From: Mimi Zohar <zohar@linux.ibm.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Christophe Leroy" <christophe.leroy@csgroup.eu>,
"Naveen N Rao" <naveen@kernel.org>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Eric Snowberg" <eric.snowberg@oracle.com>,
"Nicolas Schier" <nicolas.schier@linux.dev>
Cc: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
"Christian Heusel" <christian@heusel.eu>,
"Câju Mihai-Drosi" <mcaju95@gmail.com>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking
Date: Fri, 16 May 2025 14:09:28 -0400
Message-ID: <ddaa84b8baf0e1ed8a3037abb0449f96a99450ec.camel@linux.ibm.com>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
Hi Thomas,
On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a static key is used, which precludes
> rebuilds by third parties and makes the whole build and packaging
> process much more complicated.
> Introduce a new mechanism to ensure only well-known modules are loaded
> by embedding a list of hashes of all modules built as part of the full
> kernel build into vmlinux.
From a very high level, I like the idea of including the kernel module hashes
in the kernel image, which is signed, and falling back to verifying other
kernel modules based on signatures.
Removing the CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG checks in the first two
patches is correct, as previously mentioned. However, without these Kconfigs
being enabled, the IMA arch specific policy defines and enforces signature
verification based on the signatures stored in security.ima. I doubt this is
what was intended.
Changes would be needed in ima_appraise_measurement(). It's not enough to
test whether the policy permits appended signatures (modsig), but to detect
whether CONFIG_MODULE_SIG is enabled. In addition, similar support to
try_modsig needs to be added for CONFIG_MODULE_HASHES.
thanks,
Mimi
>
> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
>
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch or pahole v1.29 is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
>
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
> kernel/module/hashes.o? This would remove the need for the
> preallocation step in link-vmlinux.sh.
> * How should this interact with IMA?
>
> Further improvements:
> * Use a LSM/IMA Keyring to store and validate hashes
> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
> * Currently has a permanent memory overhead
>
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/
>
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> Changes in v3:
> - Rebase on v6.15-rc1
> - Use openssl to calculate hash
> - Avoid warning if no modules are built
> - Simplify module_integrity_check() a bit
> - Make incompatibility with INSTALL_MOD_STRIP explicit
> - Update docs
> - Add IMA cleanups
> - Link to v2:
> https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net
>
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1:
> https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
>
> ---
> Thomas Weißschuh (9):
> powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
> ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
> kbuild: add stamp file for vmlinux BTF data
> kbuild: generate module BTF based on vmlinux.unstripped
> module: Make module loading policy usable without MODULE_SIG
> module: Move integrity checks into dedicated function
> module: Move lockdown check into generic module loader
> lockdown: Make the relationship to MODULE_SIG a dependency
> module: Introduce hash-based integrity checking
>
> .gitignore | 1 +
> Documentation/kbuild/reproducible-builds.rst | 5 ++-
> Makefile | 8 +++-
> arch/powerpc/kernel/ima_arch.c | 3 +-
> include/asm-generic/vmlinux.lds.h | 11 ++++++
> include/linux/module.h | 8 ++--
> include/linux/module_hashes.h | 17 +++++++++
> kernel/module/Kconfig | 21 ++++++++++-
> kernel/module/Makefile | 1 +
> kernel/module/hashes.c | 56 ++++++++++++++++++++++++++++
> kernel/module/internal.h | 8 +---
> kernel/module/main.c | 51 ++++++++++++++++++++++---
> kernel/module/signing.c | 24 +-----------
> scripts/Makefile.modfinal | 18 ++++++---
> scripts/Makefile.modinst | 4 ++
> scripts/Makefile.vmlinux | 5 +++
> scripts/link-vmlinux.sh | 31 ++++++++++++++-
> scripts/module-hashes.sh | 26 +++++++++++++
> security/integrity/ima/ima_efi.c | 6 +--
> security/lockdown/Kconfig | 2 +-
> 20 files changed, 250 insertions(+), 56 deletions(-)
> ---
> base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
> change-id: 20241225-module-hashes-7a50a7cc2a30
>
> Best regards,
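The load-time policy discussed above (accept a module whose digest is in the list embedded at build time, otherwise fall back to signature verification, otherwise reject), as an added illustration that is not code from the patch set. It assumes SHA-256 digests kept in a sorted list and uses Ed25519 as a stand-in for the kernel's real appended-signature format; the module blobs and key are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

type Decision string // outcome of the load-time check
const (
	AcceptedByHash = Decision("hash")      // digest found in the embedded list
	AcceptedBySig  = Decision("signature") // fallback: appended signature verified
	Rejected       = Decision("rejected")
)

// BuildHashList models the build step: hash every module produced by the full
// kernel build and keep the digests sorted so the loader can bisect.
func BuildHashList(modules [][]byte) [][32]byte {
	list := make([][32]byte, 0, len(modules))
	for _, m := range modules {
		list = append(list, sha256.Sum256(m))
	}
	sort.Slice(list, func(i, j int) bool { return bytes.Compare(list[i][:], list[j][:]) < 0 })
	return list
}
func inHashList(list [][32]byte, h [32]byte) bool {
	i := sort.Search(len(list), func(i int) bool { return bytes.Compare(list[i][:], h[:]) >= 0 })
	return i < len(list) && list[i] == h
}

// CheckModule applies the policy: embedded hash first, signature as fallback.
// sig is nil when no signature is appended; pub is nil when MODULE_SIG is off.
func CheckModule(list [][32]byte, pub ed25519.PublicKey, blob, sig []byte) Decision {
	if inHashList(list, sha256.Sum256(blob)) {
		return AcceptedByHash
	}
	if pub != nil && sig != nil && ed25519.Verify(pub, blob, sig) {
		return AcceptedBySig
	}
	return Rejected
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key standing in for the module signing key
	inTree := [][]byte{[]byte("in-tree module A"), []byte("in-tree module B")} // constructed blobs
	list, extra := BuildHashList(inTree), []byte("out-of-tree module")
	fmt.Println(CheckModule(list, pub, inTree[0], nil), CheckModule(list, pub, extra, ed25519.Sign(priv, extra)), CheckModule(list, nil, extra, nil))
}
```

Running it prints "hash signature rejected": the in-tree blob passes on its digest alone, the signed out-of-tree blob passes only via the signature fallback, and with no key configured the unlisted blob is rejected.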