Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown
From: Matthew Garrett <hidden>
Date: 2017-11-14 20:55:29
Also in:
linux-efi, lkml
On Tue, Nov 14, 2017 at 3:50 PM, Luis R. Rodriguez [off-list ref] wrote:
> On Tue, Nov 14, 2017 at 12:18:54PM -0800, Linus Torvalds wrote:
> > This is all theoretical security masturbation. The _real_ attacks have been elsewhere.
>
> In my research on this front I'll have to agree with this, in terms of justification, and there are only *two* arguments which I've so far found to justify firmware signing:
>
> a) If you want signed modules, you therefore should want signed firmware. This however seems to be solved by using trusted boot thing, given it seems trusted boot requires having firmware be signed as well. (Docs would be useful to get about where in the specs this is mandated, anyone?). Are there platforms that don't have trusted boot or for which they don't enforce hardware checking for signed firmware for which we still want to support firmware signing for? Are there platforms that require and use module signing but don't and won't have a trusted boot of some sort? Do we care?
TPM-backed Trusted Boot means you don't /need/ to sign anything, since the measurements of what you loaded will end up in the TPM. But signatures make it a lot easier, since you can just assert that only signed material will be loaded and so you only need to measure the kernel and the trusted keys.
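The two attestation strategies contrasted in the reply, modelled as an added example (not code from the kernel, the patch series, or either author): TPM PCR extend semantics are real (PCR' = H(PCR || H(blob))), but the trusted key, the firmware blobs and the HMAC-based "signature" check are constructed stand-ins so the model runs offline; a real system uses asymmetric signatures against a measured key database.

```python
# Added example: measure-everything vs signature-gated loading, both
# feeding a single PCR. Constructed model, not kernel or TPM driver code.
import hashlib
import hmac
from typing import List, Optional, Tuple

INITIAL_PCR = bytes(32)  # PCRs are all-zero after a TPM reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(blob)). Order matters."""
    return sha256(pcr + sha256(blob))


def measure_everything(kernel: bytes, firmware_blobs: List[bytes]) -> bytes:
    """Strategy 1: extend every firmware blob that gets loaded.

    The resulting PCR value depends on the exact set and order of blobs,
    so any firmware update changes what an attestation policy must expect."""
    pcr = pcr_extend(INITIAL_PCR, kernel)
    for blob in firmware_blobs:
        pcr = pcr_extend(pcr, blob)
    return pcr


def sign_blob(trusted_key: bytes, blob: bytes) -> bytes:
    """Constructed stand-in for a vendor signature (HMAC, not asymmetric)."""
    return hmac.new(trusted_key, blob, hashlib.sha256).digest()


def verify_signature(trusted_key: bytes, blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_blob(trusted_key, blob), sig)


def signature_gated(kernel: bytes, trusted_key: bytes,
                    firmware_blobs: List[Tuple[bytes, bytes]]) -> Optional[bytes]:
    """Strategy 2: measure only the kernel and the trusted key material,
    then refuse to load any blob whose signature does not verify.

    Returns the PCR value, or None if a blob was rejected. The PCR stays
    stable across signed firmware updates because the payloads are never
    measured, only the policy that gates them."""
    pcr = pcr_extend(INITIAL_PCR, kernel)
    pcr = pcr_extend(pcr, trusted_key)  # measures H(key), the policy root
    for blob, sig in firmware_blobs:
        if not verify_signature(trusted_key, blob, sig):
            return None  # unsigned or tampered firmware: load refused
    return pcr
```

Run against constructed blobs, the measure-everything PCR changes whenever a blob or its load order changes, while the signature-gated PCR is identical for any set of validly signed blobs and loading fails closed on a bad signature.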