The current signature-based module integrity checking has some drawbacks in combination with reproducible builds:
Either the module signing key is generated at build time, which makes the build unreproducible, or a static key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.

Introduce a new mechanism to ensure only well-known modules are loaded by embedding a list of hashes of all modules built as part of the full kernel build into vmlinux.

To properly test the reproducibility in combination with BTF the patch "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0] is also needed.

Questions for current patch:
* Naming
* Can the number of built-in modules be retrieved while building kernel/module/hashes.o?
  This would remove the need for the preallocation step in link-vmlinux.sh.

Further improvements:
* Use a LSM/IMA/Keyring to store and validate hashes
* Make compatible with lockdown
* Use MODULE_SIG_HASH for configuration
* Enable coexistence with MODULE_SIG
* Set mod->sig_ok()
* UAPI for discovery?

[0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@xxxxxxxxxxxxxx/

Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
---
Thomas Weißschuh (2):
      kbuild: add stamp file for vmlinux BTF data
      module: Introduce hash-based integrity checking

 Makefile                          |  8 +++++-
 include/asm-generic/vmlinux.lds.h | 11 +++++++++
 include/linux/module_hashes.h     | 17 +++++++++++++
 kernel/module/Kconfig             | 11 +++++++++
 kernel/module/Makefile            |  1 +
 kernel/module/hashes.c            | 51 +++++++++++++++++++++++++++++++++++++++
 kernel/module/internal.h          |  9 +++++++
 kernel/module/main.c              |  4 +++
 scripts/Makefile.modfinal         |  4 +--
 scripts/Makefile.vmlinux          |  5 ++++
 scripts/link-vmlinux.sh           | 31 +++++++++++++++++++++++-
 scripts/module-hashes.sh          | 26 ++++++++++++++++++++
 12 files changed, 174 insertions(+), 4 deletions(-)
---
base-commit: f722972b5df307d8c93c706c62d2e27e963c8f66
change-id: 20241225-module-hashes-7a50a7cc2a30

Best regards,
-- 
Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
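A model of the two halves of the mechanism described in the cover letter, written as an added example and not taken from the series: the build-time step that hashes every module image and serializes a sorted, fixed-capacity table (standing in for scripts/module-hashes.sh and the preallocation step in link-vmlinux.sh), and the load-time lookup the kernel would perform before accepting a module. The hash algorithm (SHA-256), the little-endian count header, the fixed-capacity layout and the sample module images are assumptions of this example, not details from the patches.

```python
import hashlib
import struct
from bisect import bisect_left

DIGEST_LEN = 32  # SHA-256 digest size; the algorithm is an assumption here


def build_hash_section(module_images, capacity):
    """Build-time side. Hash every module image, sort the digests so the
    kernel can binary-search them, and serialize into a fixed-capacity
    blob: u32 little-endian count, then `capacity` slots of 32 bytes.
    `capacity` models the slots preallocated before vmlinux is linked."""
    digests = sorted(hashlib.sha256(img).digest() for img in module_images)
    if len(digests) > capacity:
        raise ValueError("more modules than preallocated hash slots")
    payload = b"".join(digests).ljust(capacity * DIGEST_LEN, b"\0")
    return struct.pack("<I", len(digests)) + payload


def parse_hash_section(section):
    """Read back only the populated slots; padding after them is ignored."""
    (count,) = struct.unpack_from("<I", section, 0)
    body = section[4:4 + count * DIGEST_LEN]
    return [body[i:i + DIGEST_LEN] for i in range(0, len(body), DIGEST_LEN)]


def module_allowed(section, image):
    """Load-time side. Hash the candidate module and look the digest up in
    the sorted table; anything not produced by the kernel build is refused,
    including a module whose image differs by a single byte."""
    table = parse_hash_section(section)
    digest = hashlib.sha256(image).digest()
    i = bisect_left(table, digest)
    return i < len(table) and table[i] == digest


# Constructed stand-ins for module images (not real ELF objects).
MODULES = [b"\x7fELF module A", b"\x7fELF module B", b"\x7fELF module C"]
SECTION = build_hash_section(MODULES, capacity=8)

if __name__ == "__main__":
    print(module_allowed(SECTION, MODULES[1]))          # True
    print(module_allowed(SECTION, b"\x7fELF module X"))  # False
```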