From: Nicolas Schier <nsc@kernel.org>
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: "Nathan Chancellor" <nathan@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Naveen N Rao" <naveen@kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Eric Snowberg" <eric.snowberg@oracle.com>,
"Daniel Gomez" <da.gomez@kernel.org>,
"Aaron Tomlin" <atomlin@atomlin.com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
"Nicolas Bouchinet" <nicolas.bouchinet@oss.cyber.gouv.fr>,
"Xiu Jianfeng" <xiujianfeng@huawei.com>,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
"Christian Heusel" <christian@heusel.eu>,
"Câju Mihai-Drosi" <mcaju95@gmail.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v4 15/17] module: Introduce hash-based integrity checking
Date: Tue, 24 Feb 2026 17:14:52 +0100 [thread overview]
Message-ID: <aZ3OfJJSJgfOb0rJ@levanger> (raw)
In-Reply-To: <06054e9a-2b7a-4063-98b8-7d6c539e543f@t-8ch.de>
On Mon, Feb 23, 2026 at 10:43:30PM +0100, Thomas Weißschuh wrote:
> On 2026-02-23 19:41:52+0100, Nicolas Schier wrote:
> > On Mon, Feb 23, 2026 at 08:53:29AM +0100, Thomas Weißschuh wrote:
> > > On 2026-02-21 22:38:29+0100, Nicolas Schier wrote:
> > > > On Tue, Jan 13, 2026 at 01:28:59PM +0100, Thomas Weißschuh wrote:
[...]
> > > > [...]
> > > > > diff --git a/scripts/modules-merkle-tree.c b/scripts/modules-merkle-tree.c
> > > > > new file mode 100644
> > > > > index 000000000000..a6ec0e21213b
> > > > > --- /dev/null
> > > > > +++ b/scripts/modules-merkle-tree.c
> > > > > @@ -0,0 +1,467 @@
> > > > > +// SPDX-License-Identifier: GPL-2.0-or-later
> > > > > +/*
> > > > > + * Compute hashes for modules files and build a merkle tree.
> > > > > + *
> > > > > + * Copyright (C) 2025 Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
> > > > > + * Copyright (C) 2025 Thomas Weißschuh <linux@weissschuh.net>
> > > > > + *
> > > > > + */
> > > > > +#define _GNU_SOURCE 1
> > > > > +#include <arpa/inet.h>
> > > > > +#include <err.h>
> > > > > +#include <unistd.h>
> > > > > +#include <fcntl.h>
> > > > > +#include <stdarg.h>
> > > > > +#include <stdio.h>
> > > > > +#include <string.h>
> > > > > +#include <stdbool.h>
> > > > > +#include <stdlib.h>
> > > > > +
> > > > > +#include <sys/stat.h>
> > > > > +#include <sys/mman.h>
> > > > > +
> > > > > +#include <openssl/evp.h>
> > > > > +#include <openssl/err.h>
> > > > > +
> > > > > +#include "ssl-common.h"
> > > > > +
> > > > > +static int hash_size;
> > > > > +static EVP_MD_CTX *ctx;
> > > > > +
> > > > > +struct module_signature {
> > > > > + uint8_t algo; /* Public-key crypto algorithm [0] */
> > > > > + uint8_t hash; /* Digest algorithm [0] */
> > > > > + uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
> > > > > + uint8_t signer_len; /* Length of signer's name [0] */
> > > > > + uint8_t key_id_len; /* Length of key identifier [0] */
> > > > > + uint8_t __pad[3];
> > > > > + uint32_t sig_len; /* Length of signature data */
> > > > > +};
> > > > > +
> > > > > +#define PKEY_ID_MERKLE 3
> > > > > +
> > > > > +static const char magic_number[] = "~Module signature appended~\n";
> > > >
> > > > This here will be the forth definition of struct module_signature,
> > > > increasing the risk of unwanted diversion. I second Petr's suggestion
> > > > to reuse a _common_ definition instead.
> > >
> > > Ack.
> > >
> > > > (Here, even include/linux/module_signature.h could be included itself.)
> > >
> > > I'd like to avoid including internal headers from other components.
> > > We could move it to an UAPI header. Various other subsystems use those
> > > for not-really-UAPI but still ABI definitions.
> >
> > Yeah, ack.
>
> What exactly is the 'ack' for?
> * Avoiding to include internal headers?
> * Moving the definition to UAPI headers?
ah, sorry. I think reduction of duplicated definitions is good; moving
these definitions to UAPI headers sounds like a valid compromise to me.
> (...)
>
> > > > Can you verify if I get the mechanics roughly correct?
> > > >
> > > > * Modules are merkle tree leaves. Modules are built and logically
> > > > paired by the order from modules.order; a single left-over module is
> > > > paired with itself.
> > > >
> > > > * Hashes of paired modules are hashed again (branch node hash);
> > > > hashes of pairs of branch nodes' hashes are hashed again;
> > > > repeat until we reach the single merkle tree root hash
> > > >
> > > > * The final merkle tree root hash (and the count of tree levels) is
> > > > included in vmlinux
> > >
> > > The merkle tree code was written by Sebastian so he will have the best
> > > knowledge about it. But this is also my understanding.
> >
> > I'd like to see some (rough) description in Documentation or in a commit
> > message at least, otherwise future me will have to ask that again.
>
> Ack in general. I'd prefer to document it in a source code comment,
> though. That feels like the best fit to me.
Great, thanks.
--
Nicolas
next prev parent reply other threads:[~2026-02-24 16:17 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-13 12:28 [PATCH v4 00/17] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 01/17] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 02/17] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
2026-01-30 20:43 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:11 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2026-01-30 20:49 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:11 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 04/17] module: Make mod_verify_sig() static Thomas Weißschuh
2026-01-30 20:53 ` Aaron Tomlin
2026-02-06 8:25 ` Nicolas Schier
2026-03-10 21:12 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 05/17] module: Switch load_info::len to size_t Thomas Weißschuh
2026-02-06 8:18 ` David Howells
2026-02-06 8:34 ` Thomas Weißschuh
2026-02-06 8:30 ` Nicolas Schier
2026-02-06 8:38 ` Thomas Weißschuh
2026-02-06 8:55 ` Nicolas Schier
2026-02-06 9:09 ` Christophe Leroy (CS GROUP)
2026-02-06 9:18 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 06/17] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2026-02-06 16:28 ` Nicolas Schier
2026-03-10 21:36 ` Eric Biggers
2026-03-11 12:58 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 07/17] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2026-02-06 16:37 ` Nicolas Schier
2026-02-20 9:29 ` Fwd: " Thomas Weißschuh
2026-02-20 16:55 ` Ihor Solodrai
2026-02-23 7:40 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 08/17] module: Deduplicate signature extraction Thomas Weißschuh
2026-01-27 15:20 ` Petr Pavlu
2026-02-03 12:41 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 09/17] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2026-03-10 22:01 ` Eric Biggers
2026-03-11 12:59 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 10/17] module: Move integrity checks into dedicated function Thomas Weißschuh
2026-02-13 15:09 ` Nicolas Schier
2026-03-10 22:06 ` Eric Biggers
2026-01-13 12:28 ` [PATCH v4 11/17] module: Move lockdown check into generic module loader Thomas Weißschuh
2026-02-13 15:14 ` Nicolas Schier
2026-01-13 12:28 ` [PATCH v4 12/17] module: Move signature splitting up Thomas Weißschuh
2026-01-29 14:41 ` Petr Pavlu
2026-02-03 12:42 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 13/17] module: Report signature type to users Thomas Weißschuh
2026-01-29 14:44 ` Petr Pavlu
2026-02-03 12:44 ` Thomas Weißschuh
2026-01-13 12:28 ` [PATCH v4 14/17] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2026-02-13 15:32 ` Nicolas Schier
2026-01-13 12:28 ` [PATCH v4 15/17] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-01-13 14:56 ` Sebastian Andrzej Siewior
2026-01-30 17:06 ` Petr Pavlu
2026-02-03 12:55 ` Thomas Weißschuh
2026-02-06 17:12 ` Nicolas Schier
2026-02-19 14:27 ` Nicolas Schier
2026-02-03 12:19 ` Petr Pavlu
2026-02-03 12:59 ` Thomas Weißschuh
2026-03-11 1:18 ` Eric Biggers
2026-02-21 21:38 ` Nicolas Schier
2026-02-23 7:53 ` Thomas Weißschuh
2026-02-23 18:41 ` Nicolas Schier
2026-02-23 21:43 ` Thomas Weißschuh
2026-02-24 16:14 ` Nicolas Schier [this message]
2026-03-11 1:12 ` Eric Biggers
2026-03-11 8:50 ` Sebastian Andrzej Siewior
2026-03-11 13:19 ` Thomas Weißschuh
2026-03-11 21:14 ` Eric Biggers
2026-01-13 12:29 ` [PATCH v4 16/17] kbuild: move handling of module stripping to Makefile.lib Thomas Weißschuh
2026-01-13 12:29 ` [PATCH v4 17/17] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Thomas Weißschuh
2026-01-31 7:36 ` [PATCH v4 00/17] module: Introduce hash-based integrity checking Mihai-Drosi Câju
2026-02-01 16:22 ` Thomas Weißschuh
2026-02-01 17:09 ` David Howells
2026-02-01 20:12 ` Eric Biggers
2026-02-02 9:21 ` David Howells
2026-02-02 18:30 ` Eric Biggers
2026-02-02 18:38 ` David Howells
2026-02-02 18:47 ` Eric Biggers
2026-02-03 8:18 ` James Bottomley
2026-02-03 8:22 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZ3OfJJSJgfOb0rJ@levanger \
--to=nsc@kernel.org \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=atomlin@atomlin.com \
--cc=bigeasy@linutronix.de \
--cc=chleroy@kernel.org \
--cc=christian@heusel.eu \
--cc=corbet@lwn.net \
--cc=da.gomez@kernel.org \
--cc=da.gomez@samsung.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mattia@mapreri.org \
--cc=mcaju95@gmail.com \
--cc=mcgrof@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nathan@kernel.org \
--cc=naveen@kernel.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=npiggin@gmail.com \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=xiujianfeng@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.