linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>,
	"Masahiro Yamada" <masahiroy@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Petr Pavlu" <petr.pavlu@suse.com>,
	"Sami Tolvanen" <samitolvanen@google.com>,
	"Daniel Gomez" <da.gomez@samsung.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Madhavan Srinivasan" <maddy@linux.ibm.com>,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Nicholas Piggin" <npiggin@gmail.com>,
	"Christophe Leroy" <christophe.leroy@csgroup.eu>,
	"Naveen N Rao" <naveen@kernel.org>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"Roberto Sassu" <roberto.sassu@huawei.com>,
	"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
	"Eric Snowberg" <eric.snowberg@oracle.com>,
	"Nicolas Schier" <nicolas.schier@linux.dev>
Cc: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
	"Arnout Engelen" <arnout@bzzt.net>,
	"Mattia Rizzolo" <mattia@mapreri.org>,
	kpcyrd <kpcyrd@archlinux.org>,
	"Christian Heusel" <christian@heusel.eu>,
	"Câju Mihai-Drosi" <mcaju95@gmail.com>,
	linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking
Date: Tue, 29 Apr 2025 10:05:04 -0400	[thread overview]
Message-ID: <f1dca9daa01d0d2432c12ecabede3fa1389b1d29.camel@HansenPartnership.com> (raw)
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some
> drawbacks in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible,

I don't believe it does: as long as you know what the key was, which
you can get from the kernel keyring, you can exactly reproduce the core
build (it's a public key after all and really equivalent to built in
configuration).  Is the fact that you have to boot the kernel to get
the key the problem?  In which case we could insist it be shipped in
the kernel packaging.

>  or a static key is used, which precludes rebuilds by third parties
> and makes the whole build and packaging process much more
> complicated. 

No, it's the same as above ... as long as you have the public key you
can reproduce the core build with the same end to end hash.

However, is there also a corresponding question of how we verify
reproduceability of kernel builds (and the associated modules ... I
assume for the modules you do strip the appended signature)?  I assume
you're going by the secure boot hash (authenticode hash of the efi stub
and the compressed payload which includes the key).  However, if we had
the vmlinux.o we could do a much more nuanced hash to verify the build,
say by placing the keyring data in a section that isn't hashed.

Regards,

James


  parent reply	other threads:[~2025-04-29 14:05 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-29 13:04 [PATCH v3 0/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
2025-05-14 17:37   ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2025-05-14 15:09   ` Mimi Zohar
2025-05-14 17:37     ` Mimi Zohar
2025-05-14 18:25       ` Thomas Weißschuh
2025-05-14 21:36         ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 3/9] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 4/9] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 5/9] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 6/9] module: Move integrity checks into dedicated function Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 7/9] module: Move lockdown check into generic module loader Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2025-04-29 23:30   ` Paul Moore
2025-04-29 13:04 ` [PATCH v3 9/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 14:05 ` James Bottomley [this message]
2025-05-02  6:53   ` [PATCH v3 0/9] " Thomas Weißschuh
2025-05-02 13:30     ` James Bottomley
2025-05-02 23:43       ` kpcyrd
2025-05-06 13:21         ` James Bottomley
2025-05-03  8:19       ` Arnout Engelen
2025-05-06 13:24         ` James Bottomley
2025-05-07  7:47           ` Arnout Engelen
2025-05-07 16:41             ` James Bottomley
2025-05-08  7:57               ` Fabian Grünbichler
2025-05-16 18:09 ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f1dca9daa01d0d2432c12ecabede3fa1389b1d29.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=arnd@arndb.de \
    --cc=arnout@bzzt.net \
    --cc=christian@heusel.eu \
    --cc=christophe.leroy@csgroup.eu \
    --cc=corbet@lwn.net \
    --cc=da.gomez@samsung.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=f.gruenbichler@proxmox.com \
    --cc=jmorris@namei.org \
    --cc=kpcyrd@archlinux.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux@weissschuh.net \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=maddy@linux.ibm.com \
    --cc=masahiroy@kernel.org \
    --cc=mattia@mapreri.org \
    --cc=mcaju95@gmail.com \
    --cc=mcgrof@kernel.org \
    --cc=mpe@ellerman.id.au \
    --cc=nathan@kernel.org \
    --cc=naveen@kernel.org \
    --cc=nicolas.schier@linux.dev \
    --cc=npiggin@gmail.com \
    --cc=paul@paul-moore.com \
    --cc=petr.pavlu@suse.com \
    --cc=roberto.sassu@huawei.com \
    --cc=samitolvanen@google.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).