lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <91eadb0b-d898-43ca-9c10-48363e1c3e7a@gmail.com>
Date: Sat, 25 Jan 2025 23:16:27 +0200
From: Câju Mihai-Drosi <mcaju95@...il.com>
To: Thomas Weißschuh <linux@...ssschuh.net>,
 Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor
 <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>,
 Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>,
 Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>,
 Daniel Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>,
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Jonathan Corbet <corbet@....net>
Cc: Fabian Grünbichler <f.gruenbichler@...xmox.com>,
 Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>,
 kpcyrd <kpcyrd@...hlinux.org>, linux-kbuild@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
 linux-modules@...r.kernel.org, linux-security-module@...r.kernel.org,
 linux-doc@...r.kernel.org
Subject: Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking

On 1/20/25 19:44, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a static key is used, which precludes
> rebuilds by third parties and makes the whole build and packaging
> process much more complicated.
> Introduce a new mechanism to ensure only well-known modules are loaded
> by embedding a list of hashes of all modules built as part of the full
> kernel build into vmlinux.
> 
> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
> 
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
> (If you happen to test that one, please give some feedback)
> 
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
>    kernel/module/hashes.o? This would remove the need for the
>    preallocation step in link-vmlinux.sh.
> 
> Further improvements:
> * Use a LSM/IMA/Keyring to store and validate hashes
> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
> 
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@weissschuh.net/

Hello,

Thank you for your work on helping to enable kernel lockdown coupled 
with reproducible builds.

This may be out scope for this patch series, however I think it is worth 
considering: How does one include hashes of modules that have not been 
built as part of the kernel into the array? For example a DKMS module or 
NVIDIA driver?

A solution that may be worth considering would be to include a list of 
modules hashes into the kernel command-line. It may be even worth 
considering keeping a dynamic array of hashes that can be locked at a 
given point in time?

All the best,
Mihai

> 
> Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
> ---
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
> 
> ---
> Thomas Weißschuh (6):
>        kbuild: add stamp file for vmlinux BTF data
>        module: Make module loading policy usable without MODULE_SIG
>        module: Move integrity checks into dedicated function
>        module: Move lockdown check into generic module loader
>        lockdown: Make the relationship to MODULE_SIG a dependency
>        module: Introduce hash-based integrity checking
> 
>   .gitignore                                   |  1 +
>   Documentation/kbuild/reproducible-builds.rst |  5 ++-
>   Makefile                                     |  8 ++++-
>   include/asm-generic/vmlinux.lds.h            | 11 ++++++
>   include/linux/module.h                       |  8 ++---
>   include/linux/module_hashes.h                | 17 +++++++++
>   kernel/module/Kconfig                        | 21 ++++++++++-
>   kernel/module/Makefile                       |  1 +
>   kernel/module/hashes.c                       | 52 +++++++++++++++++++++++++++
>   kernel/module/internal.h                     |  8 +----
>   kernel/module/main.c                         | 54 +++++++++++++++++++++++++---
>   kernel/module/signing.c                      | 24 +------------
>   scripts/Makefile.modfinal                    | 10 ++++--
>   scripts/Makefile.vmlinux                     |  5 +++
>   scripts/link-vmlinux.sh                      | 31 +++++++++++++++-
>   scripts/module-hashes.sh                     | 26 ++++++++++++++
>   security/lockdown/Kconfig                    |  2 +-
>   17 files changed, 238 insertions(+), 46 deletions(-)
> ---
> base-commit: 2cd5917560a84d69dd6128b640d7a68406ff019b
> change-id: 20241225-module-hashes-7a50a7cc2a30
> 
> Best regards,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ