On Thu, 2015-05-21 at 10:02 -0700, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> Again, why have a detached signature and not just part of the firmware
> blob? The device needs to be caring about this, not the kernel.
>
> Do other operating systems have this type of "feature"?

Yes. Windows effectively does by virtue of the fact that it ships the firmware *with* the driver and even if it's in a separate file (which it often isn't), the signed manifest covers it all together.

Look at it this way: If you don't have an IOMMU, then signing modules is *utterly* pointless unless you also sign firmware. A rogue device can do *anything*.

We really do want firmware signing for the *OS*, not just for regulatory issues and other vendor-interest stuff which was Luis's original focus.

--
David Woodhouse
Open Source Technology Centre
David.Woodhouse@xxxxxxxxx
Intel Corporation