On Mon, 9 Dec 2024 14:14:50 +0100 Martyna Szapar-Mudlaw wrote: > Proposed design > > New command, `devlink dev lock-firmware` (or `devlink dev guard-firmware`), > will be added to devlink API. Implementation in devlink will be simple > and generic, with no predefined operations, offering flexibility for drivers > to define the firmware locking mechanism appropriate to the hardware's > capabilities and security requirements. Running this command will allow > ice driver to ensure firmware with lower security value downgrades are > prevented. > > Add also changes to Intel ice driver to display security values > via devlink dev info command running and set minimum. Also implement > lock-firmware devlink op callback in ice driver to update firmware > minimum security revision value.
devlink doesn't have a suitable security model. I don't think we should be adding hacks since we're not security experts and standards like SPDM exist. I understand that customers ask for this but "security" is not a checkbox, the whole certificate and version management is necessary.
