Date: Wed, 27 Jul 2016 11:36:08 -0700
From: Andy Lutomirski
To: Stephen Hemminger
Cc: Mark Brown, ksummit-discuss@lists.linuxfoundation.org, Jason Cooper
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: Last minute nominations: mcgrof and toshi

On Jul 27, 2016 11:16 AM, "Stephen Hemminger" wrote:
>
> On Wed, 27 Jul 2016 14:04:06 +0000
> Jason Cooper wrote:
>
> > Hi David,
> >
> > On Tue, Jul 26, 2016 at 03:42:18PM +0100, David Woodhouse wrote:
> > > On Sat, 2016-07-16 at 01:52 +0100, Mark Brown wrote:
> > > > On Fri, Jul 15, 2016 at 03:57:51PM -0400, Mimi Zohar wrote:
> > > >
> > > > > Oops, "Signature management - keys, modules, firmware" was a
> > > > > suggestion from last year, but in my opinion still very apropos.
> > > >
> > > > Yup, definitely - especially with secure boot starting to firm up on
> > > > the ARM side there's a bunch more interest in it from more embedded
> > > > applications.
> > >
> > > Are we going to propose this again "formally" (i.e. sufficiently
> > > clearly that the committee take note and consider it)?
> >
> > $subject modified.
> >
> > > If so, I would also be keen to participate.
> >
> > Myself as well.  I've often wondered about devicetree signing.  Since it
> > needs to be modified by the bootloader in a lot of cases (RAM size,
> > cmdline, etc), but a malicious modification would be to remove the TPM
> > node. :-)
>
> I am interested in this as well because of issues in creating secure guests.
>

I'm interested in this, too.
