Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking

[PATCH v3 0/9] module: Introduce hash-based integrity checking · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 4/9] kbuild: generate module BTF based on vmlinux.unstripped · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
Re: [PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG · Mimi Zohar <zohar@linux.ibm.com> · 2025-05-14
[PATCH v3 6/9] module: Move integrity checks into dedicated function · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 5/9] module: Make module loading policy usable without MODULE_SIG · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
Re: [PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency · Paul Moore <paul@paul-moore.com> · 2025-04-29
[PATCH v3 9/9] module: Introduce hash-based integrity checking · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 3/9] kbuild: add stamp file for vmlinux BTF data · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
[PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG · Mimi Zohar <zohar@linux.ibm.com> · 2025-05-14
Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG · Mimi Zohar <zohar@linux.ibm.com> · 2025-05-14
Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG · Thomas Weißschuh <linux@weissschuh.net> · 2025-05-14
Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG · Mimi Zohar <zohar@linux.ibm.com> · 2025-05-14
[PATCH v3 7/9] module: Move lockdown check into generic module loader · Thomas Weißschuh <linux@weissschuh.net> · 2025-04-29
Re: [PATCH v3 7/9] module: Move lockdown check into generic module loader · Sebastian Andrzej Siewior <bigeasy@linutronix.de> · 2025-11-19
Re: [PATCH v3 7/9] module: Move lockdown check into generic module loader · Paul Moore <paul@paul-moore.com> · 2025-11-19
Re: [PATCH v3 7/9] module: Move lockdown check into generic module loader · Sebastian Andrzej Siewior <bigeasy@linutronix.de> · 2025-11-23
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-04-29
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Thomas Weißschuh <linux@weissschuh.net> · 2025-05-02
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-05-02
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · kpcyrd <hidden> · 2025-05-02
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-05-06
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Arnout Engelen <hidden> · 2025-05-03
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-05-06
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Arnout Engelen <hidden> · 2025-05-07
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-05-07
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Fabian Grünbichler <hidden> · 2025-05-08
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Sebastian Andrzej Siewior <bigeasy@linutronix.de> · 2025-11-19
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Sebastian Andrzej Siewior <hidden> · 2025-11-23
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Thomas Weißschuh <linux@weissschuh.net> · 2025-11-24
Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking · Mimi Zohar <zohar@linux.ibm.com> · 2025-05-16

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: 2025-11-19 15:48:41
Also in: linux-arch, linux-doc, linux-integrity, linux-kbuild, linux-modules, linux-security-module, lkml

On 2025-04-29 10:05:04 [-0400], James Bottomley wrote:

On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:

quoted

The current signature-based module integrity checking has some
drawbacks in combination with reproducible builds:
Either the module signing key is generated at build time, which makes
the build unreproducible,

I don't believe it does: as long as you know what the key was, which
you can get from the kernel keyring, you can exactly reproduce the core
build (it's a public key after all and really equivalent to built in
configuration).  Is the fact that you have to boot the kernel to get
the key the problem?  In which case we could insist it be shipped in
the kernel packaging.

The kernel itself is signed. This is not a problem because distros have
the "unsigned" package which is used for comparison.
The modules are signed by an ephemeral key which is created at build
time. This is where the problem starts:
- the public key is embedded into the kernel. Extracting it with tooling
  is possible (or it is part of the kernel package). Adding this key
  into the build process while rebuilding the kernel should work.
  This will however alter the build process and is not *the* original
  one, which was used to build the image.

- the private key remains unknown which means the modules can not be
  signed. The rebuilding would need to get past this limitation and the
  logic must not be affected by this "change". Then the modules need to
  be stripped of their signature for the comparison.

Doing all this requires additional handling/ tooling on the "validation"
infrastructure. This infrastructure works currently without special
care.
Adding special care will not build the package exactly like it has been
built originally _and_ the results need to be interpreted (as in we
remove this signature and do this and now it is fine).

Adding hashes of each module into the kernel image looks like a
reasonable thing to do. I don't see any downsides to this. Yes, you are
limited to the modules available at build time but this is also the case
today with the ephemeral key. It is meant for distros not for individual
developers testing their code.

With this change it is possible to build a kernel and its modules and
put the result in an archive such as tar/ deb/ rpm. You can build the
package _again_ following exactly the same steps as you did before and
the result will be the identical archive.
Bit by bit.
No need for interpreting the results, stripping signatures or altering
the build process.

I fully agree with this approach. I don't like the big hash array but I
have an idea how to optimize that part. So I don't see a problem in the
long term.

Regards,

James

Sebastian

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help