From: Michael Ellerman <mpe@ellerman.id.au>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
Kees Cook <keescook@chromium.org>
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
"H. Peter Anvin" <hpa@zytor.com>,
"tech-board-discuss@lists.linuxfoundation.org"
<tech-board-discuss@lists.linuxfoundation.org>,
Theodore Ts'o <tytso@mit.edu>
Subject: Re: xz meltdown/Lasse Collin
Date: Thu, 18 Apr 2024 15:20:54 +1000 [thread overview]
Message-ID: <87bk67b615.fsf@mail.lhotse> (raw)
In-Reply-To: <36ddf01707ddf51d4587ff80871dd4d4ac9d6c38.camel@HansenPartnership.com>
James Bottomley <James.Bottomley@HansenPartnership.com> writes:
> On Mon, 2024-04-15 at 11:00 -0700, Kees Cook wrote:
>> On Sun, Apr 14, 2024 at 10:45:30AM -0400, James Bottomley wrote:
>> > On Sun, 2024-04-14 at 12:21 +0200, Vegard Nossum wrote:
>> > > On 13/04/2024 15:16, James Bottomley wrote:
>> > > > 2. We need better build artifact transparency generally but
>> > > > I think the kernel is fine here: we still use make so don't
>> > > > have the huge build artifact issue that allowed the exploit in
>> > > > and we have a documented signing process for our build
>> > > > artifacts (kernel tarballs).
>> > > > 3. The indirect library dependency problem doesn't apply to
>> > > > us.
>> > >
>> > > While this is technically true, there are many other ways to
>> > > compromise the kernel build process:
>> >
>> > #define injection and environmental injection have to be done on
>> > the build system (I mean so did the xz payload injection but it
>> > found a carrier in the autoconf files). We're getting better at
>> > hermetic builds and other things that make direct build system
>> > tampering more difficult to pull off. Hopefully, one day soon,
>> > we'll get to reproduceable builds that someone outside the distro
>> > will be able to check every distro binary ... and that would pick
>> > up almost any type of build system injection attack.
>>
>> The kernel has worked fine for years with regard to reproducible
>> builds[1]. I regularly inter-build binary comparisons[2]. The main
>> thing needed is keeping these build variables fixed, e.g.:
>>
>> KBUILD_BUILD_TIMESTAMP=1980-01-01
>> KBUILD_BUILD_USER=user
>> KBUILD_BUILD_HOST=host
>> KBUILD_BUILD_VERSION=1
>>
>> All this said, such things would catch a malicious build host, but
>> not malicious build dependencies. For example, the groundwork was
>> already being laid[3] by "Jai Tan" to inject a build-time attack:
>>
>> +eval "$($XZ --robot --version)" || exit
>
> Fortunately vigilance on commit review caught that one ...
>
>> Any tool installed on the distro that the kernel depends on could
>> manipulate the build environment. We could certainly enforce better
>> sanity checks (i.e. sh-lint all the shell scripts), but defending
>> against obfuscated backdoors has always been tricky.
>
> So on this point, I think we can't help much with build tools (except
> being careful in trying to avoid making them a large set of
> dependencies).
On that note, I notice that Fedora builds numerous non-kernel packages
as part of the kernel build, ie. in the same chroot.
I see: perf, libperf, python3-perf, bpftool, rtla, rv.
Which adds numerous dependencies:
audit-libs-devel
binutils-devel
bison
flex
gettext
java-devel
libbabeltrace-devel
libbpf-devel
libcap-devel
libcap-ng-devel
libtraceevent-devel
libtracefs-devel
ncurses-devel
newt-devel
perl(ExtUtils::Embed)
python3-docutils
python3-setuptools
xz-devel
zlib-devel
From a quick look Debian does something similar.
Arguably that's a distro bug, ie. they should be built separately, but
AIUI it stems from the fact that they are all kept in the kernel tree.
cheers
next prev parent reply other threads:[~2024-04-18 5:21 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-12 17:36 xz meltdown/Lasse Collin H. Peter Anvin
2024-04-13 13:16 ` James Bottomley
2024-04-13 13:47 ` H. Peter Anvin
2024-04-13 14:12 ` James Bottomley
2024-04-14 0:11 ` Theodore Ts'o
2024-04-14 13:42 ` James Bottomley
2024-04-14 10:21 ` Vegard Nossum
2024-04-14 14:45 ` James Bottomley
2024-04-15 18:00 ` Kees Cook
2024-04-16 14:05 ` James Bottomley
2024-04-18 5:20 ` Michael Ellerman [this message]
2024-04-16 6:24 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bk67b615.fsf@mail.lhotse \
--to=mpe@ellerman.id.au \
--cc=James.Bottomley@HansenPartnership.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=tech-board-discuss@lists.linuxfoundation.org \
--cc=tytso@mit.edu \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.