| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Nov 2009 08:24:39 +0100 From: Ingo Molnar <mingo@...e.hu> To: Roland McGrath <roland@...hat.com> Cc: Masami Hiramatsu <mhiramat@...hat.com>, Arnaldo Carvalho de Melo <acme@...hat.com>, Frédéric Weisbecker <fweisbec@...il.com>, lkml <linux-kernel@...r.kernel.org>, Steven Rostedt <rostedt@...dmis.org>, Jim Keniston <jkenisto@...ibm.com>, Ananth N Mavinakayanahalli <ananth@...ibm.com>, Christoph Hellwig <hch@...radead.org>, "Frank Ch. Eigler" <fche@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, Jason Baron <jbaron@...hat.com>, "K.Prasad" <prasad@...ux.vnet.ibm.com>, Peter Zijlstra <peterz@...radead.org>, Srikar Dronamraju <srikar@...ux.vnet.ibm.com>, systemtap <systemtap@...rces.redhat.com>, DLE <dle-develop@...ts.sourceforge.net> Subject: Re: [PATCH -tip perf/probes 00/10] x86 insn decoder bugfixes * Roland McGrath <roland@...hat.com> wrote: > > Thirdly, i think we should expose the build-id of the kernel and the > > path to the vmlinux (and modules) via /proc/build-id or so. That way > > tooling can find the vmlinux file and can validate that it matches > > the kernel's signature. (maybe include a file date as well - that's > > a faster check than a full build-id checksum, especially for large > > kernels) > > You seem to be confused about what build IDs are. There is no > "checksum validation". Once the bits are stored there is no > calculation ever done again, only exact comparison with an expected > build ID bitstring. The size of an object file is immaterial. > > As Frank mentioned, the kernel's and modules' allocated ELF notes (and > thus build IDs) are already exposed in /sys. Tools like "eu-unstrip > -nk" use this information today. Ah, i didnt realize we link with --build-id already, unconditonally, since v2.6.23 (if ld supports it): | | From 18991197b4b588255ccabf472ebc84db7b66a19c Mon Sep 17 00:00:00 2001 | From: Roland McGrath <roland@...hat.com> | Date: Thu, 19 Jul 2007 01:48:40 -0700 | Subject: [PATCH] Use --build-id ld option | | This change passes the --build-id when linking the kernel and when | linking modules, if ld supports it. This is a new GNU ld option that | synthesizes an ELF note section inside the read-only data. The note in | this section contains unique identifying bits called the "build ID", | which are generated so as to be different for any two linked ELF files | that aren't identical. | So we have an SHA1 build-id already on the vmlinux and on modules, and it's exposed in /sys/*/*/notes. Just have to make use of it in tools/perf too. The other useful addition i mentioned isnt implemented yet: to emit an ELF note of the absolute path of the output directory the kernel was built in as well. This information is not available right now, and it would be a place to look in to search for the vmlinux and the modules. What do you think? Also, if we do this, is there a standard way to name it , or should i just pick a suitably new, Linux-specific name for that? Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists