Comment 10 for bug 1536871

Seth Arnold (seth-arnold) wrote :

Thanks Mario, very helpful. I've found something else that worries me:

The Linux Vendor Firmware Service re-packs a cab with a firmware, a detached signature, and some metadata. An example is at [1].

I haven't yet been able to find any chain of trust from a key to the cabfile to download. If the appstream data with firmware update information is published alongside e.g. the distribution's DEP-11 data, then APT will provide this via the /etc/apt/apt.conf.d/50appstream configuration file. (Or similar file.)

If the cabfile metadata comes from [2] then I haven't yet found a way to verify this file or its recentness.

The detached signature in the cab file is not sufficient:
- A malicious entity may find a bug in the cab extraction process and exploit the extraction phase, bypassing the signature entirely.
- A malicious entity may manipulate the metadata file at will.
- A malicious entity may copy-and-paste the signature and firmware files from cab to cab.
- A malicious entity could supply an old, known-problematic, but previously valid cab, unchanged.

I'll continue investigating but wanted to share my concerns before starting a long weekend.

Thanks

1: https://secure-lvfs.rhcloud.com/downloads/90bb8877b5e8a4e4a5a0ce56af37dc4be7cf0ae8-firmware_9550_5510.cab
2: https://secure-lvfs.rhcloud.com/downloads/firmware.xml.gz
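As an added example (not code from this bug thread, fwupd or LVFS), the checks a client would need on top of the detached signature inside the cab: a signature over the metadata itself, feed freshness, a hash binding from metadata to cab, and anti-rollback. The XML layout, the `generated` attribute and all values are constructed for the example; the metadata signature check is assumed to be done by the caller with a pinned key.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data (not real LVFS content): the cab bytes, their hash,
# and an AppStream-style metadata feed that references the cab by hash.
CAB_BYTES = b"constructed cab for firmware_9550_5510"
CAB_SHA1 = hashlib.sha1(CAB_BYTES).hexdigest()
FEED_GENERATED = 1453000000  # feed timestamp, constructed for this example
METADATA_XML = f"""<components generated="{FEED_GENERATED}">
  <component type="firmware">
    <id>com.example.firmware_9550_5510</id>
    <releases>
      <release version="1.2.3">
        <checksum type="sha1" target="container">{CAB_SHA1}</checksum>
      </release>
    </releases>
  </component>
</components>"""
MAX_FEED_AGE = 30 * 24 * 3600  # seconds; older feeds are treated as replayed

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def verify_update(metadata_xml, metadata_signature_ok, cab_bytes,
                  installed_version, now):
    """Return (accepted, reason). Precondition (assumed): the caller has
    verified a detached signature over the *metadata* with a pinned key and
    reports the result in metadata_signature_ok. Nothing below is parsed
    until that check has passed, so the parser is not exposed to unsigned
    input."""
    if not metadata_signature_ok:
        return False, "metadata not signed by trusted key"
    root = ET.fromstring(metadata_xml)
    # Freshness: a replayed old (but validly signed) feed is rejected, so it
    # cannot be used to re-offer old, known-problematic releases.
    generated = int(root.get("generated", "0"))
    if now - generated > MAX_FEED_AGE:
        return False, "metadata feed is stale"
    release = root.find("./component/releases/release")
    checksum = release.find("checksum[@target='container']")
    # Binding: the signed metadata names the cab by hash, so a cab with a
    # pasted-in signature or altered contents does not match.
    if hashlib.sha1(cab_bytes).hexdigest() != checksum.text.strip():
        return False, "cab hash does not match signed metadata"
    # Anti-rollback: refuse releases that are not newer than what is installed.
    if parse_version(release.get("version")) <= parse_version(installed_version):
        return False, "release is not newer than installed version"
    return True, "ok"
```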