On Tue, Nov 14, 2017 at 3:50 PM, Luis R. Rodriguez <[email protected]> wrote: > On Tue, Nov 14, 2017 at 12:18:54PM -0800, Linus Torvalds wrote: >> This is all theoretical security masturbation. The _real_ attacks have >> been elsewhere. > > In my research on this front I'll have to agree with this, in terms of > justification and there are only *two* arguments which I've so far have found > to justify firmware signing: > > a) If you want signed modules, you therefore should want signed firmware. > This however seems to be solved by using trusted boot thing, given it > seems trusted boot requires having firmware be signed as well. (Docs > would be useful to get about where in the specs this is mandated, > anyone?). Are there platforms that don't have trusted boot or for which > they don't enforce hardware checking for signed firmware for which > we still want to support firmware signing for? Are there platforms > that require and use module signing but don't and won't have a trusted > boot of some sort? Do we care?
TPM-backed Trusted Boot means you don't /need/ to sign anything, since the measurements of what you loaded will end up in the TPM. But signatures make it a lot easier, since you can just assert that only signed material will be loaded and so you only need to measure the kernel and the trusted keys.
