Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking


 



On 2025-02-03 14:14:41+0100, Christian Heusel wrote:
> Hey Thomas,
> 
> On 25/01/20 06:44PM, Thomas Weißschuh wrote:
> > Thomas Weißschuh (6):
> >       kbuild: add stamp file for vmlinux BTF data
> >       module: Make module loading policy usable without MODULE_SIG
> >       module: Move integrity checks into dedicated function
> >       module: Move lockdown check into generic module loader
> >       lockdown: Make the relationship to MODULE_SIG a dependency
> >       module: Introduce hash-based integrity checking
> 
> thanks for working on this!
> 
> I had a look at this patch series together with kpcyrd over the weekend
> and we were able to verify that this indeed allows one to get a
> reproducible kernel image with the toolchain on Arch Linux (if the patch
> you mentioned in your cover letter is also applied), which is of course
> great news! :)

Great!
FYI the BTF patch shouldn't be necessary anymore with pahole 1.29.

> We also found a major issue with it, as adding it on top of the v6.13
> kernel and setting the needed config options while removing module
> signatures made the kernel unable to load any module while also not
> printing any error for the failure, therefore resulting in an early boot
> failure on my machine.
> 
> Do you have any clue what could be going wrong here or what we could
> investigate? I have pushed my build config into [this repository][0] and
> also uploaded a prebuilt version (signed with my packager key)
> [here][1] (you can therefore just install it via "sudo pacman -U
> <link>").

I would guess the issue is the usage of INSTALL_MOD_STRIP.

What are the contents of .tmp_module_hashes.c ?
Do they match the hashes from the build directory and package?
You can also enable CONFIG_MODULE_DEBUG and '#define DEBUG' in
kernel/module/hashes.c.

> Happy to test more stuff, feel free to CC me on any further revision /
> thread on this!

Will do!

> Cheers,
> Christian
> 
> [0]: https://gitlab.archlinux.org/gromit/linux-mainline-repro-test
> [1]: https://pkgbuild.com/~gromit/linux-bisection-kernels/linux-mainline-6.13-1.2-x86_64.pkg.tar.zst
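
One way to check whether the modules in the build directory and in the package hash the same, as asked in the reply above. This is an added example, not part of the original message or the patch series. It assumes SHA-256, uncompressed .ko files, and an install directory argument whose layout mirrors the build tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare module hashes between a kernel
# build tree and an unpacked package. Assumptions: SHA-256, uncompressed .ko
# files, and that $2 is the directory whose layout mirrors the build tree
# (e.g. <pkgroot>/usr/lib/modules/<version>/kernel).

# sha256_of FILE: print only the hex digest of FILE.
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# compare_module_hashes BUILD_DIR INSTALL_DIR
# Prints one line per module that is missing or differs; returns 1 if any do.
compare_module_hashes() {
    build_dir=$1
    install_dir=$2
    rc=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue          # empty list yields one empty line
        rel=${rel#./}
        if [ ! -f "$install_dir/$rel" ]; then
            echo "MISSING  $rel"
            rc=1
            continue
        fi
        built=$(sha256_of "$build_dir/$rel")
        installed=$(sha256_of "$install_dir/$rel")
        if [ "$built" != "$installed" ]; then
            # The file changed after it was built, e.g. stripped at install time.
            echo "MISMATCH $rel build=$built installed=$installed"
            rc=1
        fi
    done <<EOF
$(cd "$build_dir" && find . -type f -name '*.ko' | LC_ALL=C sort)
EOF
    return $rc
}
```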





