Thanks Mario, very helpful. I've found something else that worries me:
The Linux Vendor Firmware Service re-packs a cab with a firmware, a detached signature, and some metadata. An example is at [1].
I haven't yet been able to find any chain of trust from a key to the cabfile to download. If the appstream data with firmware update information is published alongside e.g. the distribution's DEP-11 data, then APT will provide this via the /etc/apt/apt.conf.d/50appstream configuration file. (Or similar file.)
If the cabfile metadata comes from [2] then I haven't yet found a way to verify this file or its recentness.
The detached signature in the cab file is not sufficient:
- A malicious entity may find a bug in the cab extraction process and exploit the extraction phase, bypassing the signature entirely.
- A malicious entity may manipulate the metadata file at will.
- A malicious entity may copy-and-paste the signature and firmware files from cab to cab.
- A malicious entity could supply an old, known-problematic, but previously valid cab, unchanged.
I'll continue investigating but wanted to share my concerns before starting a long weekend.
Thanks
1: https://secure-lvfs.rhcloud.com/downloads/90bb8877b5e8a4e4a5a0ce56af37dc4be7cf0ae8-firmware_9550_5510.cab
2: https://secure-lvfs.rhcloud.com/downloads/firmware.xml.gz
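The three signature-related concerns in the post above (metadata manipulation, copying signature and firmware from one cab to another, and replay of an old but once-valid cab) can be reproduced against a simulated verifier. The block below is an added example and is not code from LVFS, fwupd, or the post's author: it stands in for the detached PGP signature with an HMAC-SHA256 under a key the verifier trusts, uses constructed firmware images and metadata, and contrasts the "detached signature over the firmware only" check with a hypothetical hardened layout in which a signed manifest binds the hashes of every cab member plus a monotonic version number. The manifest layout, file names and version field are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's detached PGP signature: HMAC-SHA256 under a key the
# verifier trusts. Constructed for this example; the real LVFS signature is PGP.
TRUSTED_KEY = b"example-vendor-signing-key"


def sign(blob: bytes) -> bytes:
    return hmac.new(TRUSTED_KEY, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed firmware images and metadata standing in for the contents of two cabs.
FIRMWARE_V1 = b"firmware image 1.0 (constructed)"
FIRMWARE_V2 = b"firmware image 2.0 (constructed)"
METADATA_V1 = b"<component><release version='1.0'/></component>"
METADATA_V2 = b"<component><release version='2.0'/></component>"


def cab_detached_only(firmware: bytes, metadata: bytes) -> dict:
    """Cab layout as described in the post: the detached signature covers firmware only."""
    return {"firmware.bin": firmware, "firmware.bin.asc": sign(firmware),
            "metadata.xml": metadata}


def check_detached_only(cab: dict) -> bool:
    """The insufficient check: verifies only the firmware's detached signature."""
    return verify(cab["firmware.bin"], cab["firmware.bin.asc"])


def cab_with_manifest(firmware: bytes, metadata: bytes, version: int) -> dict:
    """Hypothetical hardened layout: a signed manifest binds firmware, metadata, version."""
    manifest = json.dumps({"firmware_sha256": sha256_hex(firmware),
                           "metadata_sha256": sha256_hex(metadata),
                           "version": version}, sort_keys=True).encode()
    return {"firmware.bin": firmware, "metadata.xml": metadata,
            "manifest.json": manifest, "manifest.json.asc": sign(manifest)}


def check_with_manifest(cab: dict, installed_version: int) -> bool:
    """Hardened check: signed manifest, hash of every member, monotonic version."""
    manifest_raw = cab.get("manifest.json", b"")
    if not verify(manifest_raw, cab.get("manifest.json.asc", b"")):
        return False
    m = json.loads(manifest_raw)
    if sha256_hex(cab["firmware.bin"]) != m["firmware_sha256"]:
        return False
    if sha256_hex(cab["metadata.xml"]) != m["metadata_sha256"]:
        return False
    # Anti-rollback: refuse anything not newer than what is already installed.
    return m["version"] > installed_version


def demo() -> dict:
    """Replays the post's concerns against both checks; every entry should be True."""
    results = {}
    # Concern: metadata manipulated at will; the detached signature never covered it.
    tampered = cab_detached_only(FIRMWARE_V1, METADATA_V1)
    tampered["metadata.xml"] = METADATA_V2  # advertises 2.0, ships 1.0 code
    results["detached_accepts_tampered_metadata"] = check_detached_only(tampered)
    # Concern: signature and firmware pasted from one cab into another.
    pasted = cab_detached_only(FIRMWARE_V2, METADATA_V2)
    pasted["firmware.bin"], pasted["firmware.bin.asc"] = FIRMWARE_V1, sign(FIRMWARE_V1)
    results["detached_accepts_pasted_firmware"] = check_detached_only(pasted)
    # Concern: an old, previously valid cab supplied unchanged; nothing marks it old.
    results["detached_accepts_old_cab"] = check_detached_only(
        cab_detached_only(FIRMWARE_V1, METADATA_V1))
    # The manifest-bound layout against the same manipulations.
    good = cab_with_manifest(FIRMWARE_V2, METADATA_V2, version=2)
    results["manifest_accepts_genuine"] = check_with_manifest(good, installed_version=1)
    swapped_meta = dict(good, **{"metadata.xml": METADATA_V1})
    results["manifest_rejects_tampered_metadata"] = not check_with_manifest(swapped_meta, 1)
    swapped_fw = dict(good, **{"firmware.bin": FIRMWARE_V1})
    results["manifest_rejects_pasted_firmware"] = not check_with_manifest(swapped_fw, 1)
    old_signed = cab_with_manifest(FIRMWARE_V1, METADATA_V1, version=1)
    results["manifest_rejects_rollback"] = not check_with_manifest(old_signed, 2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The rollback check only works if the verifier remembers the installed version (or a trusted timestamp) across runs; a signed manifest alone still says nothing about whether a newer one exists, which is the same gap the post raises for the unverifiable metadata feed.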