lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <62c93d58-2e27-4304-a6ad-36aa932f18ac@heusel.eu>
Date: Mon, 3 Feb 2025 14:14:41 +0100
From: Christian Heusel <christian@...sel.eu>
To: Thomas Weißschuh <linux@...ssschuh.net>
Cc: Masahiro Yamada <masahiroy@...nel.org>, 
	Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>, 
	Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>, 
	Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, 
	Daniel Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	Jonathan Corbet <corbet@....net>, Fabian Grünbichler <f.gruenbichler@...xmox.com>, 
	Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, 
	kpcyrd <kpcyrd@...hlinux.org>, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-arch@...r.kernel.org, linux-modules@...r.kernel.org, 
	linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking

Hey Thomas,

On 25/01/20 06:44PM, Thomas Weißschuh wrote:
> Thomas Weißschuh (6):
>       kbuild: add stamp file for vmlinux BTF data
>       module: Make module loading policy usable without MODULE_SIG
>       module: Move integrity checks into dedicated function
>       module: Move lockdown check into generic module loader
>       lockdown: Make the relationship to MODULE_SIG a dependency
>       module: Introduce hash-based integrity checking

thanks for working on this!

I had a look at this patch series together with kpcyrd over the weekend
and we were able to verify that this indeed allows one to get a
reproducible kernel image with the toolchain on Arch Linux (if the patch
you mentioned in your cover letter is also applied), which is of course
great news! :)

We also found a major issues with it, as adding it on top of the v6.13
kernel and setting the needed config options while removing modules
signatures made the kernel unable to load any module while also not
printing any error for the failure, therefore resulting in an early boot
failure on my machine.

Do you have any clue what could be going wrong here or what we could
investigate? I have pushed my build config into [this repository][0] and
also uploaded a prebuilt version (signed with my packager key)
[here][1] (you can therefore just install it via "sudo pacman -U
<link>").

Happy to test more stuff, feel free to CC me on any further revision /
thread on this!

Cheers,
Christian

[0]: https://gitlab.archlinux.org/gromit/linux-mainline-repro-test
[1]: https://pkgbuild.com/~gromit/linux-bisection-kernels/linux-mainline-6.13-1.2-x86_64.pkg.tar.zst

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ