[PATCH v3 0/9] module: Introduce hash-based integrity checking

James Bottomley James.Bottomley at HansenPartnership.com
Wed Apr 30 00:05:04 AEST 2025


On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some
> drawbacks in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible,

I don't believe it does: as long as you know what the key was, which
you can get from the kernel keyring, you can exactly reproduce the core
build (it's a public key after all and really equivalent to built in
configuration).  Is the fact that you have to boot the kernel to get
the key the problem?  In which case we could insist it be shipped in
the kernel packaging.

>  or a static key is used, which precludes rebuilds by third parties
> and makes the whole build and packaging process much more
> complicated. 

No, it's the same as above ... as long as you have the public key you
can reproduce the core build with the same end to end hash.

However, is there also a corresponding question of how we verify
reproducibility of kernel builds (and the associated modules ... I
assume for the modules you do strip the appended signature)?  I assume
you're going by the secure boot hash (authenticode hash of the efi stub
and the compressed payload which includes the key).  However, if we had
the vmlinux.o we could do a much more nuanced hash to verify the build,
say by placing the keyring data in a section that isn't hashed.

Regards,

James
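Stripping the appended signature before hashing a module, as the reply above assumes, is an added example and not code from this thread or from the kernel tree. It relies on the kernel's appended-signature layout (module image, signature blob, 12-byte struct module_signature, then the "~Module signature appended~\n" magic); the module bytes and signature blobs below are constructed placeholders, not real signed modules.

```python
import hashlib
import struct

# Appended-signature trailer produced by the kernel's scripts/sign-file:
#   <module image> <signature> <struct module_signature (12 bytes)> <MAGIC>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, u8 pad[3], __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")


def strip_appended_signature(data: bytes) -> bytes:
    """Return the module image without its appended signature (unchanged if unsigned)."""
    if not data.endswith(MAGIC):
        return data
    body = data[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature trailer")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    body = body[: -SIG_STRUCT.size]
    # PKCS#7 signatures (id_type 2) carry signer and key id inside the blob, so
    # signer_len/key_id_len are zero; the legacy raw format puts them before the signature.
    trailer_len = signer_len + key_id_len + sig_len
    if trailer_len > len(body):
        raise ValueError("signature length exceeds file size")
    return body[: len(body) - trailer_len]


def module_payload_sha256(data: bytes) -> str:
    """Hex SHA-256 of the signature-free module image, comparable across rebuilds."""
    return hashlib.sha256(strip_appended_signature(data)).hexdigest()


def append_fake_signature(module: bytes, sig: bytes) -> bytes:
    """Build a signed-looking image for demonstration; sig is an arbitrary placeholder blob."""
    hdr = SIG_STRUCT.pack(0, 0, 2, 0, 0, len(sig))  # id_type 2 == PKEY_ID_PKCS7
    return module + sig + hdr + MAGIC


if __name__ == "__main__":
    module = b"\x7fELF" + b"constructed module body"
    signed_a = append_fake_signature(module, b"\x30\x82" + b"A" * 40)
    signed_b = append_fake_signature(module, b"\x30\x82" + b"B" * 64)
    # Two builds signed with different keys hash identically once the trailer is removed.
    print(module_payload_sha256(signed_a) == module_payload_sha256(signed_b))
```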



More information about the Linuxppc-dev mailing list