I was just trying out the fw_update program on OpenBSD 6.5, deleting/
installing all the firmware and was wondering if fw_update will verify
the files before installing?

There is a SHA256.sig in the remote firmware directory, but no
indication from fw_update, even with verbose output, if this is
actually used.

After looking at the source and manpage of fw_update, it was still not
clear to me if files are checked against SHA256.sig. For syspatch, it's
easy to tell from both source, manpage and program output.

Normally I would just assume that fetched files are verified, but maybe
in the case with fw_update, the rationale is that firmware files are
binary blobs so we can't know if they are malicious anyway, therefore
no reason to bother with verification.

As firmware is fetched over plain HTTP, I guess that in case of no
verification it would in theory make the system vulnerable to a MITM
attack, but I'm no expert.

Mogens Jensen

Reply via email to