On Wed, 2017-11-22 at 19:58 +0100, Luis R. Rodriguez wrote:
> I've frankly grown tired of pushing firmware signing just for the sake of
> the fact that I needed it for cfg80211, but now that it's out of the way and
> we open coded it, it's no longer a requirement on my part.

As the keys CFG80211_REQUIRE_SIGNED_REGDB are built into the kernel image, they would be included in the kernel image signature. As I previously asked https://lkml.org/lkml/2017/11/15/679, how are the keys located in the CFG80211_EXTRA_REGDB_KEYDIR keyring trusted? The keyring does not validate the certificate signatures, before loading the keys on the firmware keyring. It explicitly bypasses the certificate signature validation.

Mimi

