On Tue, Nov 14, 2017 at 3:18 PM, Linus Torvalds
<torva...@linux-foundation.org> wrote:
> On Tue, Nov 14, 2017 at 11:58 AM, Matthew Garrett <mj...@google.com> wrote:
>>
>> Our ability to determine that userland hasn't been tampered with
>> depends on the kernel being trustworthy. If userland can upload
>> arbitrary firmware to DMA-capable devices then we can no longer trust
>> the kernel. So yes, firmware is special.
>
> You're ignoring the whole "firmware is already signed by the hardware
> manufacturer and we don't even have access to it" part.

Firmware is sometimes signed by the hardware manufacturer. There's
plenty of hardware that accepts unsigned firmware.

> You're also ignoring the fact that we can't trust firmware _anyway_,
> as Alan pointed out.

Yeah, for arbitrary devices. There are cases where security has been
well audited, and it's viable to build systems where that's the
configuration you're running.

> Seriously. Some of the worst security issues have been with exactly
> the fact that we can't trust the hardware to begin with, where
> firmware/hardware combinations are not trusted to begin with.

You're right. But by that argument we might as well give up on *all*
security work - there's no way we can prove that a set of unprivileged
instructions won't backdoor a system.

> This is all theoretical security masturbation. The _real_ attacks have
> been elsewhere.

People made the same argument about Secure Boot, and then we
discovered that people *were* attacking the boot chain. As we secure
other components, the attackers move elsewhere. This is an attempt to
block off an avenue of attack before it's abused.
