Re: [RFC PATCH v2] fw_lockdown: new micro LSM module to prevent loading unsigned firmware
From: Mimi Zohar
Date: Thu Nov 23 2017 - 06:55:56 EST
On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:
> I've frankly have grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that its out of the way and
> we open coded it, its no longer a requirement on my part.
As the keys CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel
image, they would be included in the kernel image signature.
As I previously askedÂhttps://lkml.org/lkml/2017/11/15/679, how are
the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted?
ÂThe keyring does not validate the certificate signatures, before
loading the keys on the firmware keyring. ÂIt explicitly bypasses the
certificate signature validation.
Mimi