On Mon, Nov 13, 2017 at 07:50:35PM +0100, Luis R. Rodriguez wrote: > On Fri, Nov 10, 2017 at 08:45:06AM -0500, Mimi Zohar wrote: > It does not mean we don't have to support hashes from the start, we can, > however that could require a driver change where its hash is specified or > preferred, for instance. Actually the pseudo code I just demo'd on your RFC proposal shows how we could support the hashes for firmware an optional first policy and if that fails check the fw signature if present. So no driver changes would be needed other than key'ing a respective hash for the firmware, which can just be a macro driver addition, not an API call change. Luis -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
