From: "Câju Mihai-Drosi" <mcaju95@gmail.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>
Cc: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking
Date: Sat, 25 Jan 2025 23:16:27 +0200 [thread overview]
Message-ID: <91eadb0b-d898-43ca-9c10-48363e1c3e7a@gmail.com> (raw)
In-Reply-To: <20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net>
On 1/20/25 19:44, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a static key is used, which precludes
> rebuilds by third parties and makes the whole build and packaging
> process much more complicated.
> Introduce a new mechanism to ensure only well-known modules are loaded
> by embedding a list of hashes of all modules built as part of the full
> kernel build into vmlinux.
>
> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
>
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
> (If you happen to test that one, please give some feedback)
>
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
> kernel/module/hashes.o? This would remove the need for the
> preallocation step in link-vmlinux.sh.
>
> Further improvements:
> * Use a LSM/IMA/Keyring to store and validate hashes
> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
>
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/
Hello,
Thank you for your work on helping to enable kernel lockdown coupled
with reproducible builds.
This may be out scope for this patch series, however I think it is worth
considering: How does one include hashes of modules that have not been
built as part of the kernel into the array? For example a DKMS module or
NVIDIA driver?
A solution that may be worth considering would be to include a list of
modules hashes into the kernel command-line. It may be even worth
considering keeping a dynamic array of hashes that can be locked at a
given point in time?
All the best,
Mihai
>
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
>
> ---
> Thomas Weißschuh (6):
> kbuild: add stamp file for vmlinux BTF data
> module: Make module loading policy usable without MODULE_SIG
> module: Move integrity checks into dedicated function
> module: Move lockdown check into generic module loader
> lockdown: Make the relationship to MODULE_SIG a dependency
> module: Introduce hash-based integrity checking
>
> .gitignore | 1 +
> Documentation/kbuild/reproducible-builds.rst | 5 ++-
> Makefile | 8 ++++-
> include/asm-generic/vmlinux.lds.h | 11 ++++++
> include/linux/module.h | 8 ++---
> include/linux/module_hashes.h | 17 +++++++++
> kernel/module/Kconfig | 21 ++++++++++-
> kernel/module/Makefile | 1 +
> kernel/module/hashes.c | 52 +++++++++++++++++++++++++++
> kernel/module/internal.h | 8 +----
> kernel/module/main.c | 54 +++++++++++++++++++++++++---
> kernel/module/signing.c | 24 +------------
> scripts/Makefile.modfinal | 10 ++++--
> scripts/Makefile.vmlinux | 5 +++
> scripts/link-vmlinux.sh | 31 +++++++++++++++-
> scripts/module-hashes.sh | 26 ++++++++++++++
> security/lockdown/Kconfig | 2 +-
> 17 files changed, 238 insertions(+), 46 deletions(-)
> ---
> base-commit: 2cd5917560a84d69dd6128b640d7a68406ff019b
> change-id: 20241225-module-hashes-7a50a7cc2a30
>
> Best regards,
next prev parent reply other threads:[~2025-01-25 21:16 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-20 17:44 [PATCH v2 0/6] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 1/6] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 2/6] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 3/6] module: Move integrity checks into dedicated function Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 4/6] module: Move lockdown check into generic module loader Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 5/6] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2025-01-20 17:44 ` [PATCH v2 6/6] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-01-22 23:28 ` kpcyrd
2025-03-06 8:10 ` Thomas Weißschuh
2025-02-03 14:22 ` Petr Pavlu
2025-02-04 21:22 ` Thomas Weißschuh
2025-01-21 10:26 ` [PATCH v2 0/6] " Roberto Sassu
2025-01-21 12:58 ` Thomas Weißschuh
2025-01-21 13:11 ` Roberto Sassu
2025-01-25 21:16 ` Câju Mihai-Drosi [this message]
2025-02-03 13:14 ` Christian Heusel
2025-02-04 21:08 ` Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=91eadb0b-d898-43ca-9c10-48363e1c3e7a@gmail.com \
--to=mcaju95@gmail.com \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=corbet@lwn.net \
--cc=da.gomez@samsung.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=masahiroy@kernel.org \
--cc=mattia@mapreri.org \
--cc=mcgrof@kernel.org \
--cc=nathan@kernel.org \
--cc=nicolas@fjasle.eu \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox