On Mon, 2025-01-20 at 18:44 +0100, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a static key is used, which precludes
> rebuilds by third parties and makes the whole build and packaging
> process much more complicated.
> Introduce a new mechanism to ensure only well-known modules are loaded
> by embedding a list of hashes of all modules built as part of the full
> kernel build into vmlinux.
> 
> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
> 
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
> (If you happen to test that one, please give some feedback)
> 
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
>   kernel/module/hashes.o? This would remove the need for the
>   preallocation step in link-vmlinux.sh.
> 
> Further improvements:
> * Use a LSM/IMA/Keyring to store and validate hashes

+ linux-integrity, Mimi

Hi Thomas

I developed something related to it, it is called Integrity Digest Cache
[1]. It has the ability to store in the kernel memory a cache of digests
extracted from a file (or if desired in the future, from a reserved area
in the kernel image).

It exposes an API to query a digest (get/lookup/put) from a digest cache
and to verify whether or not the integrity of the file the digests were
extracted from was verified by IMA or another LSM (verif_set/verif_get).

Roberto

[1]: https://lore.kernel.org/linux-integrity/20241119104922.2772571-1-roberto.sassu@xxxxxxxxxxxxxxx/

> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
> 
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@xxxxxxxxxxxxxx/
> 
> Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
> ---
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@xxxxxxxxxxxxxx
> 
> ---
> Thomas Weißschuh (6):
>       kbuild: add stamp file for vmlinux BTF data
>       module: Make module loading policy usable without MODULE_SIG
>       module: Move integrity checks into dedicated function
>       module: Move lockdown check into generic module loader
>       lockdown: Make the relationship to MODULE_SIG a dependency
>       module: Introduce hash-based integrity checking
> 
>  .gitignore                                   |  1 +
>  Documentation/kbuild/reproducible-builds.rst |  5 ++-
>  Makefile                                     |  8 ++++-
>  include/asm-generic/vmlinux.lds.h            | 11 ++++++
>  include/linux/module.h                       |  8 ++---
>  include/linux/module_hashes.h                | 17 +++++++++
>  kernel/module/Kconfig                        | 21 ++++++++++-
>  kernel/module/Makefile                       |  1 +
>  kernel/module/hashes.c                       | 52 +++++++++++++++++++++++++++
>  kernel/module/internal.h                     |  8 +----
>  kernel/module/main.c                         | 54 +++++++++++++++++++++++++---
>  kernel/module/signing.c                      | 24 +------------
>  scripts/Makefile.modfinal                    | 10 ++++--
>  scripts/Makefile.vmlinux                     |  5 +++
>  scripts/link-vmlinux.sh                      | 31 +++++++++++++++-
>  scripts/module-hashes.sh                     | 26 ++++++++++++++
>  security/lockdown/Kconfig                    |  2 +-
>  17 files changed, 238 insertions(+), 46 deletions(-)
> ---
> base-commit: 2cd5917560a84d69dd6128b640d7a68406ff019b
> change-id: 20241225-module-hashes-7a50a7cc2a30
> 
> Best regards,
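The allowlist model the cover letter describes, as an added illustration that is not code from the patch series or from either author: a build-time step hashes every module and emits a sorted table (the analogue of what module-hashes.sh feeds into vmlinux), and a load-time check accepts a module only if its digest is present. Everything below is a user-space model; the hash algorithm (SHA-256), the sorted-table layout, and the byte blobs standing in for .ko files are assumptions for the example, not details taken from the series.

```python
"""User-space model of hash-based module allowlisting.

Added example, not code from the kernel patch series. Assumptions:
  * the build-time digest is SHA-256 over the whole module file
    (the series makes the algorithm configurable; SHA-256 is a guess),
  * the table is sorted so the loader can binary-search it and so the
    table bytes are identical regardless of the order modules were built,
  * the "modules" are constructed byte strings standing in for .ko files.
"""
import bisect
import hashlib
from typing import Iterable, List

HASH_ALG = "sha256"                       # assumed for this example
DIGEST_LEN = hashlib.new(HASH_ALG).digest_size

# Constructed stand-ins for modules produced by one full kernel build.
BUILT_MODULES = {
    "ext4.ko":    b"\x7fELF-ext4-constructed-module-body",
    "nf_conntrack.ko": b"\x7fELF-nf_conntrack-constructed-module-body",
    "xfs.ko":     b"\x7fELF-xfs-constructed-module-body",
}


def module_digest(blob: bytes) -> bytes:
    """Digest of the exact bytes the loader will receive."""
    return hashlib.new(HASH_ALG, blob).digest()


def build_hash_table(modules: Iterable[bytes]) -> List[bytes]:
    """Build-time step: one digest per built module, de-duplicated and
    sorted. Sorting makes the table content a pure function of the set of
    module files, which is what a reproducible build needs."""
    return sorted({module_digest(m) for m in modules})


def serialize_table(table: List[bytes]) -> bytes:
    """The blob that would be linked into vmlinux: fixed-size digests
    concatenated back to back (assumed layout for this example)."""
    return b"".join(table)


def parse_table(raw: bytes) -> List[bytes]:
    """Loader-side view of the embedded blob, split into digests."""
    if len(raw) % DIGEST_LEN:
        raise ValueError("hash table size is not a multiple of the digest size")
    return [raw[i:i + DIGEST_LEN] for i in range(0, len(raw), DIGEST_LEN)]


def is_allowed(table: List[bytes], blob: bytes) -> bool:
    """Load-time check: binary search for the module's digest in the
    table that was embedded at build time."""
    d = module_digest(blob)
    i = bisect.bisect_left(table, d)
    return i < len(table) and table[i] == d


def load_module(table: List[bytes], blob: bytes) -> str:
    """Model of the integrity check in the module loader: refuse anything
    whose digest is not in the built-in list."""
    if not is_allowed(table, blob):
        raise PermissionError("module digest not in built-in hash list")
    return "loaded"


if __name__ == "__main__":
    table = parse_table(serialize_table(build_hash_table(BUILT_MODULES.values())))
    print("ext4.ko:", load_module(table, BUILT_MODULES["ext4.ko"]))
    try:
        load_module(table, b"\x7fELF-out-of-tree-module-body")
    except PermissionError as e:
        print("out-of-tree module:", e)
```

Two properties worth checking against a real implementation of this scheme are visible here: the table must be computed over exactly the bytes the loader will see (any post-processing of the .ko after hashing, such as stripping or signing, changes the digest and makes the module unloadable), and the table must be order-independent, otherwise two builds with identical inputs but different build parallelism produce different vmlinux images and the reproducibility goal is lost.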