From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E596D3D3308; Tue, 5 May 2026 09:05:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; cv=none; b=QerRRHvlAOyxlpi+A04ESj2K9SjHea3jOnf4H0lN2uWfK2ZAUtXFxWiSEArKNdnqOVeQcc+iMPKjcLkx2/9wiFr0Xv4ic7VQj7MespKSHKXalVis0UlEcfFhnSFy4xwfYNmlyDoqXF3TuDExxiYNxecK8tucPaKwIvQAUfopyKI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; c=relaxed/simple; bh=3+TfV+G2pdtyPon4UoiayN0MzOd9dLRawRkDkEmqgQk=; h=From:Subject:Date:Message-Id:MIME-Version:Content-Type:To:Cc; b=BPCKfLAz+esc+DZhlojQI78MlT6Sv28hNfnxBrCS01R8GRtjLx9qEsFULPIQJt5mQjYMVVtXVT30rrdl6JbjS7hFtjdp+X6wLpePDU5Q6RXR0noFjAi09/BGcn7hog8RbC2aS1LxE07BLVLfZh1I+eSVqMWHVg3UdzVpUvoX80Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=LMrZa8UP; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="LMrZa8UP" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971922; bh=3+TfV+G2pdtyPon4UoiayN0MzOd9dLRawRkDkEmqgQk=; h=From:Subject:Date:To:Cc:From; b=LMrZa8UPBgDJoGIsTna8H4ZvARP53soQigqMBW1IArgIR1gf6B9u0afV70UvF1Uin jY7hg4rJog4rDzYGOXybUL/fOAPQdxnme7eKMB1xSTM2jyWQ7Rglh8OxRK5megVbEz wRQOU4R0TgMW8eukf1MmwueT3G6MQvi+aspNjLe8= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Subject: [PATCH v5 00/14] module: Introduce hash-based integrity checking Date: Tue, 05 May 2026 11:05:04 +0200 Message-Id: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> Precedence: bulk X-Mailing-List: linux-arch@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-B4-Tracking: v=1; b=H4sIAAAAAAAC/3XMy2rDMBCF4VcJWldlZiRFUVZ5j9KFLuNIkNrBS tyW4HevHAgFN13+B853E5XHwlXsNzcx8lRqGfoW5mUjYvb9kWVJrQUBaSQy8mNI1xPL7GvmKq0 34G2M5BWI9jmP3JWvu/f23jqXehnG7zs/4bL+J00oQSaLENl61SU8fHKptcZ8za89X8TCTfQgD CDBmqBGBI+400w22O4poX4JTW5NqEYAsCOzS9w5fkroB7EFRLUm9EIEpygFF8w2/CHmef4BycC Oj3gBAAA= X-Change-ID: 20241225-module-hashes-7a50a7cc2a30 To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=7338; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=3+TfV+G2pdtyPon4UoiayN0MzOd9dLRawRkDkEmqgQk=; b=B5jNaK8nrebPKZ5DQeOkk+hpzui5ffCiBEg6BGEicy81yoV1XDItYSp0mFpver92Pe1Oxtti+ zOglNe9yqCQDsVc1y3PKkLJ8f0E9od2X+pmDKCsBbWMM9LZJWIQtHXw X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated. The goal is to reach bit-for-bit reproducibility. Excluding certain parts of the build output from the reproducibility analysis would be error-prone and force each downstream consumer to introduce new tooling. Introduce a new mechanism to ensure only well-known modules are loaded by embedding a merkle tree root of all modules built as part of the full kernel build into vmlinux. Interest has been proclaimed by Arch Linux, Debian, Proxmox, SUSE, NixOS and the general reproducible builds community. Compatibility with IMA modsig is not provided yet. It is still unclear to me if it should be hooked up transparently without any changes to the policy or it should require new policy options. BPF/BTF folks, please take a look at patch 1. Further improvements: * Use MODULE_SIG_HASH for configuration * UAPI for discovery? To: Nathan Chancellor To: Nicolas Schier To: Arnd Bergmann To: Luis Chamberlain To: Petr Pavlu To: Sami Tolvanen To: Daniel Gomez To: Paul Moore To: James Morris To: Serge E. Hallyn To: Jonathan Corbet To: Madhavan Srinivasan To: Michael Ellerman To: Nicholas Piggin To: Christophe Leroy To: Naveen N Rao To: Mimi Zohar To: Roberto Sassu To: Dmitry Kasatkin To: Eric Snowberg To: Nicolas Schier To: Daniel Gomez To: Aaron Tomlin To: Christophe Leroy (CS GROUP) To: Nicolas Schier To: Nicolas Bouchinet To: Xiu Jianfeng Cc: Fabian Grünbichler Cc: Arnout Engelen Cc: Mattia Rizzolo Cc: kpcyrd Cc: Christian Heusel Cc: Câju Mihai-Drosi Cc: Eric Biggers Cc: Sebastian Andrzej Siewior Cc: linux-kbuild@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-modules@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: linux-doc@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-integrity@vger.kernel.org Cc: debian-kernel@lists.debian.org Signed-off-by: Thomas Weißschuh --- Changes in v5: - Document tree layout. - Make scripts/module-merkle-tree more robust. - Remove all changes to link-vmlinux.sh, use vmlinux.unstripped instead. - Clean up types and logic in modules-merkle-tree.c. - Use "auth" over "integrity" naming scheme. - Reduce the changes to the existing authentication flow. - Explicitly send the series to BTF folks for review of BTF changes. - Link to v4: https://patch.msgid.link/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net Changes in v4: - Use as Merkle tree over a linera list of hashes. - Provide compatibilith with INSTALL_MOD_STRIP - Rework commit messages. - Use vmlinux.unstripped over plain "vmlinux". - Link to v3: https://lore.kernel.org/r/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net Changes in v3: - Rebase on v6.15-rc1 - Use openssl to calculate hash - Avoid warning if no modules are built - Simplify module_integrity_check() a bit - Make incompatibility with INSTALL_MOD_STRIP explicit - Update docs - Add IMA cleanups - Link to v2: https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net Changes in v2: - Drop RFC state - Mention interested parties in cover letter - Expand Kconfig description - Add compatibility with CONFIG_MODULE_SIG - Parallelize module-hashes.sh - Update Documentation/kbuild/reproducible-builds.rst - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net --- Thomas Weißschuh (14): kbuild: generate module BTF based on vmlinux.unstripped lockdown: Make the relationship to MODULE_SIG a dependency kbuild: rename the strip_relocs command module: Drop pointless debugging message module: Make mod_verify_sig() static module: Switch load_info::len to size_t module: Make module authentication usable without MODULE_SIG module: Move authentication logic into dedicated new file module: Move signature type check out of mod_check_sig() module: Prepare for additional module authentication mechanisms module: update timestamp of modules.order after modules are built module: Introduce hash-based integrity checking kbuild: move handling of module stripping to Makefile.lib kbuild: make CONFIG_MODULE_HASHES compatible with module stripping .gitignore | 2 + Documentation/kbuild/reproducible-builds.rst | 5 +- Makefile | 7 +- crypto/algapi.c | 4 +- include/asm-generic/vmlinux.lds.h | 11 + include/linux/module.h | 18 +- include/linux/module_hashes.h | 29 ++ include/uapi/linux/module_signature.h | 1 + kernel/module/Kconfig | 29 +- kernel/module/Makefile | 2 + kernel/module/auth.c | 139 +++++++++ kernel/module/hashes.c | 95 ++++++ kernel/module/hashes_root.c | 6 + kernel/module/internal.h | 18 +- kernel/module/main.c | 16 +- kernel/module/signing.c | 113 +------- kernel/module_signature.c | 8 +- scripts/.gitignore | 1 + scripts/Makefile | 4 + scripts/Makefile.lib | 32 +++ scripts/Makefile.modfinal | 28 +- scripts/Makefile.modinst | 44 +-- scripts/Makefile.vmlinux | 40 ++- scripts/include/xalloc.h | 29 ++ scripts/link-vmlinux.sh | 3 +- scripts/modules-merkle-tree.c | 416 +++++++++++++++++++++++++++ security/integrity/ima/ima_modsig.c | 5 + security/lockdown/Kconfig | 2 +- tools/include/uapi/linux/module_signature.h | 1 + 29 files changed, 919 insertions(+), 189 deletions(-) --- base-commit: 585c2e775b12ef45bdf9cef5f679dcb1220e0d65 change-id: 20241225-module-hashes-7a50a7cc2a30 Best regards, -- Thomas Weißschuh