From: "Arnout Engelen" <arnout@bzzt.net>
To: "James Bottomley" <James.Bottomley@hansenpartnership.com>,
"Thomas Weißschuh" <linux@weissschuh.net>
Cc: "Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Christophe Leroy" <christophe.leroy@csgroup.eu>,
"Naveen N Rao" <naveen@kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Eric Snowberg" <eric.snowberg@oracle.com>,
"Nicolas Schier" <nicolas.schier@linux.dev>,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
"Christian Heusel" <christian@heusel.eu>,
"Câju Mihai-Drosi" <mcaju95@gmail.com>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking
Date: Sat, 03 May 2025 10:19:17 +0200 [thread overview]
Message-ID: <072b392f-8122-4e4f-9a94-700dadcc0529@app.fastmail.com> (raw)
In-Reply-To: <b586e946c8514cecde65f98de8e19eb276c09703.camel@HansenPartnership.com>
On Fri, May 2, 2025, at 15:30, James Bottomley wrote:
> On Fri, 2025-05-02 at 08:53 +0200, Thomas Weißschuh wrote:
> > Specifically the output of any party can recreate bit-by-bit
> > identical copies of all specified artifacta previous build (the
> > public key, module signatures) is not available during the rebuild or
> > verification.
>
> You just strip the signatures before verifying reproducibility.
If the goal is: "verify the Linux Kernel is reproducible", that could work.
It gets increasingly cumbersome when you're trying to check the reproducibility
of some larger artifact that embeds the Linux kernel (and lots of other stuff),
like an ISO or disk image, though: you'd have to unpack/mount it, check all its
contents individually (perhaps recursively), and strip signatures in 'just the
right places'.
Writing such tooling is a chore, but of course feasible: diffoscope already
comes a long way (though checking large images may take some resources). The
problem is trusting such tooling: instead of 'simply' checking the images are
identical, suddenly I now have to convince myself there's no shenanigans
possible in the disk image interpretation and other check tooling, which gets
nontrivial fast.
> All current secure
> build processes (hermetic builds, SLSA and the like) are requiring
> output provenance (i.e. signed artifacts). If you try to stand like
> Canute against this tide saying "no signed builds", you're simply
> opposing progress for the sake of it
I don't think anyone is saying 'no signed builds', but we'd enjoy being able to
keep the signatures as detached metadata instead of having to embed them into
the 'actual' artifacts.
Kind regards,
Arnout
next prev parent reply other threads:[~2025-05-03 8:20 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-29 13:04 [PATCH v3 0/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
2025-05-14 17:37 ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2025-05-14 15:09 ` Mimi Zohar
2025-05-14 17:37 ` Mimi Zohar
2025-05-14 18:25 ` Thomas Weißschuh
2025-05-14 21:36 ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 3/9] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 4/9] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 5/9] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 6/9] module: Move integrity checks into dedicated function Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 7/9] module: Move lockdown check into generic module loader Thomas Weißschuh
2025-11-19 11:20 ` Sebastian Andrzej Siewior
2025-11-19 19:55 ` Paul Moore
2025-11-23 17:10 ` Sebastian Andrzej Siewior
2025-04-29 13:04 ` [PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2025-04-29 23:30 ` Paul Moore
2025-04-29 13:04 ` [PATCH v3 9/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 14:05 ` [PATCH v3 0/9] " James Bottomley
2025-05-02 6:53 ` Thomas Weißschuh
2025-05-02 13:30 ` James Bottomley
2025-05-02 23:43 ` kpcyrd
2025-05-06 13:21 ` James Bottomley
2025-05-03 8:19 ` Arnout Engelen [this message]
2025-05-06 13:24 ` James Bottomley
2025-05-07 7:47 ` Arnout Engelen
2025-05-07 16:41 ` James Bottomley
2025-05-08 7:57 ` Fabian Grünbichler
2025-11-19 15:48 ` Sebastian Andrzej Siewior
2025-11-23 17:05 ` Sebastian Andrzej Siewior
2025-11-24 9:41 ` Thomas Weißschuh
2025-05-16 18:09 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=072b392f-8122-4e4f-9a94-700dadcc0529@app.fastmail.com \
--to=arnout@bzzt.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=arnd@arndb.de \
--cc=christian@heusel.eu \
--cc=christophe.leroy@csgroup.eu \
--cc=corbet@lwn.net \
--cc=da.gomez@samsung.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=masahiroy@kernel.org \
--cc=mattia@mapreri.org \
--cc=mcaju95@gmail.com \
--cc=mcgrof@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nathan@kernel.org \
--cc=naveen@kernel.org \
--cc=nicolas.schier@linux.dev \
--cc=npiggin@gmail.com \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox