From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: "Thomas Weißschuh" <linux@weissschuh.net>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Petr Pavlu" <petr.pavlu@suse.com>,
"Sami Tolvanen" <samitolvanen@google.com>,
"Daniel Gomez" <da.gomez@samsung.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Christophe Leroy" <christophe.leroy@csgroup.eu>,
"Naveen N Rao" <naveen@kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Eric Snowberg" <eric.snowberg@oracle.com>,
"Nicolas Schier" <nicolas.schier@linux.dev>,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
"Christian Heusel" <christian@heusel.eu>,
"Câju Mihai-Drosi" <mcaju95@gmail.com>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking
Date: Wed, 19 Nov 2025 16:48:34 +0100 [thread overview]
Message-ID: <20251119154834.A-tQsLzh@linutronix.de> (raw)
In-Reply-To: <f1dca9daa01d0d2432c12ecabede3fa1389b1d29.camel@HansenPartnership.com>
On 2025-04-29 10:05:04 [-0400], James Bottomley wrote:
> On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > The current signature-based module integrity checking has some
> > drawbacks in combination with reproducible builds:
> > Either the module signing key is generated at build time, which makes
> > the build unreproducible,
>
> I don't believe it does: as long as you know what the key was, which
> you can get from the kernel keyring, you can exactly reproduce the core
> build (it's a public key after all and really equivalent to built in
> configuration). Is the fact that you have to boot the kernel to get
> the key the problem? In which case we could insist it be shipped in
> the kernel packaging.
The kernel itself is signed. This is not a problem because distros have
the "unsigned" package which is used for comparison.
The modules are signed by an ephemeral key which is created at build
time. This is where the problem starts:
- the public key is embedded into the kernel. Extracting it with tooling
is possible (or it is part of the kernel package). Adding this key
into the build process while rebuilding the kernel should work.
This will however alter the build process and is not *the* original
one, which was used to build the image.
- the private key remains unknown which means the modules can not be
signed. The rebuilding would need to get past this limitation and the
logic must not be affected by this "change". Then the modules need to
be stripped of their signature for the comparison.
Doing all this requires additional handling/ tooling on the "validation"
infrastructure. This infrastructure works currently without special
care.
Adding special care will not build the package exactly like it has been
built originally _and_ the results need to be interpreted (as in we
remove this signature and do this and now it is fine).
Adding hashes of each module into the kernel image looks like a
reasonable thing to do. I don't see any downsides to this. Yes, you are
limited to the modules available at build time but this is also the case
today with the ephemeral key. It is meant for distros not for individual
developers testing their code.
With this change it is possible to build a kernel and its modules and
put the result in an archive such as tar/ deb/ rpm. You can build the
package _again_ following exactly the same steps as you did before and
the result will be the identical archive.
Bit by bit.
No need for interpreting the results, stripping signatures or altering
the build process.
I fully agree with this approach. I don't like the big hash array but I
have an idea how to optimize that part. So I don't see a problem in the
long term.
> Regards,
>
> James
Sebastian
next prev parent reply other threads:[~2025-11-19 15:48 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-29 13:04 [PATCH v3 0/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG Thomas Weißschuh
2025-05-14 17:37 ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG Thomas Weißschuh
2025-05-14 15:09 ` Mimi Zohar
2025-05-14 17:37 ` Mimi Zohar
2025-05-14 18:25 ` Thomas Weißschuh
2025-05-14 21:36 ` Mimi Zohar
2025-04-29 13:04 ` [PATCH v3 3/9] kbuild: add stamp file for vmlinux BTF data Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 4/9] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 5/9] module: Make module loading policy usable without MODULE_SIG Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 6/9] module: Move integrity checks into dedicated function Thomas Weißschuh
2025-04-29 13:04 ` [PATCH v3 7/9] module: Move lockdown check into generic module loader Thomas Weißschuh
2025-11-19 11:20 ` Sebastian Andrzej Siewior
2025-11-19 19:55 ` Paul Moore
2025-11-23 17:10 ` Sebastian Andrzej Siewior
2025-04-29 13:04 ` [PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2025-04-29 23:30 ` Paul Moore
2025-04-29 13:04 ` [PATCH v3 9/9] module: Introduce hash-based integrity checking Thomas Weißschuh
2025-04-29 14:05 ` [PATCH v3 0/9] " James Bottomley
2025-05-02 6:53 ` Thomas Weißschuh
2025-05-02 13:30 ` James Bottomley
2025-05-02 23:43 ` kpcyrd
2025-05-06 13:21 ` James Bottomley
2025-05-03 8:19 ` Arnout Engelen
2025-05-06 13:24 ` James Bottomley
2025-05-07 7:47 ` Arnout Engelen
2025-05-07 16:41 ` James Bottomley
2025-05-08 7:57 ` Fabian Grünbichler
2025-11-19 15:48 ` Sebastian Andrzej Siewior [this message]
2025-11-23 17:05 ` Sebastian Andrzej Siewior
2025-11-24 9:41 ` Thomas Weißschuh
2025-05-16 18:09 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251119154834.A-tQsLzh@linutronix.de \
--to=bigeasy@linutronix.de \
--cc=James.Bottomley@hansenpartnership.com \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=christian@heusel.eu \
--cc=christophe.leroy@csgroup.eu \
--cc=corbet@lwn.net \
--cc=da.gomez@samsung.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=masahiroy@kernel.org \
--cc=mattia@mapreri.org \
--cc=mcaju95@gmail.com \
--cc=mcgrof@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nathan@kernel.org \
--cc=naveen@kernel.org \
--cc=nicolas.schier@linux.dev \
--cc=npiggin@gmail.com \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).