Re: [RFC v3 2/2] firmware: add firmware signature checking support

From: Luis R. Rodriguez
Date: Tue May 19 2015 - 12:31:25 EST


On Tue, May 19, 2015 at 11:02:44AM +0100, David Howells wrote:
> Luis R. Rodriguez <mcgrof@xxxxxxxxxxxxxxxx> wrote:
>
> > +The kernel firmware signing facility enables to cryptographically sign
> > +firmware files on a system using the same keys used for module signing.
> > +Firmware files's signatures consist of PKCS#7 messages of the respective
> > +firmware file. A firmware file named foo.bin, would have its respective
> > +signature on the filesystem as foo.bin.p7s. When firmware signature
> > +checking is enabled (FIRMWARE_SIG) and when one of the above APIs is used
> > +against foo.bin, the file foo.bin.p7s will also be looked for. If
> > +FIRMWARE_SIG_FORCE is enabled the foo.bin file will only be allowed to
> > +be returned to callers of the above APIs if and only if the foo.bin.p7s
> > +file is confirmed to be a valid signature of the foo.bin file. If
> > +FIRMWARE_SIG_FORCE is not enabled and only FIRMWARE_SIG is enabled the
> > +kernel will be permissive and enabled unsigned firmware files, or firmware
> > +files with incorrect signatures. If FIRMWARE_SIG is not enabled the
> > +signature file is ignored completely.
>
> I'd rework this paragraph somewhat. How about:
>

<-- snip -->

Looks sexy, taken word for word, thanks!

Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/