Thread: 17 messages, 6 authors, 2025-03-06

Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking

From: Christian Heusel <christian@heusel.eu>
Date: 2025-02-03 13:14:59
Also in: linux-arch, linux-integrity, linux-kbuild, linux-modules, linux-security-module, lkml

Hey Thomas,

On 25/01/20 06:44PM, Thomas Weißschuh wrote:
> Thomas Weißschuh (6):
>       kbuild: add stamp file for vmlinux BTF data
>       module: Make module loading policy usable without MODULE_SIG
>       module: Move integrity checks into dedicated function
>       module: Move lockdown check into generic module loader
>       lockdown: Make the relationship to MODULE_SIG a dependency
>       module: Introduce hash-based integrity checking

thanks for working on this!

I had a look at this patch series together with kpcyrd over the weekend
and we were able to verify that this indeed allows one to get a
reproducible kernel image with the toolchain on Arch Linux (if the patch
you mentioned in your cover letter is also applied), which is of course
great news! :)

We also found a major issue with it, as adding it on top of the v6.13
kernel and setting the needed config options while removing module
signatures made the kernel unable to load any module while also not
printing any error for the failure, therefore resulting in an early boot
failure on my machine.

Do you have any clue what could be going wrong here or what we could
investigate? I have pushed my build config into [this repository][0] and
also uploaded a prebuilt version (signed with my packager key)
[here][1] (you can therefore just install it via "sudo pacman -U
<link>").

Happy to test more stuff, feel free to CC me on any further revision /
thread on this!

Cheers,
Christian

[0]: https://gitlab.archlinux.org/gromit/linux-mainline-repro-test
[1]: https://pkgbuild.com/~gromit/linux-bisection-kernels/linux-mainline-6.13-1.2-x86_64.pkg.tar.zst
