From: Michael Ellerman
To: James Bottomley, Kees Cook
Cc: Vegard Nossum, "H. Peter Anvin", tech-board-discuss@lists.linuxfoundation.org, Theodore Ts'o
Subject: Re: xz meltdown/Lasse Collin
In-Reply-To: <36ddf01707ddf51d4587ff80871dd4d4ac9d6c38.camel@HansenPartnership.com>
References: <8205E91D-F15B-402D-9398-33E4FF4E4E62@zytor.com> <030a96cf36719d8a7ec702b9303616f89daed4bb.camel@HansenPartnership.com> <872f9cfd-5c19-4a82-bf75-6256265e8f8a@oracle.com> <202404151051.90B786EE85@keescook> <36ddf01707ddf51d4587ff80871dd4d4ac9d6c38.camel@HansenPartnership.com>
Date: Thu, 18 Apr 2024 15:20:54 +1000
Message-ID: <87bk67b615.fsf@mail.lhotse>
X-Mailing-List: tech-board-discuss@lists.linux.dev

James Bottomley writes:
> On Mon, 2024-04-15 at 11:00 -0700, Kees Cook wrote:
>> On Sun, Apr 14, 2024 at 10:45:30AM -0400, James Bottomley wrote:
>> > On Sun, 2024-04-14 at 12:21 +0200, Vegard Nossum wrote:
>> > > On 13/04/2024 15:16, James Bottomley wrote:
>> > > >     2. We need better build artifact transparency generally but
>> > > >  I think the kernel is fine here: we still use make so don't
>> > > > have the huge build artifact issue that allowed the exploit in
>> > > > and we have a documented signing process for our build
>> > > > artifacts (kernel tarballs).
>> > > >     3. The indirect library dependency problem doesn't apply to
>> > > > us.
>> > >
>> > > While this is technically true, there are many other ways to
>> > > compromise the kernel build process:
>> >
>> > #define injection and environmental injection have to be done on
>> > the build system (I mean so did the xz payload injection but it
>> > found a carrier in the autoconf files).  We're getting better at
>> > hermetic builds and other things that make direct build system
>> > tampering more difficult to pull off.  Hopefully, one day soon,
>> > we'll get to reproducible builds that someone outside the distro
>> > will be able to check every distro binary ... and that would pick
>> > up almost any type of build system injection attack.
>>
>> The kernel has worked fine for years with regard to reproducible
>> builds[1]. I regularly inter-build binary comparisons[2]. The main
>> thing needed is keeping these build variables fixed, e.g.:
>>
>> KBUILD_BUILD_TIMESTAMP=1980-01-01
>> KBUILD_BUILD_USER=user
>> KBUILD_BUILD_HOST=host
>> KBUILD_BUILD_VERSION=1
>>
>> All this said, such things would catch a malicious build host, but
>> not malicious build dependencies. For example, the groundwork was
>> already being laid[3] by "Jia Tan" to inject a build-time attack:
>>
>> +eval "$($XZ --robot --version)" || exit
>
> Fortunately vigilance on commit review caught that one ...
>
>> Any tool installed on the distro that the kernel depends on could
>> manipulate the build environment. We could certainly enforce better
>> sanity checks (i.e. sh-lint all the shell scripts), but defending
>> against obfuscated backdoors has always been tricky.
>
> So on this point, I think we can't help much with build tools (except
> being careful in trying to avoid making them a large set of
> dependencies).

On that note, I notice that Fedora builds numerous non-kernel packages
as part of the kernel build, ie. in the same chroot. I see:

perf, libperf, python3-perf, bpftool, rtla, rv.
Which adds numerous dependencies:

audit-libs-devel binutils-devel bison flex gettext java-devel
libbabeltrace-devel libbpf-devel libcap-devel libcap-ng-devel
libtraceevent-devel libtracefs-devel ncurses-devel newt-devel
perl(ExtUtils::Embed) python3-docutils python3-setuptools xz-devel
zlib-devel

From a quick look Debian does something similar.

Arguably that's a distro bug, ie. they should be built separately, but
AIUI it stems from the fact that they are all kept in the kernel tree.

cheers
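The inter-build comparison Kees describes, as an added example that is not part of the thread and not kernel or distro tooling: pin the four `KBUILD_*` variables he lists (the timestamp, user@host and build number are what kbuild bakes into the kernel's version banner), produce two builds, and compare the output trees file by file. `stand_in_build` is a constructed substitute for `make` so the script runs offline; `hash_tree` and `compare_builds` are names chosen here. In practice you would point `compare_builds` at two real `O=` output directories and keep the stand-in only as a smoke test of the check itself.

```shell
#!/bin/sh
# Added example, not code from the thread: pin the KBUILD_* build metadata,
# build twice, and compare the two output trees byte for byte.

# Fixed values for the variables Kees lists; a real build reads these from
# the environment and embeds them in the version banner.
export KBUILD_BUILD_TIMESTAMP=1980-01-01
export KBUILD_BUILD_USER=user
export KBUILD_BUILD_HOST=host
export KBUILD_BUILD_VERSION=1

# Fall back to shasum on systems without coreutils sha256sum.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# stand_in_build OUTDIR: constructed stand-in for `make`. It writes a banner
# carrying the same metadata a kernel build embeds, plus a file whose content
# does not depend on the environment at all.
stand_in_build() {
    mkdir -p "$1"
    printf 'Linux version (stand-in) %s@%s #%s %s\n' \
        "$KBUILD_BUILD_USER" "$KBUILD_BUILD_HOST" \
        "$KBUILD_BUILD_VERSION" "$KBUILD_BUILD_TIMESTAMP" > "$1/banner"
    printf 'constructed object file contents\n' > "$1/stand-in.o"
}

# hash_tree DIR: one "sha256  ./relative/path" line per regular file, sorted
# so that two trees can be compared line by line.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done )
}

# compare_builds DIR_A DIR_B: return 0 if every file is identical; otherwise
# print the paths that differ (or exist in only one tree) and return 1.
compare_builds() {
    h1=$(mktemp)
    h2=$(mktemp)
    hash_tree "$1" > "$h1"
    hash_tree "$2" > "$h2"
    if cmp -s "$h1" "$h2"; then
        rm -f "$h1" "$h2"
        return 0
    fi
    # diff marks changed lines with < or >; the third field is the path.
    diff "$h1" "$h2" | grep '^[<>]' | awk '{print $3}' | sort -u
    rm -f "$h1" "$h2"
    return 1
}

# Two builds with the variables pinned: the trees must be identical.
pinned_builds_identical() {
    a=$(mktemp -d)
    b=$(mktemp -d)
    stand_in_build "$a"
    stand_in_build "$b"
    compare_builds "$a" "$b"
    rc=$?
    rm -rf "$a" "$b"
    return $rc
}

# Two builds with the timestamp left floating (what an unpinned build does):
# the banner differs and the check must report it.
unpinned_builds_identical() {
    a=$(mktemp -d)
    b=$(mktemp -d)
    ( KBUILD_BUILD_TIMESTAMP=2024-04-18; stand_in_build "$a" )
    ( KBUILD_BUILD_TIMESTAMP=2024-04-19; stand_in_build "$b" )
    compare_builds "$a" "$b"
    rc=$?
    rm -rf "$a" "$b"
    return $rc
}

# Stand-alone run: report both cases.
if pinned_builds_identical; then
    echo "pinned KBUILD_* vars: builds identical"
fi
if unpinned_builds_identical; then
    echo "unpinned timestamp: builds identical (unexpected)"
else
    echo "unpinned timestamp: builds differ in the files listed above"
fi
```

The comparison is deliberately whole-tree rather than just the final image: a host-side tamper that only touched a module or a generated header would still show up as a differing path, which is the property that makes an outside party able to re-check a distro binary.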