From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: =?UTF-8?q?Mihai-Drosi=20C=C3=A2ju?= <mcaju95@gmail.com>,
linux@weissschuh.net, arnd@arndb.de, arnout@bzzt.net,
atomlin@atomlin.com, bigeasy@linutronix.de, chleroy@kernel.org,
christian@heusel.eu, corbet@lwn.net, coxu@redhat.com,
da.gomez@kernel.org, da.gomez@samsung.com,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
f.gruenbichler@proxmox.com, jmorris@namei.org,
kpcyrd@archlinux.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, lkp@intel.com,
maddy@linux.ibm.com, mattia@mapreri.org, mcgrof@kernel.org,
mpe@ellerman.id.au, nathan@kernel.org, naveen@kernel.org,
nicolas.bouchinet@oss.cyber.gouv.fr, nicolas.schier@linux.dev,
npiggin@gmail.com, nsc@kernel.org, paul@paul-moore.com,
petr.pavlu@suse.com, roberto.sassu@huawei.com,
samitolvanen@google.com, serge@hallyn.com,
xiujianfeng@huawei.com, zohar@linux.ibm.com
Subject: Re: [PATCH v4 00/17] module: Introduce hash-based integrity checking
Date: Sun, 1 Feb 2026 12:12:18 -0800 [thread overview]
Message-ID: <20260201201218.GA15755@quark> (raw)
In-Reply-To: <2316630.1769965788@warthog.procyon.org.uk>
On Sun, Feb 01, 2026 at 05:09:48PM +0000, David Howells wrote:
> Mihai-Drosi Câju <mcaju95@gmail.com> wrote:
>
> > > The current signature-based module integrity checking has some drawbacks
> > in combination with reproducible builds. Either the module signing key
> > is generated at build time, which makes the build unreproducible, or a
> > static signing key is used, which precludes rebuilds by third parties
> > and makes the whole build and packaging process much more complicated.
>
> There is another issue too: If you have a static private key that you use to
> sign modules (and probably other things), someone will likely give you a GPL
> request to get it.
>
> One advantage of using a transient key every build and deleting it after is
> that no one has the key.
>
> One other thing to remember: security is *meant* to get in the way. That's
> the whole point of it.
>
> However, IANAL.
>
> David
It sounds like hash-based module authentication is just better, then.
If the full set of authentic modules is known at kernel build time, then
signatures are unnecessary to verify their authenticity: a list of
hashes built into the kernel image is perfectly sufficient.
(This patchset actually gets a little fancy and makes it a Merkle tree
root. But it could be simplified to just a list of hashes.)
With that being the case, why is there still effort being put into
adding more features to module signing? I would think efforts should be
focused on hash-based module authentication, i.e. this patchset.
- Eric
next prev parent reply other threads:[~2026-02-01 20:12 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-13 12:28 [PATCH v4 00/17] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 01/17] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 02/17] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
2026-01-30 20:43 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:11 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2026-01-30 20:49 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:11 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 04/17] module: Make mod_verify_sig() static Thomas Weißschuh
2026-01-30 20:53 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:12 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 05/17] module: Switch load_info::len to size_t Thomas Weißschuh
2026-02-06 8:18 ` David Howells
2026-02-06 8:34 ` Thomas Weißschuh
2026-02-06 8:30 ` Nicolas Schier
2026-02-06 8:38 ` Thomas Weißschuh
2026-02-06 8:55 ` Nicolas Schier
2026-02-06 9:09 ` Christophe Leroy (CS GROUP)
2026-02-06 9:18 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 06/17] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2026-02-06 16:28 ` Nicolas Schier
2026-03-10 21:36 ` Eric Biggers
2026-03-11 12:58 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 07/17] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2026-02-06 16:37 ` Nicolas Schier
2026-02-20 9:29 ` Fwd: " Thomas Weißschuh
2026-02-20 16:55 ` Ihor Solodrai
2026-02-23 7:40 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 08/17] module: Deduplicate signature extraction Thomas Weißschuh
2026-01-27 15:20 ` Petr Pavlu
2026-02-03 12:41 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 09/17] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2026-03-10 22:01 ` Eric Biggers
2026-03-11 12:59 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 10/17] module: Move integrity checks into dedicated function Thomas Weißschuh
2026-02-13 15:09 ` Nicolas Schier
2026-03-10 22:06 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 11/17] module: Move lockdown check into generic module loader Thomas Weißschuh
2026-02-13 15:14 ` Nicolas Schier
2026-01-13 12:28 ` [PATCH v4 12/17] module: Move signature splitting up Thomas Weißschuh
2026-01-29 14:41 ` Petr Pavlu
2026-02-03 12:42 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 13/17] module: Report signature type to users Thomas Weißschuh
2026-01-29 14:44 ` Petr Pavlu
2026-02-03 12:44 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 14/17] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2026-02-13 15:32 ` Nicolas Schier
2026-01-13 12:28 ` [PATCH v4 15/17] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-01-13 14:56 ` Sebastian Andrzej Siewior
2026-01-30 17:06 ` Petr Pavlu
2026-02-03 12:55 ` Thomas Weißschuh
2026-02-06 17:12 ` Nicolas Schier
2026-02-19 14:27 ` Nicolas Schier
2026-02-03 12:19 ` Petr Pavlu
2026-02-03 12:59 ` Thomas Weißschuh
2026-03-11 1:18 ` Eric Biggers
2026-02-21 21:38 ` Nicolas Schier
2026-02-23 7:53 ` Thomas Weißschuh
2026-02-23 18:41 ` Nicolas Schier
2026-02-23 21:43 ` Thomas Weißschuh
2026-02-24 16:14 ` Nicolas Schier
2026-03-11 1:12 ` Eric Biggers
2026-03-11 8:50 ` Sebastian Andrzej Siewior
2026-03-11 13:19 ` Thomas Weißschuh
2026-03-11 21:14 ` Eric Biggers
2026-01-13 12:29 ` [PATCH v4 16/17] kbuild: move handling of module stripping to Makefile.lib Thomas Weißschuh
2026-01-13 12:29 ` [PATCH v4 17/17] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Thomas Weißschuh
2026-01-31 7:36 ` [PATCH v4 00/17] module: Introduce hash-based integrity checking Mihai-Drosi Câju
2026-02-01 16:22 ` Thomas Weißschuh
2026-02-01 17:09 ` David Howells
2026-02-01 20:12 ` Eric Biggers [this message]
2026-02-02 9:21 ` David Howells
2026-02-02 18:30 ` Eric Biggers
2026-02-02 18:38 ` David Howells
2026-02-02 18:47 ` Eric Biggers
2026-02-03 8:18 ` James Bottomley
2026-02-03 8:22 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260201201218.GA15755@quark \
--to=ebiggers@kernel.org \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=atomlin@atomlin.com \
--cc=bigeasy@linutronix.de \
--cc=chleroy@kernel.org \
--cc=christian@heusel.eu \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=da.gomez@kernel.org \
--cc=da.gomez@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lkp@intel.com \
--cc=maddy@linux.ibm.com \
--cc=mattia@mapreri.org \
--cc=mcaju95@gmail.com \
--cc=mcgrof@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nathan@kernel.org \
--cc=naveen@kernel.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=nicolas.schier@linux.dev \
--cc=npiggin@gmail.com \
--cc=nsc@kernel.org \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=xiujianfeng@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.