| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e619a81c6e72f5e22fe0f8b267574036d7b7e43c.camel@HansenPartnership.com> Date: Tue, 06 May 2025 09:21:48 -0400 From: James Bottomley <James.Bottomley@...senPartnership.com> To: kpcyrd <kpcyrd@...hlinux.org>, Thomas Weißschuh <linux@...ssschuh.net> Cc: Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jonathan Corbet <corbet@....net>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>, Nicolas Schier <nicolas.schier@...ux.dev>, Fabian Grünbichler <f.gruenbichler@...xmox.com>, Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, Christian Heusel <christian@...sel.eu>, Câju Mihai-Drosi <mcaju95@...il.com>, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org, linux-modules@...r.kernel.org, linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking On Sat, 2025-05-03 at 01:43 +0200, kpcyrd wrote: > On 5/2/25 3:30 PM, James Bottomley wrote: [...] > > Or you simply ship tools to remove the signature; > > > > sbattach --remove <signed efi variable> > > > > already does this for you ... > > It reads like you assume somebody sits down and explicitly looks at > the linux package manually, but the reproducible builds tooling > considers the package content to be fully opaque and doesn't have any > special-casing of any package: > > https://github.com/archlinux/archlinux-repro > https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl?ref_type=heads How something is packaged for consumers and what the outputs of a build are are two entirely different things. But if you control packaging, you could actually strip the signatures and place them in an unchecked section as long as you make sure to combine them on installation. > I'd rather not deal with the consequences of weakening the comparison > and possibly introducing exploitable loop-holes in any of the layers > we wouldn't be able to bit-for-bit compare anymore (like e.g. tar). To repeat the point: what everyone would like to do to make life easy is a bit different from what has to be done in the modern era of build provenance requirements. > It would also break the concept of `f(source) -> binary`, "you can > deterministically derive the binary packages from the documented > build inputs", and instead you'd always need to fuzzy-match against > what somebody else built. I think you'll find f -> strip signature ° build Works in the above equation. The point being it's deterministic, not fuzzy. Regards, James
Powered by blists - more mailing lists