Thanks Mario, very helpful. I've found something else that worries me: The Linux Vendor Firmware Service re-packs a cab with a firmware, a detached signature, and some metadata. An example is at [1].
I haven't yet been able to find any chain of trust from a key to the cabfile to download. If the appstream data with firmware update information is published alongside e.g. the distribution's DEP-11 data, then APT will provide this via the /etc/apt/apt.conf.d/50appstream configuration file. (Or similar file.) If the cabfile metadata comes from [2] then I haven't yet found a way to verify this file or its recentness.

The detached signature in the cab file is not sufficient:

- A malicious entity may find a bug in the cab extraction process and exploit the extraction phase, bypassing the signature entirely.
- A malicious entity may manipulate the metadata file at will.
- A malicious entity may copy-and-paste the signature and firmware files from cab to cab.
- A malicious entity could supply an old, known-problematic, but previously valid cab, unchanged.

I'll continue investigating but wanted to share my concerns before starting a long weekend.

Thanks

1: https://secure-lvfs.rhcloud.com/downloads/90bb8877b5e8a4e4a5a0ce56af37dc4be7cf0ae8-firmware_9550_5510.cab
2: https://secure-lvfs.rhcloud.com/downloads/firmware.xml.gz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1536871

Title:
  [MIR] fwupd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
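The last three bypasses in the message above (metadata tampering, transplanting a valid signature and firmware into another cab, and replaying an old but once-valid cab), worked through as an added example. This is not code from the message, from fwupd or from LVFS: it models a cab as a plain dict of member files, uses HMAC-SHA256 with a constructed key as a stand-in for the real detached asymmetric signature, and the member names, the JSON manifest layout and the integer version field are all assumptions made for illustration. It first shows that a signature covering only the firmware payload accepts all three manipulations, then shows a hypothetical manifest-based layout that rejects each one by binding every member and the version to the signature and comparing against the installed version. The first bypass (a bug in the cab extractor) is not addressed by any signature layout and is deliberately not modelled.

```python
import hashlib
import hmac
import json

# Constructed sample data; none of this is real LVFS or vendor content.
VENDOR_KEY = b"constructed-vendor-signing-key"  # stands in for the vendor's private key
FW_V1 = b"constructed firmware image, version 1 (known-problematic)"
FW_V2 = b"constructed firmware image, version 2 (fixed)"
META_V1 = {"id": "com.example.device.firmware", "version": 1, "description": "initial"}
META_V2 = {"id": "com.example.device.firmware", "version": 2, "description": "fixes v1"}
INSTALLED_VERSION = 2  # what the client believes it is currently running


def sign(data: bytes) -> bytes:
    """Detached 'signature' over data. HMAC is an assumption standing in for
    the asymmetric signature a real vendor would produce."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def meta_bytes(meta: dict) -> bytes:
    # Deterministic serialization so a hash over the metadata is reproducible.
    return json.dumps(meta, sort_keys=True).encode()


# --- Layout the message describes: signature covers firmware.bin only -----

def make_cab_payload_signed(firmware: bytes, meta: dict) -> dict:
    return {"firmware.bin": firmware,
            "firmware.bin.asc": sign(firmware),      # covers the payload only
            "firmware.metainfo.xml": meta_bytes(meta)}  # unsigned


def verify_payload_signed(cab: dict) -> bool:
    """Checks nothing but the firmware against its detached signature."""
    return verify(cab["firmware.bin"], cab["firmware.bin.asc"])


def tampered_metadata_accepted() -> bool:
    """Metadata rewritten at will; the payload signature still verifies."""
    cab = make_cab_payload_signed(FW_V2, META_V2)
    cab["firmware.metainfo.xml"] = meta_bytes({**META_V2, "version": 99,
                                               "description": "attacker text"})
    return verify_payload_signed(cab)


def transplanted_signature_accepted() -> bool:
    """Signature and firmware copied from the v1 cab into a cab whose
    metadata claims to be v2; nothing ties the two members together."""
    genuine = make_cab_payload_signed(FW_V1, META_V1)
    forged = {"firmware.bin": genuine["firmware.bin"],
              "firmware.bin.asc": genuine["firmware.bin.asc"],
              "firmware.metainfo.xml": meta_bytes(META_V2)}
    return verify_payload_signed(forged)


def rollback_accepted() -> bool:
    """An old, once-valid cab replayed unchanged."""
    return verify_payload_signed(make_cab_payload_signed(FW_V1, META_V1))


# --- Hypothetical hardened layout: signature covers a manifest ------------

def make_cab_manifest_signed(firmware: bytes, meta: dict) -> dict:
    """The signed manifest lists the hash of every member plus the version."""
    mb = meta_bytes(meta)
    manifest = json.dumps({
        "version": meta["version"],
        "firmware.bin": hashlib.sha256(firmware).hexdigest(),
        "firmware.metainfo.xml": hashlib.sha256(mb).hexdigest(),
    }, sort_keys=True).encode()
    return {"firmware.bin": firmware, "firmware.metainfo.xml": mb,
            "manifest.json": manifest, "manifest.json.asc": sign(manifest)}


def verify_manifest_signed(cab: dict, installed_version: int) -> str:
    """Returns 'ok' or the reason for rejection. Order matters: authenticate
    the manifest first, then bind members to it, then check freshness."""
    if not verify(cab["manifest.json"], cab["manifest.json.asc"]):
        return "manifest signature invalid"
    manifest = json.loads(cab["manifest.json"])
    for name in ("firmware.bin", "firmware.metainfo.xml"):
        if hashlib.sha256(cab[name]).hexdigest() != manifest[name]:
            return f"{name} does not match signed manifest"
    if manifest["version"] <= installed_version:
        return "version %d is not newer than installed %d" % (
            manifest["version"], installed_version)
    return "ok"


def hardened_results() -> dict:
    """Re-runs the three manipulations against the manifest-signed layout."""
    genuine_v1 = make_cab_manifest_signed(FW_V1, META_V1)
    tampered = make_cab_manifest_signed(FW_V2, META_V2)
    tampered["firmware.metainfo.xml"] = meta_bytes({**META_V2, "version": 99})
    transplanted = dict(genuine_v1, **{"firmware.metainfo.xml": meta_bytes(META_V2)})
    newer = make_cab_manifest_signed(b"constructed v3 image", {**META_V2, "version": 3})
    return {
        "genuine_v3": verify_manifest_signed(newer, INSTALLED_VERSION),
        "tampered": verify_manifest_signed(tampered, INSTALLED_VERSION),
        "transplanted": verify_manifest_signed(transplanted, INSTALLED_VERSION),
        "rollback": verify_manifest_signed(genuine_v1, INSTALLED_VERSION),
    }


if __name__ == "__main__":
    print("payload-only signature accepts tamper/transplant/rollback:",
          tampered_metadata_accepted(), transplanted_signature_accepted(), rollback_accepted())
    for case, result in hardened_results().items():
        print(f"manifest-signed {case}: {result}")
```

The freshness check only works if the client keeps a trusted record of the installed version (or the metadata feed is itself signed and timestamped); without that, a replay of a genuinely signed old cab is indistinguishable from a legitimate update, which is the point the fourth bullet makes.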