Thread (17 messages), 6 authors, 2025-03-06

Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking

From: Câju Mihai-Drosi <hidden>
Date: 2025-01-25 21:16:31
Also in: linux-arch, linux-doc, linux-kbuild, linux-modules, lkml

On 1/20/25 19:44, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a static key is used, which precludes
> rebuilds by third parties and makes the whole build and packaging
> process much more complicated.
> Introduce a new mechanism to ensure only well-known modules are loaded
> by embedding a list of hashes of all modules built as part of the full
> kernel build into vmlinux.
>
> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
>
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
> (If you happen to test that one, please give some feedback)
>
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
>    kernel/module/hashes.o? This would remove the need for the
>    preallocation step in link-vmlinux.sh.
>
> Further improvements:
> * Use a LSM/IMA/Keyring to store and validate hashes
> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
>
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/

Hello,

Thank you for your work on helping to enable kernel lockdown coupled 
with reproducible builds.

This may be out of scope for this patch series, however I think it is worth 
considering: How does one include hashes of modules that have not been 
built as part of the kernel into the array? For example a DKMS module or 
NVIDIA driver?

A solution that may be worth considering would be to include a list of 
module hashes into the kernel command-line. It may be even worth 
considering keeping a dynamic array of hashes that can be locked at a 
given point in time?

All the best,
Mihai

> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> ---
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
>
> ---
> Thomas Weißschuh (6):
>        kbuild: add stamp file for vmlinux BTF data
>        module: Make module loading policy usable without MODULE_SIG
>        module: Move integrity checks into dedicated function
>        module: Move lockdown check into generic module loader
>        lockdown: Make the relationship to MODULE_SIG a dependency
>        module: Introduce hash-based integrity checking
>
>   .gitignore                                   |  1 +
>   Documentation/kbuild/reproducible-builds.rst |  5 ++-
>   Makefile                                     |  8 ++++-
>   include/asm-generic/vmlinux.lds.h            | 11 ++++++
>   include/linux/module.h                       |  8 ++---
>   include/linux/module_hashes.h                | 17 +++++++++
>   kernel/module/Kconfig                        | 21 ++++++++++-
>   kernel/module/Makefile                       |  1 +
>   kernel/module/hashes.c                       | 52 +++++++++++++++++++++++++++
>   kernel/module/internal.h                     |  8 +----
>   kernel/module/main.c                         | 54 +++++++++++++++++++++++++---
>   kernel/module/signing.c                      | 24 +------------
>   scripts/Makefile.modfinal                    | 10 ++++--
>   scripts/Makefile.vmlinux                     |  5 +++
>   scripts/link-vmlinux.sh                      | 31 +++++++++++++++-
>   scripts/module-hashes.sh                     | 26 ++++++++++++++
>   security/lockdown/Kconfig                    |  2 +-
>   17 files changed, 238 insertions(+), 46 deletions(-)
> ---
> base-commit: 2cd5917560a84d69dd6128b640d7a68406ff019b
> change-id: 20241225-module-hashes-7a50a7cc2a30
>
> Best regards,
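
Added example, not code from the patch series or from either author: a minimal user-space sketch of the idea raised in the reply above, a module hash list that accepts extra digests (for example for an out-of-tree module) until it is locked, after which it can only be queried. The names `struct hash_list`, `hash_list_add` and `hash_list_allows`, the SHA-256 digest size and the fixed capacity are all assumptions; the series' own kernel/module/hashes.c is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 32 /* assumption: SHA-256 digests */
#define MAX_HASHES 64 /* assumption: fixed, preallocated capacity */

struct hash_list {
	uint8_t digest[MAX_HASHES][DIGEST_LEN]; /* kept sorted for bsearch() */
	size_t count;
	bool sealed; /* one-way: once set, no more additions */
};

static int digest_cmp(const void *a, const void *b)
{
	return memcmp(a, b, DIGEST_LEN);
}

/* Load-time check: is this module digest on the list? */
bool hash_list_allows(const struct hash_list *l, const uint8_t *d)
{
	return bsearch(d, l->digest, l->count, DIGEST_LEN, digest_cmp) != NULL;
}

/* Sorted insert; returns -1 once the list is sealed or full. */
int hash_list_add(struct hash_list *l, const uint8_t *d)
{
	size_t i = 0;
	if (l->sealed || l->count == MAX_HASHES)
		return -1;
	while (i < l->count && memcmp(l->digest[i], d, DIGEST_LEN) < 0)
		i++;
	memmove(l->digest + i + 1, l->digest + i, (l->count - i) * DIGEST_LEN);
	memcpy(l->digest + i, d, DIGEST_LEN);
	l->count++;
	return 0;
}

int main(void)
{
	static struct hash_list l; /* zero-initialised: empty, unsealed */
	uint8_t dkms[DIGEST_LEN]; /* constructed digest, not a real module hash */
	memset(dkms, 0xAA, DIGEST_LEN);
	hash_list_add(&l, dkms); /* accepted: list not yet locked */
	l.sealed = true; /* lock the list */
	printf("allowed=%d late_add=%d\n", hash_list_allows(&l, dkms), hash_list_add(&l, dkms));
	return 0;
}
```

In this sketch the security property rests on `sealed` never being cleared and on who is able to call `hash_list_add` before the lock; both are design questions the thread leaves open.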
  