At Tue, 6 Nov 2012 10:30:26 +0800,
Ming Lei wrote:
>
> On Tue, Nov 6, 2012 at 1:18 AM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> >
> > To be noted, it doesn't support the firmwares via udev but only the
> > direct loading, and the check for built-in firmware is missing, too.
>
> Generally, both direct loading and udev may request one same firmware
> image. And after check failed, current firmware load will fallback on udev
> to complete loading, so looks a check-failed firmware still can be loaded
> into kernel no matter if there is firmware signature check or not.

Yeah, it's just uncovered in the patch. As an easy solution, apply
the patch like below to disallow the udev fw loading when signature
check is enforced.


thanks,

Takashi

---
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 575bc4c..93121c3 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -912,6 +912,13 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent, goto handle_fw; } + /* signature check isn't handled via udev fw loading */ + if (sig_enforce) { + fw_load_abort(fw_priv); + direct_load = 1; + goto handle_fw; + } + /* fall back on userspace loading */ buf->fmt = PAGE_BUF;
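
Review bot: In the new "if (sig_enforce)" branch, direct_load = 1 is set on a path where the direct load did not succeed, and no error code is assigned in the visible lines before "goto handle_fw". Please confirm that the caller gets a failure return here rather than relying on whatever state fw_load_abort(fw_priv) leaves behind, and either add a comment saying the flag is being used only to skip the udev path or use a separate flag for that. A log message stating that the userspace fallback was refused because signature enforcement is on would also help when diagnosing a firmware that fails to load. The built-in firmware case raised earlier in the thread is not touched by this hunk.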