From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752650AbdKMLuK (ORCPT ); Mon, 13 Nov 2017 06:50:10 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:41190 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752397AbdKMLuJ (ORCPT ); Mon, 13 Nov 2017 06:50:09 -0500 Subject: Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown From: Mimi Zohar To: Alan Cox , "AKASHI, Takahiro" Cc: "Luis R. Rodriguez" , Greg Kroah-Hartman , Linus Torvalds , Jan Blunck , Julia Lawall , David Howells , Marcus Meissner , Gary Lin , linux-security-module@vger.kernel.org, linux-efi , linux-kernel@vger.kernel.org, Matthew Garrett Date: Mon, 13 Nov 2017 06:49:55 -0500 In-Reply-To: <20171111023240.2398ca55@alans-desktop> References: <1509660086.3416.15.camel@linux.vnet.ibm.com> <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> <14219.1509660259@warthog.procyon.org.uk> <1509660641.3416.24.camel@linux.vnet.ibm.com> <20171107230700.GJ22894@wotan.suse.de> <20171108061551.GD7859@linaro.org> <20171108194626.GQ22894@wotan.suse.de> <20171109014841.GF7859@linaro.org> <1510193857.4484.95.camel@linux.vnet.ibm.com> <20171109044619.GG7859@linaro.org> <20171111023240.2398ca55@alans-desktop> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 17111311-0040-0000-0000-000003EDA75E X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17111311-0041-0000-0000-000025F0541E Message-Id: <1510573795.3404.113.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-11-13_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1711130166 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 2017-11-11 at 02:32 +0000, Alan Cox wrote: > > My assumption here is: > > 1) there are some less important and so security-insensitive firmwares, > > by which I mean that such firmwares won't be expected to be signed in > > terms of vulnerability or integrity. > > (I can't give you examples though.) > > 2) firmware's signature will be presented separately from the firmware > > blob itself. Say, "firmware.bin.p7s" for "firmware.bin" > > For x86 at least any firmware on any system modern enough to support > 'secure' boot should already be signed. The only major exception is > likely to be for things like random USB widgets. Does this mean that the firmware signature is contained within the firmware?  On Linux, is anything verifying this signature?  Or is this the hw verifying the firmware's signature? > Even things like input controller firmware loaded over i2c or spi > is usually signed because you could do fun things with input faking > otherwise. > > The other usual exception is FPGAs, but since the point of an FPGA is > usually the fact it *can* be reprogrammed it's not clear that signing > FPGA firmware makes sense unless it is designed to be fixed function. > > You can't subvert the bus protocols on the x86 FPGA I am aware of as > those bits are signed (or hard IP), but without IOMMU I am not sure FPGA > and 'secure' boot is completely compatible. Ok, but why differentiate between "fixed" and research/development FPGA functions?  In both cases, the FPGA firmware would need to be signed locally.  Wouldn't this be similar to kernel developers building their own kernels and signing the kernel modules? Mimi