[Intel-wired-lan] [RFC 0/1] Proposal for new devlink command to enforce firmware security
Jakub Kicinski
kuba at kernel.org
Mon Dec 9 23:36:00 UTC 2024
On Mon, 9 Dec 2024 14:14:50 +0100 Martyna Szapar-Mudlaw wrote:
> Proposed design
>
> New command, `devlink dev lock-firmware` (or `devlink dev guard-firmware`),
> will be added to devlink API. Implementation in devlink will be simple
> and generic, with no predefined operations, offering flexibility for drivers
> to define the firmware locking mechanism appropriate to the hardware's
> capabilities and security requirements. Running this command will allow
> ice driver to ensure firmware with lower security value downgrades are
> prevented.
>
> Add also changes to Intel ice driver to display security values
> via devlink dev info command running and set minimum. Also implement
> lock-firmware devlink op callback in ice driver to update firmware
> minimum security revision value.
devlink doesn't have a suitable security model. I don't think we should
be adding hacks since we're not security experts and standards like SPDM
exist.
I understand that customers ask for this but "security" is not a
checkbox, the whole certificate and version management is necessary.
More information about the Intel-wired-lan
mailing list