txt b/Documentation/firmware_class/signing.txt
> new file mode 100644
> index 0000000..6e1ce3c
> --- /dev/null
> +++ b/Documentation/firmware_class/signing.txt
> @@ -0,0 +1,88 @@
> + ================================
> + KERNEL FIRMWARE SIGNING FACILITY
> + ================================
> + - Overview.
> + - Configuring firmware signing.
> + - Using signing keys.
> + - Signing firmware files.
> +Device drivers which require a firmware to be uploaded onto a device as its own
> +device's microcode use any of the following APIs:
> + * request_firmware()
> + * request_firmware_direct()
> + * request_firmware_nowait()
> +The kernel firmware signing facility enables to cryptographically sign
> +firmware files on a system using the same keys used for module signing.
> +Firmware files's signatures consist of PKCS#7 messages of the respective
> +firmware file. A firmware file named foo.bin, would have its respective
> +signature on the filesystem as foo.bin.pkcs7. When firmware signature
> +checking is enabled (FIRMWARE_SIG) when one of the above APIs is used
> +against foo.bin, the file foo.bin.pkcs7 will also be looked for. If
> +FIRMWARE_SIG_FORCE is enabled the foo.bin file will only be allowed to
> +be returned to callers of the above APIs if and only if the foo.bin.pkcs7
> +file is confirmed to be a valid signature of the foo.bin file. If
> +FIRMWARE_SIG_FORCE is not enabled and only FIRMWARE_SIG is enabled the
> +kernel will be permissive and enabled unsiged firmware files, or firmware
> +files with incorrect signatures. If FIRMWARE_SIG is not enabled the
> +signature file is ignored completely.
> +Firmware signing increases security by making it harder to load a malicious
> +firmware into the kernel. The firmware signature checking is done by the
> +kernel so that it is not necessary to have trusted userspace bits.
> +CONFIGURING FIRMWARE SIGNING
> +The firmware signing facility is enabled by going to the section:
> +-> Device Drivers
> + -> Generic Driver Options
> + -> Userspace firmware loading support (FW_LOADER [=y])
> + -> Firmware signature verification (FIRMWARE_SIG [=y])
> +If you want to not allow unsigned firmware to be loaded you should
> +"Require all firmware to be validly signed", under the same menu.
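Review bot: the permissive-mode sentence "+kernel will be permissive and enabled unsiged firmware files, or firmware / +files with incorrect signatures" is broader than the commit message, which says the config option and boot parameter decide how to treat unsigned firmware and firmware "signed with an unknown key"; a signature that is present but does not verify is a distinct case from a missing key, and signing.txt should state explicitly whether such a file is accepted, rejected, or accepted with a taint. The same paragraph should also mention the boot parameter and the kernel taint that the commit message describes, since a reader of this document has nowhere else to find them. Wording nits in the same hunk: "+The kernel firmware signing facility enables to cryptographically sign" reads better as "makes it possible to cryptographically sign", "Firmware files's signatures" should be "Firmware file signatures", "enabled unsiged" should be "allows unsigned", and "will only be allowed ... if and only if" is doubly qualified; one "only" is enough.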
You reference the relevant Kconfig symbols above, do you want to add
it here too?