On Wed, Jan 16, 2013 at 10:09:29AM +0100, Oliver Neukum wrote:
On Tuesday 15 January 2013 23:55:02 Greg KH wrote:
And all firmware should already be signed, you
are trying to extend the
chain-of-trust to a different processor on the system, which is _way_
beyond what UEFI is asking for, and beyond anything that anyone has ever
I really don't think these are necessary, does anyone else?
They are necessary. In terms of hardware most PCI devices are capable
of writing into RAM whereever they want to. Therefore the ability to load altered
firmware into a device is equivalent to the ability to alter RAM at will.
Again, this has nothing to do with UEFI or anything else. I understand
the wish to feel "better" about signing firmware, but this isn't
something that is required by anyone.
Also, watch out, some firmware files don't allow you to "modify" them,
so the signatures need to be kept elsewhere, hopefully this patchset
And this seems like a pretty late feature that isn't accepted upstream,
why add it to openSUSE given that there doesn't seem to be a requirement
by anyone for this?
To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org