Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown
From: Alan Cox
Date: Thu Dec 07 2017 - 10:33:04 EST
> I am curious though, is the above notion of having hardware require signed
> firmware an implication brought down by UEFI? If so do you have any pointers
> to where this is stipulated? Or is it just a best practice we assume some
> manufacturers are implementing?
It's a mix of best practice and meeting the so called 'secure boot'
requirements. In the non Linux space exactly the same problems exist in
terms of trusting devices and firmware, building a root of trust and even
more so when producing 'hardened' platforms.
Some stuff isn't - USB devices for example don't get to pee on random
memory so often isn't signed.
Alan