lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net>
Date: Mon, 20 Jan 2025 18:44:19 +0100
From: Thomas Weißschuh <linux@...ssschuh.net>
To: Masahiro Yamada <masahiroy@...nel.org>, 
 Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>, 
 Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>, 
 Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, 
 Daniel Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>, 
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
 Jonathan Corbet <corbet@....net>
Cc: Fabian Grünbichler <f.gruenbichler@...xmox.com>, 
 Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, 
 kpcyrd <kpcyrd@...hlinux.org>, linux-kbuild@...r.kernel.org, 
 linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org, 
 linux-modules@...r.kernel.org, linux-security-module@...r.kernel.org, 
 linux-doc@...r.kernel.org, 
 Thomas Weißschuh <linux@...ssschuh.net>
Subject: [PATCH v2 0/6] module: Introduce hash-based integrity checking

The current signature-based module integrity checking has some drawbacks
in combination with reproducible builds:
Either the module signing key is generated at build time, which makes
the build unreproducible, or a static key is used, which precludes
rebuilds by third parties and makes the whole build and packaging
process much more complicated.
Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a list of hashes of all modules built as part of the full
kernel build into vmlinux.

Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
general reproducible builds community.

To properly test the reproducibility in combination with CONFIG_INFO_BTF
another patch is needed:
"[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
(If you happen to test that one, please give some feedback)

Questions for current patch:
* Naming
* Can the number of built-in modules be retrieved while building
  kernel/module/hashes.o? This would remove the need for the
  preallocation step in link-vmlinux.sh.

Further improvements:
* Use a LSM/IMA/Keyring to store and validate hashes
* Use MODULE_SIG_HASH for configuration
* UAPI for discovery?

[0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/

Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
---
Changes in v2:
- Drop RFC state
- Mention interested parties in cover letter
- Expand Kconfig description
- Add compatibility with CONFIG_MODULE_SIG
- Parallelize module-hashes.sh
- Update Documentation/kbuild/reproducible-builds.rst
- Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net

---
Thomas Weißschuh (6):
      kbuild: add stamp file for vmlinux BTF data
      module: Make module loading policy usable without MODULE_SIG
      module: Move integrity checks into dedicated function
      module: Move lockdown check into generic module loader
      lockdown: Make the relationship to MODULE_SIG a dependency
      module: Introduce hash-based integrity checking

 .gitignore                                   |  1 +
 Documentation/kbuild/reproducible-builds.rst |  5 ++-
 Makefile                                     |  8 ++++-
 include/asm-generic/vmlinux.lds.h            | 11 ++++++
 include/linux/module.h                       |  8 ++---
 include/linux/module_hashes.h                | 17 +++++++++
 kernel/module/Kconfig                        | 21 ++++++++++-
 kernel/module/Makefile                       |  1 +
 kernel/module/hashes.c                       | 52 +++++++++++++++++++++++++++
 kernel/module/internal.h                     |  8 +----
 kernel/module/main.c                         | 54 +++++++++++++++++++++++++---
 kernel/module/signing.c                      | 24 +------------
 scripts/Makefile.modfinal                    | 10 ++++--
 scripts/Makefile.vmlinux                     |  5 +++
 scripts/link-vmlinux.sh                      | 31 +++++++++++++++-
 scripts/module-hashes.sh                     | 26 ++++++++++++++
 security/lockdown/Kconfig                    |  2 +-
 17 files changed, 238 insertions(+), 46 deletions(-)
---
base-commit: 2cd5917560a84d69dd6128b640d7a68406ff019b
change-id: 20241225-module-hashes-7a50a7cc2a30

Best regards,
-- 
Thomas Weißschuh <linux@...ssschuh.net>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ