lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f1dca9daa01d0d2432c12ecabede3fa1389b1d29.camel@HansenPartnership.com>
Date: Tue, 29 Apr 2025 10:05:04 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Thomas Weißschuh <linux@...ssschuh.net>, Masahiro
 Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Arnd
 Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu
 <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, Daniel
 Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>, James
 Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jonathan
 Corbet <corbet@....net>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael
 Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
 Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao
 <naveen@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu
 <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
 Eric Snowberg <eric.snowberg@...cle.com>, Nicolas Schier
 <nicolas.schier@...ux.dev>
Cc: Fabian Grünbichler <f.gruenbichler@...xmox.com>, 
 Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>,
 kpcyrd <kpcyrd@...hlinux.org>, Christian Heusel <christian@...sel.eu>, 
 Câju Mihai-Drosi <mcaju95@...il.com>,
 linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, 
 linux-arch@...r.kernel.org, linux-modules@...r.kernel.org, 
 linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, 
 linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking

On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some
> drawbacks in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible,

I don't believe it does: as long as you know what the key was, which
you can get from the kernel keyring, you can exactly reproduce the core
build (it's a public key after all and really equivalent to built in
configuration).  Is the fact that you have to boot the kernel to get
the key the problem?  In which case we could insist it be shipped in
the kernel packaging.

>  or a static key is used, which precludes rebuilds by third parties
> and makes the whole build and packaging process much more
> complicated. 

No, it's the same as above ... as long as you have the public key you
can reproduce the core build with the same end to end hash.

However, is there also a corresponding question of how we verify
reproduceability of kernel builds (and the associated modules ... I
assume for the modules you do strip the appended signature)?  I assume
you're going by the secure boot hash (authenticode hash of the efi stub
and the compressed payload which includes the key).  However, if we had
the vmlinux.o we could do a much more nuanced hash to verify the build,
say by placing the keyring data in a section that isn't hashed.

Regards,

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ