於 二，2013-01-15 於 23:55 -0800，Greg KH 提到：
On Wed, Jan 16, 2013 at 03:44:02PM +0800, joeyli
於 二，2013-01-15 於 23:10 -0800，Greg KH 提到：
On Wed, Jan 16, 2013 at 02:49:34PM +0800, Lee,
Patch-mainline: Not yet, reviewing (contributed
Target: openSUSE 12.3
Why do we want to add this feature to 12.3 when it isn't needed by
anyone? And it's not accepted upstream either.
The purpose of this patch set is for sign driver firmware to avoid
attacker change the firmware to attack system. Takashi sent patches to
upstream for ask other experts' thinking.
But, yes, upstream didn't accept it until now.
Now? I don't see them in Linus's tree, do you?
Sorry for it's my fault, upstream did NOT accept those patches.
And all firmware should already be signed, you are trying to extend the
chain-of-trust to a different processor on the system, which is _way_
beyond what UEFI is asking for, and beyond anything that anyone has ever
I really don't think these are necessary, does anyone else?
The driver firmware sign function dependent on kernel modules sign
enabled. So, it's extend the kernel modules sign function in kernel.
Like kernel module sign, this function doesn't depend to UEFI secure
boot enabled, anyone can enable it on non-UEFI machine.
Of course from secure boot view point...
Do the driver firmware sign is for avoid attack against to firmware then
causes Microsoft revoke our signature.
Thanks a lot!
To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org