Message-Id: <20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net>
Date: Wed, 25 Dec 2024 23:51:58 +0100
From: Thomas Weißschuh <linux@...ssschuh.net>
To: Masahiro Yamada <masahiroy@...nel.org>,
Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>,
Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>,
Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>,
Daniel Gomez <da.gomez@...sung.com>
Cc: linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-modules@...r.kernel.org,
Thomas Weißschuh <linux@...ssschuh.net>
Subject: [PATCH RFC 0/2] module: Introduce hash-based integrity checking

The current signature-based module integrity checking has some drawbacks
in combination with reproducible builds:

Either the module signing key is generated at build time, which makes
the build unreproducible, or a static key is used, which precludes
rebuilds by third parties and makes the whole build and packaging
process much more complicated.

Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a list of hashes of all modules built as part of the full
kernel build into vmlinux.

To properly test the reproducibility in combination with BTF the patch
"[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
is also needed.

Questions for current patch:
* Naming
* Can the number of built-in modules be retrieved while building
  kernel/module/hashes.o? This would remove the need for the
  preallocation step in link-vmlinux.sh.

Further improvements:
* Use a LSM/IMA/Keyring to store and validate hashes
* Make compatible with lockdown
* Use MODULE_SIG_HASH for configuration
* Enable coexistence with MODULE_SIG
* Set mod->sig_ok()
* UAPI for discovery?

[0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/

Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
---
Thomas Weißschuh (2):
      kbuild: add stamp file for vmlinux BTF data
      module: Introduce hash-based integrity checking

 Makefile                          |  8 +++++-
 include/asm-generic/vmlinux.lds.h | 11 +++++++++
 include/linux/module_hashes.h     | 17 +++++++++++++
 kernel/module/Kconfig             | 11 +++++++++
 kernel/module/Makefile            |  1 +
 kernel/module/hashes.c            | 51 +++++++++++++++++++++++++++++++++++++++
 kernel/module/internal.h          |  9 +++++++
 kernel/module/main.c              |  4 +++
 scripts/Makefile.modfinal         |  4 +--
 scripts/Makefile.vmlinux          |  5 ++++
 scripts/link-vmlinux.sh           | 31 +++++++++++++++++++++++-
 scripts/module-hashes.sh          | 26 ++++++++++++++++++++
 12 files changed, 174 insertions(+), 4 deletions(-)
---
base-commit: f722972b5df307d8c93c706c62d2e27e963c8f66
change-id: 20241225-module-hashes-7a50a7cc2a30

Best regards,
--
Thomas Weißschuh <linux@...ssschuh.net>
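
A userspace model of the mechanism described in the cover letter above, added here as an example and not taken from the patch series: it contrasts a per-build key with an embedded hash list with respect to reproducibility, and shows the load-time check rejecting a modified image. SHA-256, the sorted flat table layout, all function names, the sample images and the HMAC stand-in for a build-time signing key are assumptions.

```python
import hashlib
import hmac
import os

DIGEST_SIZE = hashlib.sha256().digest_size  # assumption: SHA-256, 32 bytes


def build_hash_table(modules):
    """Build step: flat table of the sorted digests of every module image."""
    digests = sorted(hashlib.sha256(image).digest() for image in modules.values())
    return b"".join(digests)


def module_allowed(table, image):
    """Load step: accept an image only if its digest is in the embedded table."""
    if len(table) % DIGEST_SIZE:
        raise ValueError("truncated hash table")
    known = {table[i:i + DIGEST_SIZE] for i in range(0, len(table), DIGEST_SIZE)}
    return hashlib.sha256(image).digest() in known


def tag_with_build_time_key(modules):
    """Stand-in for signing with a key generated during the build.

    HMAC with a fresh random key replaces a real asymmetric signature here;
    it only models that the output depends on a per-build secret.
    """
    key = os.urandom(32)
    return {n: hmac.new(key, m, hashlib.sha256).digest() for n, m in modules.items()}


# Constructed sample module images (not real kernel modules).
MODULES = {
    "demo_a.ko": b"\x7fELF constructed module A",
    "demo_b.ko": b"\x7fELF constructed module B",
}

if __name__ == "__main__":
    table = build_hash_table(MODULES)
    rebuilt = build_hash_table(dict(reversed(list(MODULES.items()))))
    print("hash table reproducible:", table == rebuilt)
    print("keyed tags reproducible:",
          tag_with_build_time_key(MODULES) == tag_with_build_time_key(MODULES))
    print("pristine module allowed:", module_allowed(table, MODULES["demo_a.ko"]))
    print("patched module allowed: ", module_allowed(table, MODULES["demo_a.ko"] + b"\x00"))
```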