[PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware
From: mcgrof@kernel.org (Luis R. Rodriguez)
Date: 2018-05-15 03:26:56
Also in:
linux-integrity, linux-wireless, lkml
On Mon, May 14, 2018 at 10:02:31PM -0400, Mimi Zohar wrote:
On Mon, 2018-05-14 at 19:28 +0000, Luis R. Rodriguez wrote:quoted
quoted
- CONFIG_IMA_APPRAISE is not fine enough grained. The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. ?Similar Kconfig options will require kernel modules, kexec'ed image, and the IMA policy to be signed.Sure, it is still unclear to me if CONFIG_IMA_APPRAISE_FIRMWARE will be doing firmware verification in userspace or in the kernel.The kernel is verifying signatures.quoted
quoted
There are a number of reasons that the kernel should be verifying firmware signatures (eg. requiring a specific version of the firmware, that was locally signed).Oh I agree, Linux enterprise distributions also have a strong reason to have this, so that for instance we only trust and run vendor-approved signed firmware. Otherwise the driver should reject the firmware. Every now and then enterprise distros may run into cases were certain customers may run oddball firmwares, and its unclear if we expect proper functionality with that firmware. Having some form of firmware signing would help with this pipeline, but this is currently dealt with at the packaging, and noting other than logs ensures the driver is using an intended firmware. But these needs *IMHO* have not been enough to push to generalize a kernel firmware signing facility.In order for IMA-appraisal to verify firmware signatures, the signatures need to be distributed with the firmware. ?Perhaps this will be enough of an incentive for distros to start including firmware signatures in the packages.
Best to poke the maintainers about that... We have been sending mixed messages about firmware signing over years now. Josh, heads up the new one is we can do firmware signing through IMA future CONFIG_IMA_APPRAISE_FIRMWARE. I'll bounce you a few emails related to this.
quoted
If CONFIG_IMA_APPRAISE_FIRMWARE is going to provide this functionality somehow I'm happy to hear it.The functionality has been there since commit 5a9196d ("ima: add support for measuring and appraising firmware"). ?The security_kernel_fw_from_file() hook was later replaced with the generic security_kernel_read_file() hook.
Groovy, its unclear from the code on that commit how this is done, so I suppose I need to study this a bit more. Josh, do you grok it? Luis -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html