From: Takashi Iwai <tiwai-l3A5Bk7waGM@public.gmane.org>
To: Matthew Garrett <mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Wed, 31 Oct 2012 18:28:16 +0100 [thread overview]
Message-ID: <s5hobjia6vj.wl%tiwai@suse.de> (raw)
In-Reply-To: <20121029174131.GC7580-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
At Mon, 29 Oct 2012 17:41:31 +0000,
Matthew Garrett wrote:
>
> On Mon, Oct 29, 2012 at 08:49:41AM +0100, Jiri Kosina wrote:
> > On Thu, 20 Sep 2012, Matthew Garrett wrote:
> >
> > > This is pretty much identical to the first patchset, but with the capability
> > > renamed (CAP_COMPROMISE_KERNEL) and the kexec patch dropped. If anyone wants
> > > to deploy these then they should disable kexec until support for signed
> > > kexec payloads has been merged.
> >
> > Apparently your patchset currently doesn't handle device firmware loading,
> > nor do you seem to mention in in the comments.
>
> Correct.
>
> > I believe signed firmware loading should be put on plate as well, right?
>
> I think that's definitely something that should be covered. I hadn't
> worried about it immediately as any attack would be limited to machines
> with a specific piece of hardware, and the attacker would need to expend
> a significant amount of reverse engineering work on the firmware - and
> we'd probably benefit from them doing that in the long run...
request_firmware() is used for microcode loading, too, so it's fairly
a core part to cover, I'm afraid.
I played a bit about this yesterday. The patch below is a proof of
concept to (ab)use the module signing mechanism for firmware loading
too. Sign firmware files via scripts/sign-file, and put to
/lib/firmware/signed directory.
It's just a rough cut, and the module options are other pieces there
should be polished better, of course. Also another signature string
should be better for firmware files :)
Takashi
---
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index b34b5cd..2bc8415 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -145,6 +145,12 @@ config EXTRA_FIRMWARE_DIR
this option you can point it elsewhere, such as /lib/firmware/ or
some other directory containing the firmware files.
+config FIRMWARE_SIG
+ bool "Firmware signature check"
+ depends on FW_LOADER && MODULE_SIG
+ help
+ Check the embedded signature of firmware files like signed modules.
+
config DEBUG_DRIVER
bool "Driver Core verbose debug messages"
depends on DEBUG_KERNEL
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 8945f4e..81fc8a4 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -268,6 +268,12 @@ static void fw_free_buf(struct firmware_buf *buf)
/* direct firmware loading support */
static const char *fw_path[] = {
+#ifdef CONFIG_FIRMWARE_SIG
+ "/lib/firmware/updates/" UTS_RELEASE "/signed",
+ "/lib/firmware/updates/signed",
+ "/lib/firmware/" UTS_RELEASE "/signed",
+ "/lib/firmware/signed",
+#endif
"/lib/firmware/updates/" UTS_RELEASE,
"/lib/firmware/updates",
"/lib/firmware/" UTS_RELEASE,
@@ -844,6 +850,41 @@ exit:
return fw_priv;
}
+#ifdef CONFIG_FIRMWARE_SIG
+/* XXX */
+extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
+
+static bool sig_enforce;
+module_param(sig_enforce, bool, 0444);
+
+static int firmware_sig_check(struct firmware_buf *buf)
+{
+ unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ long len;
+ int err;
+
+ len = buf->size - markerlen;
+ if (len <= 0 ||
+ memcmp(buf->data + len, MODULE_SIG_STRING, markerlen)) {
+ pr_debug("%s: no signature found\n", buf->fw_id);
+ return sig_enforce ? -ENOKEY : 0;
+ }
+ err = mod_verify_sig(buf->data, &len);
+ if (err < 0) {
+ pr_debug("%s: signature error: %d\n", buf->fw_id, err);
+ return err;
+ }
+ buf->size = len;
+ pr_debug("%s: signature OK!\n", buf->fw_id);
+ return 0;
+}
+#else
+static inline int firmware_sig_check(struct firmware_buf *buf)
+{
+ return 0;
+}
+#endif
+
static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent,
long timeout)
{
@@ -909,6 +950,9 @@ handle_fw:
if (!buf->size || test_bit(FW_STATUS_ABORT, &buf->status))
retval = -ENOENT;
+ if (!retval)
+ retval = firmware_sig_check(buf);
+
/*
* add firmware name into devres list so that we can auto cache
* and uncache firmware for device.
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index ea1b1df..c39f49b 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -11,6 +11,7 @@
#include <linux/kernel.h>
#include <linux/err.h>
+#include <linux/export.h>
#include <crypto/public_key.h>
#include <crypto/hash.h>
#include <keys/asymmetric-type.h>
@@ -247,3 +248,4 @@ error_put_key:
pr_devel("<==%s() = %d\n", __func__, ret);
return ret;
}
+EXPORT_SYMBOL_GPL(mod_verify_sig);
WARNING: multiple messages have this Message-ID (diff)
From: Takashi Iwai <tiwai@suse.de>
To: Matthew Garrett <mjg@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Wed, 31 Oct 2012 18:28:16 +0100 [thread overview]
Message-ID: <s5hobjia6vj.wl%tiwai@suse.de> (raw)
In-Reply-To: <20121029174131.GC7580@srcf.ucam.org>
At Mon, 29 Oct 2012 17:41:31 +0000,
Matthew Garrett wrote:
>
> On Mon, Oct 29, 2012 at 08:49:41AM +0100, Jiri Kosina wrote:
> > On Thu, 20 Sep 2012, Matthew Garrett wrote:
> >
> > > This is pretty much identical to the first patchset, but with the capability
> > > renamed (CAP_COMPROMISE_KERNEL) and the kexec patch dropped. If anyone wants
> > > to deploy these then they should disable kexec until support for signed
> > > kexec payloads has been merged.
> >
> > Apparently your patchset currently doesn't handle device firmware loading,
> > nor do you seem to mention in in the comments.
>
> Correct.
>
> > I believe signed firmware loading should be put on plate as well, right?
>
> I think that's definitely something that should be covered. I hadn't
> worried about it immediately as any attack would be limited to machines
> with a specific piece of hardware, and the attacker would need to expend
> a significant amount of reverse engineering work on the firmware - and
> we'd probably benefit from them doing that in the long run...
request_firmware() is used for microcode loading, too, so it's fairly
a core part to cover, I'm afraid.
I played a bit about this yesterday. The patch below is a proof of
concept to (ab)use the module signing mechanism for firmware loading
too. Sign firmware files via scripts/sign-file, and put to
/lib/firmware/signed directory.
It's just a rough cut, and the module options are other pieces there
should be polished better, of course. Also another signature string
should be better for firmware files :)
Takashi
---
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index b34b5cd..2bc8415 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -145,6 +145,12 @@ config EXTRA_FIRMWARE_DIR
this option you can point it elsewhere, such as /lib/firmware/ or
some other directory containing the firmware files.
+config FIRMWARE_SIG
+ bool "Firmware signature check"
+ depends on FW_LOADER && MODULE_SIG
+ help
+ Check the embedded signature of firmware files like signed modules.
+
config DEBUG_DRIVER
bool "Driver Core verbose debug messages"
depends on DEBUG_KERNEL
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 8945f4e..81fc8a4 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -268,6 +268,12 @@ static void fw_free_buf(struct firmware_buf *buf)
/* direct firmware loading support */
static const char *fw_path[] = {
+#ifdef CONFIG_FIRMWARE_SIG
+ "/lib/firmware/updates/" UTS_RELEASE "/signed",
+ "/lib/firmware/updates/signed",
+ "/lib/firmware/" UTS_RELEASE "/signed",
+ "/lib/firmware/signed",
+#endif
"/lib/firmware/updates/" UTS_RELEASE,
"/lib/firmware/updates",
"/lib/firmware/" UTS_RELEASE,
@@ -844,6 +850,41 @@ exit:
return fw_priv;
}
+#ifdef CONFIG_FIRMWARE_SIG
+/* XXX */
+extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
+
+static bool sig_enforce;
+module_param(sig_enforce, bool, 0444);
+
+static int firmware_sig_check(struct firmware_buf *buf)
+{
+ unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ long len;
+ int err;
+
+ len = buf->size - markerlen;
+ if (len <= 0 ||
+ memcmp(buf->data + len, MODULE_SIG_STRING, markerlen)) {
+ pr_debug("%s: no signature found\n", buf->fw_id);
+ return sig_enforce ? -ENOKEY : 0;
+ }
+ err = mod_verify_sig(buf->data, &len);
+ if (err < 0) {
+ pr_debug("%s: signature error: %d\n", buf->fw_id, err);
+ return err;
+ }
+ buf->size = len;
+ pr_debug("%s: signature OK!\n", buf->fw_id);
+ return 0;
+}
+#else
+static inline int firmware_sig_check(struct firmware_buf *buf)
+{
+ return 0;
+}
+#endif
+
static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent,
long timeout)
{
@@ -909,6 +950,9 @@ handle_fw:
if (!buf->size || test_bit(FW_STATUS_ABORT, &buf->status))
retval = -ENOENT;
+ if (!retval)
+ retval = firmware_sig_check(buf);
+
/*
* add firmware name into devres list so that we can auto cache
* and uncache firmware for device.
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index ea1b1df..c39f49b 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -11,6 +11,7 @@
#include <linux/kernel.h>
#include <linux/err.h>
+#include <linux/export.h>
#include <crypto/public_key.h>
#include <crypto/hash.h>
#include <keys/asymmetric-type.h>
@@ -247,3 +248,4 @@ error_put_key:
pr_devel("<==%s() = %d\n", __func__, ret);
return ret;
}
+EXPORT_SYMBOL_GPL(mod_verify_sig);
next prev parent reply other threads:[~2012-10-31 17:28 UTC|newest]
Thread overview: 320+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-20 14:40 [RFC] Second attempt at kernel secure boot support Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 01/10] Secure boot: Add new capability Matthew Garrett
2012-09-28 3:10 ` Serge Hallyn
[not found] ` <1348152065-31353-2-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-20 0:15 ` joeyli
2012-10-20 0:15 ` joeyli
2012-10-20 9:02 ` Matt Fleming
2012-09-20 14:40 ` [PATCH V2 02/10] PCI: Lock down BAR access in secure boot environments Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 03/10] x86: Lock down IO port " Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem in secure boot setups Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2012-09-20 16:32 ` Greg KH
2012-09-20 17:40 ` Josh Boyer
2012-09-25 13:08 ` [PATCH V3 " Josh Boyer
[not found] ` <20120925130818.GE18546-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2012-10-29 9:00 ` joeyli
2012-10-29 9:00 ` joeyli
2012-10-30 17:48 ` Josh Boyer
2012-10-30 19:27 ` joeyli
2012-09-21 8:20 ` [PATCH V2 " joeyli
2012-09-28 3:20 ` Serge Hallyn
2012-09-20 14:41 ` [PATCH V2 08/10] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2012-09-28 3:21 ` Serge Hallyn
[not found] ` <1348152065-31353-9-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-22 13:22 ` Matt Fleming
2012-10-22 13:22 ` Matt Fleming
2012-09-20 14:41 ` [PATCH V2 09/10] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 10/10] SELinux: define mapping for new Secure Boot capability Matthew Garrett
2012-09-21 22:55 ` [RFC] Second attempt at kernel secure boot support Eric W. Biederman
2012-09-22 15:21 ` Matthew Garrett
[not found] ` <1348152065-31353-1-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-29 7:49 ` Jiri Kosina
2012-10-29 7:49 ` Jiri Kosina
[not found] ` <alpine.LRH.2.00.1210290848450.10392-1ReQVI26iDCaZKY3DrU6dA@public.gmane.org>
2012-10-29 17:41 ` Matthew Garrett
2012-10-29 17:41 ` Matthew Garrett
2012-10-31 14:50 ` Jiri Kosina
2012-10-31 14:54 ` Josh Boyer
[not found] ` <CA+5PVA63EHiXbGAox+FmJPvztSj_i7QgnDG8vdj=p0xE+dqgGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-10-31 14:59 ` Shea Levy
2012-10-31 14:59 ` Shea Levy
2012-10-31 15:55 ` Alan Cox
2012-10-31 15:55 ` Alan Cox
[not found] ` <20121031155503.1aaf4c93-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 15:55 ` Jiri Kosina
2012-10-31 15:55 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1210311653080.12781-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-10-31 17:03 ` Alan Cox
2012-10-31 17:03 ` Alan Cox
[not found] ` <20121031170334.59833fb1-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:17 ` Alan Cox
2012-10-31 17:10 ` Matthew Garrett
2012-10-31 17:21 ` Alan Cox
[not found] ` <20121031172121.14cc1215-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:39 ` Alan Cox
2012-10-31 17:37 ` Matthew Garrett
[not found] ` <20121031173750.GB18615-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:45 ` Matthew Garrett
2012-10-31 20:14 ` Oliver Neukum
2012-10-31 21:58 ` Chris Friesen
[not found] ` <50919EED.3020601-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:19 ` Oliver Neukum
2012-11-01 9:08 ` James Bottomley
[not found] ` <1351760905.2391.19.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 9:20 ` Jiri Kosina
2012-11-01 9:20 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211011017230.6606-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-01 9:38 ` James Bottomley
2012-11-01 9:38 ` James Bottomley
[not found] ` <1351762703.2391.31.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:59 ` James Bottomley
2012-11-01 10:06 ` Jiri Kosina
[not found] ` <1351763954.2391.37.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:42 ` James Bottomley
[not found] ` <1351780935.2391.58.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 15:06 ` James Bottomley
[not found] ` <1351782390.2391.69.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 15:17 ` Eric Paris
2012-11-01 15:17 ` Eric Paris
2012-11-01 16:26 ` Matthew Garrett
2012-11-01 15:06 ` Alan Cox
[not found] ` <20121101150654.19efe0b5-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:40 ` Alan Cox
2012-11-01 14:59 ` Eric Paris
2012-11-01 15:11 ` Alan Cox
[not found] ` <CACLa4pvh3v3Mhq8oe3dzRL8ytBgmitPkCGUSfVCR5WdQopjRMQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-01 15:18 ` James Bottomley
2012-11-01 15:18 ` James Bottomley
[not found] ` <1351783096.2391.77.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 17:50 ` Eric Paris
2012-11-01 17:50 ` Eric Paris
2012-11-01 21:03 ` James Bottomley
2012-11-01 21:06 ` Matthew Garrett
2012-11-01 21:14 ` James Bottomley
2012-11-01 21:18 ` Matthew Garrett
2012-11-01 21:35 ` Alan Cox
2012-11-01 21:31 ` Alan Cox
2012-11-01 21:28 ` Matthew Garrett
[not found] ` <20121101212843.GA20309-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:34 ` Matthew Garrett
2012-11-01 21:58 ` Alan Cox
[not found] ` <20121101215817.79e50ec2-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-01 21:57 ` Matthew Garrett
2012-11-01 21:57 ` Matthew Garrett
[not found] ` <20121101215752.GA21154-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 14:00 ` Matthew Garrett
2012-11-02 22:03 ` Eric W. Biederman
[not found] ` <87liejacix.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-02 22:19 ` Chris Friesen
2012-11-02 22:19 ` Chris Friesen
2012-11-02 23:46 ` Alan Cox
2012-11-03 0:23 ` Matthew Garrett
2012-11-03 0:55 ` Alan Cox
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:47 ` Eric W. Biederman
2012-11-03 1:03 ` Alan Cox
2012-11-03 1:03 ` Alan Cox
[not found] ` <87sj8rwm0p.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 16:31 ` Alan Cox
2012-11-03 16:37 ` Matthew Garrett
2012-11-03 16:37 ` Eric Paris
[not found] ` <CACLa4pt3_Fc5fHKf=ihzV0zDb7zvCyzWp92YLakjGqL7MCaiEA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-03 16:42 ` Matthew Garrett
2012-11-03 16:42 ` Matthew Garrett
2012-11-02 17:19 ` Vivek Goyal
[not found] ` <CACLa4puzLR2om6SHw3wVnfZ1nezVsKOp8+705AdHZ4_=JamYfw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-01 14:46 ` Alan Cox
2012-11-01 14:46 ` Alan Cox
2012-11-01 15:04 ` Eric Paris
2012-11-01 20:27 ` Pavel Machek
2012-11-01 21:02 ` Chris Friesen
[not found] ` <5092E361.7080901-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-02 15:48 ` Vivek Goyal
2012-11-02 15:48 ` Vivek Goyal
[not found] ` <20121102154833.GG3300-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-11-02 16:54 ` Chris Friesen
2012-11-02 16:54 ` Chris Friesen
[not found] ` <5093FADA.2040004-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-02 17:03 ` Vivek Goyal
2012-11-02 17:03 ` Vivek Goyal
2012-11-03 23:09 ` Jiri Kosina
2012-11-03 23:09 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211040008280.24253-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-05 6:38 ` Eric W. Biederman
2012-11-05 6:38 ` Eric W. Biederman
[not found] ` <87390ok0zy.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 15:31 ` Jiri Kosina
2012-11-05 15:37 ` Chris Friesen
2012-11-05 18:22 ` Vivek Goyal
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:52 ` James Bottomley
[not found] ` <1351875164.2439.42.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 17:48 ` James Bottomley
2012-11-02 17:54 ` Matthew Garrett
[not found] ` <20121102175416.GA11816-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 17:57 ` James Bottomley
2012-11-02 17:57 ` James Bottomley
2012-11-02 18:04 ` Matthew Garrett
[not found] ` <20121102180458.GA12052-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 19:18 ` Eric Paris
2012-11-02 19:18 ` Eric Paris
2012-11-02 23:38 ` James Bottomley
2012-11-02 23:38 ` James Bottomley
2012-11-03 0:22 ` Matthew Garrett
2012-11-03 12:03 ` James Bottomley
2012-11-03 13:46 ` Matthew Garrett
[not found] ` <20121103134630.GA28166-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-03 22:56 ` James Bottomley
2012-11-03 22:56 ` James Bottomley
[not found] ` <1351983400.2417.21.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-04 4:28 ` Matthew Garrett
2012-11-04 4:28 ` Matthew Garrett
[not found] ` <20121104042802.GA11295-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-04 9:14 ` James Bottomley
2012-11-04 9:14 ` James Bottomley
2012-11-04 13:52 ` Matthew Garrett
[not found] ` <20121104135251.GA17894-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-05 6:14 ` Eric W. Biederman
2012-11-05 6:14 ` Eric W. Biederman
[not found] ` <87d2zsmv8r.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 7:12 ` H. Peter Anvin
2012-11-05 7:12 ` H. Peter Anvin
[not found] ` <509766DB.9090906-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2012-11-05 7:24 ` Eric W. Biederman
2012-11-05 7:24 ` Eric W. Biederman
[not found] ` <87625kh5r2.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 8:50 ` Eric W. Biederman
[not found] ` <87k3u0cu1k.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 12:38 ` Matthew Garrett
2012-11-05 12:38 ` Matthew Garrett
[not found] ` <20121105123858.GB4374-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-05 13:44 ` Alan Cox
2012-11-05 13:44 ` Alan Cox
[not found] ` <20121105134436.08993fd6-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 19:16 ` Eric W. Biederman
2012-11-05 19:16 ` Eric W. Biederman
[not found] ` <87sj8nc137.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 20:25 ` Matthew Garrett
2012-11-05 20:25 ` Matthew Garrett
2012-11-06 2:46 ` Eric W. Biederman
[not found] ` <87hap3zbw7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:36 ` Eric W. Biederman
2012-11-06 3:53 ` Matthew Garrett
[not found] ` <20121106035352.GA24698-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:34 ` Matthew Garrett
2012-11-06 7:56 ` Florian Weimer
2012-11-06 7:56 ` Florian Weimer
[not found] ` <878vafqi5q.fsf-ZqZwdwZz9NfTBotR3TxKnbNAH6kLmebB@public.gmane.org>
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:19 ` Jiri Kosina
[not found] ` <50992946.4060101-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:55 ` Matthew Garrett
2012-11-06 22:06 ` Florian Weimer
[not found] ` <87fw4mv11b.fsf-ZqZwdwZz9NfTBotR3TxKnbNAH6kLmebB@public.gmane.org>
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:49 ` Alan Cox
2012-11-06 22:47 ` Matthew Garrett
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A@mail.gmail.com>
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-07 14:55 ` Matthew Garrett
2012-11-07 14:55 ` Matthew Garrett
2012-11-08 10:18 ` James Courtier-Dutton
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A@mail.gmail.com>
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-08 11:19 ` Alan Cox
2012-11-08 11:19 ` Alan Cox
2012-11-06 9:12 ` Alan Cox
[not found] ` <20121106091217.4a5240f0-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 8:13 ` Valdis.Kletnieks
2012-11-05 8:20 ` James Bottomley
2012-11-05 8:20 ` James Bottomley
2012-11-05 12:36 ` Matthew Garrett
2012-11-05 12:36 ` Matthew Garrett
2012-11-04 11:53 ` Pavel Machek
2012-11-05 21:25 ` Florian Weimer
2012-11-02 14:55 ` Vivek Goyal
2012-11-01 10:12 ` Oliver Neukum
2012-11-01 10:12 ` Oliver Neukum
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 15:56 ` Matthew Garrett
[not found] ` <20121031155635.GA14294-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Shea Levy
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:10 ` Josh Boyer
2012-10-31 15:02 ` Matthew Garrett
[not found] ` <20121031150201.GA12394-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 15:05 ` Shea Levy
2012-10-31 15:05 ` Shea Levy
[not found] ` <50913E24.1010009-yfkUTty7RcRWk0Htik3J/w@public.gmane.org>
2012-10-31 15:09 ` Matthew Garrett
2012-10-31 15:09 ` Matthew Garrett
2012-11-06 12:51 ` Jiri Kosina
2012-11-06 12:51 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211061350100.24253-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-06 13:16 ` Matthew Garrett
2012-11-06 13:16 ` Matthew Garrett
2012-11-02 15:30 ` Vivek Goyal
2012-11-02 15:42 ` Matthew Garrett
[not found] ` <20121102154248.GA7681-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 16:22 ` Jiri Kosina
2012-11-02 18:30 ` Vivek Goyal
2012-11-02 16:35 ` Shuah Khan
[not found] ` <20121029174131.GC7580-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:28 ` Takashi Iwai [this message]
2012-10-31 17:28 ` Takashi Iwai
[not found] ` <s5hobjia6vj.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:44 ` Alan Cox
2012-10-31 17:44 ` Matthew Garrett
2012-10-31 18:53 ` Takashi Iwai
2012-11-01 4:21 ` joeyli
2012-11-01 4:21 ` joeyli
[not found] ` <1351743715.21227.95.camel-ONCj+Eqt86TasUa73XJKwA@public.gmane.org>
2012-11-01 13:18 ` Alan Cox
2012-11-01 13:18 ` Alan Cox
[not found] ` <20121101131849.752df6fd-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:18 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 1/4] scripts/sign-file: Allow specifying hash algorithm via -a option Takashi Iwai
2012-11-05 17:19 ` Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 2/4] scripts/sign-file: Support firmware signing Takashi Iwai
2012-11-05 17:20 ` [PATCH RFC 3/4] firmware: Add a signature check Takashi Iwai
2012-11-06 6:03 ` Mimi Zohar
2012-11-05 17:20 ` [PATCH RFC 4/4] firmware: Install signature files automatically Takashi Iwai
2012-11-05 18:12 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
[not found] ` <s5hhap49den.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-05 20:43 ` Josh Boyer
2012-11-05 20:43 ` Josh Boyer
2012-11-06 6:46 ` Takashi Iwai
2012-11-06 9:20 ` Alan Cox
2012-11-06 10:05 ` Takashi Iwai
2012-11-06 0:01 ` David Howells
2012-11-06 0:01 ` David Howells
2012-11-06 0:05 ` David Howells
[not found] ` <5839.1352160112-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 2:30 ` Ming Lei
2012-11-06 5:46 ` lee joey
[not found] ` <CACVXFVN8qPTgiYKXaeKFJXLXMjLE=+=8Vev2otD3v1VMk+Ez_w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:16 ` Ming Lei
2012-11-06 7:32 ` Takashi Iwai
[not found] ` <s5h4nl3i3u6.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:18 ` Takashi Iwai
2012-11-06 10:04 ` Ming Lei
2012-11-06 10:17 ` Takashi Iwai
2012-11-06 10:17 ` Takashi Iwai
[not found] ` <s5h4nl39gt9.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 11:03 ` Ming Lei
2012-11-06 11:15 ` Alan Cox
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ@mail.gmail.com>
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:30 ` Ming Lei
2012-11-08 17:35 ` [PATCH RFC v2 " Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 1/4] firmware: Add the firmware signing support to scripts/sign-file Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 2/4] firmware: Add -a option " Takashi Iwai
[not found] ` <1352396109-3989-3-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:51 ` joeyli
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 3/4] firmware: Add support for signature checks Takashi Iwai
[not found] ` <1352396109-3989-4-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:56 ` joeyli
2012-11-23 6:56 ` joeyli
2012-11-23 7:34 ` Takashi Iwai
2012-11-23 7:34 ` Takashi Iwai
[not found] ` <1352396109-3989-1-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-08 17:35 ` [PATCH RFC v2 4/4] firmware: Install firmware signature files automatically Takashi Iwai
2012-11-08 17:35 ` Takashi Iwai
[not found] ` <1352396109-3989-5-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:52 ` joeyli
2012-11-23 6:52 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s5hobjia6vj.wl%tiwai@suse.de \
--to=tiwai-l3a5bk7wagm@public.gmane.org \
--cc=jkosina-AlSwsSmVLrQ@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.