On Tue, Sep 10, 2013 at 11:26 AM, Matthew Garrett <matthew.garrett@xxxxxxxxxx> wrote:
> On Tue, 2013-09-10 at 14:23 -0300, Henrique de Moraes Holschuh wrote:
>> On Tue, 10 Sep 2013, Matthew Garrett wrote:
>> > That's why modern systems require signed firmware updates.
>>
>> Linux doesn't. Is someone working on adding signature support to the
>> runtime firmware loader?

I feel like there was maybe confusion here between "boot loader" firmware (PC-BIOS, UEFI, etc), and device (maybe "component" is a better term to distinguish this?) firmware (network cards, hard drives, etc). Boot loader firmware has been moving rapidly toward verified updates. This is true in many many shipping systems. It is much less true for component firmware.

> It'd be simple to do so, but so far the model appears to be that devices
> that expect signed firmware enforce that themselves.

Yeah, the unfortunate reality is that for full sanity, it is components themselves that need to be doing this signature validation. That said, adding signature (or similar "origin" verification) to the kernel is a good first step to move the trust from uid-0 up to ring-0. I've had this on my TODO list for a while now. It remains a potential hole, but since a solution doesn't exist today, it's outside of what Matthew's patch series does. I would, however, expect that in the future when component firmware loading includes origin verification, it would become required when running with the "lock down the world" setting.

-Kees

--
Kees Cook
Chrome OS Security