Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown
From: Alan Cox
Date: Fri Dec 08 2017 - 12:14:18 EST
> One is to get more and more folks reverse engineer firmware. This won't help
> if you can't deploy unsigned firmware though. But you have to also look at it
Oh I think it will. From the experience with things like games consoles
most firmware is such a complete pile of s**t that you'll be able to
exploit it to load your own firmware through the bugs, and at the very
least after the 200th CVE against their firmware the vendor's direct
customers may be a bit fed up and demand proper process and visibility 8)
It's always going to be in tension though - because there is firmware you
really don't want people replacing maliciously, such as battery control,
or thermal protection.
Alan