Subject: Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware
From: Mimi Zohar
To: Josh Boyer, mcgrof@kernel.org
Cc: Harald Hoyer, Hannes Reinecke, Johannes Thumshirn, "Eric W. Biederman", Casey Schaufler, ast@kernel.org, David Miller, jeyu@kernel.org, Alexander Viro, One Thousand Gnomes, Matthew Garrett, Peter Jones, takahiro.akashi@linaro.org, David Howells, Linux Wireless, Kalle Valo, Seth Forshee, johannes.berg@intel.com, linux-integrity@vger.kernel.org, Hans de Goede, Ard Biesheuvel, linux-security-module, "Linux-Kernel@Vger. Kernel. Org", Kees Cook, Greg KH, andresx7@gmail.com, Linus Torvalds, luto@kernel.org, Justin Forbes, Laura Abbott
Date: Tue, 15 May 2018 08:43:39 -0400
References: <20180509212212.GX27853@wotan.suse.de> <1525903617.3551.281.camel@linux.vnet.ibm.com> <20180509234814.GY27853@wotan.suse.de> <1525917658.3551.322.camel@linux.vnet.ibm.com> <20180510232639.GF27853@wotan.suse.de> <1526014826.3414.46.camel@linux.vnet.ibm.com> <20180511215250.GJ27853@wotan.suse.de> <1526302692.3898.145.camel@linux.vnet.ibm.com> <20180514192853.GM27853@wotan.suse.de> <1526349751.3937.78.camel@linux.vnet.ibm.com> <20180515032656.GR27853@wotan.suse.de>
Message-Id: <1526388219.3937.137.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2018-05-15 at 08:32 -0400, Josh Boyer wrote:
> One aspect that was always a concern to some is whether the firmware files
> were modified directly to have the signature attached to them. That may
> run afoul of the "no modification" license that most blobs are shipped
> under. Does IMA have the signatures for the files stored in xattrs or in
> some other detached manner?

They're stored as xattrs.

RPM has support for including file signatures in the RPM header.

Mimi
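To make concrete what "stored as xattrs" means for the no-modification concern in the exchange above, here is an added example (not code from the thread or from the IMA project) that builds and parses the value IMA keeps in the security.ima extended attribute, so the firmware blob's own bytes never change. It assumes the kernel's signature_v2_hdr layout (type, version, hash algorithm index, big-endian 32-bit key id, big-endian 16-bit signature length, then the raw signature); the firmware blob and the signature bytes are constructed placeholders.

```python
"""Build/parse the detached IMA signature kept in the security.ima xattr."""
import os
import struct

# evm_ima_xattr_type values (first byte of the xattr value)
IMA_XATTR_DIGEST = 0x01       # legacy: raw digest of the default algorithm
EVM_IMA_XATTR_DIGSIG = 0x03   # signature_v2_hdr followed by the signature
IMA_XATTR_DIGEST_NG = 0x04    # hash algorithm byte followed by the digest

# enum hash_algo indices used in the hash_algo byte
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
HDR = ">BBBIH"                # type, version, hash_algo, keyid, sig_size (all big-endian)


def build_ima_digsig(hash_algo, keyid, sig):
    """Serialise a v2 signature header plus raw signature as stored in security.ima."""
    algo_id = {name: idx for idx, name in HASH_ALGOS.items()}[hash_algo]
    return struct.pack(HDR, EVM_IMA_XATTR_DIGSIG, 2, algo_id, keyid, len(sig)) + sig


def parse_ima_xattr(data):
    """Decode a security.ima value into a dict; rejects truncated or unknown encodings."""
    if not data:
        raise ValueError("empty security.ima value")
    xtype = data[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(data) < struct.calcsize(HDR):
            raise ValueError("truncated signature header")
        _, version, algo_id, keyid, sig_size = struct.unpack(HDR, data[:9])
        if version != 2 or len(data) != 9 + sig_size:
            raise ValueError("malformed v2 signature header")
        return {"type": "digsig", "hash_algo": HASH_ALGOS.get(algo_id, algo_id),
                "keyid": keyid, "signature": data[9:]}
    if xtype == IMA_XATTR_DIGEST_NG:
        return {"type": "digest", "hash_algo": HASH_ALGOS.get(data[1], data[1]),
                "digest": data[2:]}
    if xtype == IMA_XATTR_DIGEST:
        return {"type": "digest", "hash_algo": "default", "digest": data[1:]}
    raise ValueError("unknown security.ima type 0x%02x" % xtype)


def read_ima_xattr(path):
    """Read and decode security.ima from a real file (Linux only; may need privilege)."""
    return parse_ima_xattr(os.getxattr(path, "security.ima"))


def demo():
    """Round-trip a constructed xattr value; the blob itself is never touched."""
    blob = b"\x7fCONSTRUCTED-FIRMWARE-BLOB" * 4        # constructed sample firmware
    fake_sig = bytes(range(256))                        # placeholder, not a real signature
    xattr = build_ima_digsig("sha256", 0x0102AB42, fake_sig)
    return parse_ima_xattr(xattr), len(xattr), blob
```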