On Tue, 2013-01-15 at 23:55 -0800, Greg KH wrote:
On Wed, Jan 16, 2013 at 03:44:02PM +0800, joeyli wrote:
On Tue, 2013-01-15 at 23:10 -0800, Greg KH wrote:
On Wed, Jan 16, 2013 at 02:49:34PM +0800, Lee, Chun-Yi wrote:
Patch-mainline: Not yet, reviewing (contributed by Takashi)
Target: openSUSE 12.3
Why do we want to add this feature to 12.3 when it isn't needed by anyone? And it's not accepted upstream either.
thanks,
greg k-h
The purpose of this patch set is to sign driver firmware, to prevent an attacker from changing the firmware to attack the system. Takashi sent the patches upstream to ask for other experts' thoughts.
But, yes, upstream didn't accept it until now.
Now? I don't see them in Linus's tree, do you?
Sorry, it's my fault; upstream did NOT accept those patches.
And all firmware should already be signed, you are trying to extend the chain-of-trust to a different processor on the system, which is _way_ beyond what UEFI is asking for, and beyond anything that anyone has ever suggested.
I really don't think these are necessary, does anyone else?
greg k-h
The driver firmware signing function depends on kernel module signing being enabled. So, it extends the kernel module signing function in the kernel. Like kernel module signing, this function doesn't depend on UEFI secure boot being enabled; anyone can enable it on a non-UEFI machine.

Of course, from the secure boot viewpoint... Driver firmware signing is to avoid an attack against the firmware that then causes Microsoft to revoke our signature.

Thanks a lot!
Joey Lee