Hey Thomas, On 25/01/20 06:44PM, Thomas Weißschuh wrote: > Thomas Weißschuh (6): > kbuild: add stamp file for vmlinux BTF data > module: Make module loading policy usable without MODULE_SIG > module: Move integrity checks into dedicated function > module: Move lockdown check into generic module loader > lockdown: Make the relationship to MODULE_SIG a dependency > module: Introduce hash-based integrity checking thanks for working on this! I had a look at this patch series together with kpcyrd over the weekend and we were able to verify that this indeed allows one to get a reproducible kernel image with the toolchain on Arch Linux (if the patch you mentioned in your cover letter is also applied), which is of course great news! :) We also found a major issues with it, as adding it on top of the v6.13 kernel and setting the needed config options while removing modules signatures made the kernel unable to load any module while also not printing any error for the failure, therefore resulting in an early boot failure on my machine. Do you have any clue what could be going wrong here or what we could investigate? I have pushed my build config into [this repository][0] and also uploaded a prebuilt version (signed with my packager key) [here][1] (you can therefore just install it via "sudo pacman -U <link>"). Happy to test more stuff, feel free to CC me on any further revision / thread on this! Cheers, Christian [0]: https://gitlab.archlinux.org/gromit/linux-mainline-repro-test [1]: https://pkgbuild.com/~gromit/linux-bisection-kernels/linux-mainline-6.13-1.2-x86_64.pkg.tar.zst
Attachment:
signature.asc
Description: PGP signature
