On 09/10/2013 12:17 PM, David Lang wrote:
>>
>> In theory these blobs are traceable to a manufacturer. It's not really
>> an indication that it's "safe" more than it's an indication that it
>> hasn't been changed. But I haven't chased this very hard yet because
>> of below...
>
> well, not if you are trying to defend against root breaking in to the
> machine.
>

And we have at least some drivers where we even have the firmware in the
Linux kernel tree, and thus aren't opaque blobs at all.

I suspect we'll need, at some point, a way for vendors that aren't
already doing signatures on their firmware in a device-specific way to
do so in a kernel-supported way. The easiest (in terms of getting
vendors to play along, not necessarily technically) might be a PGP
signature (either inline or standalone) and have the public key as part
of the driver?

	-hpa