[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e619a81c6e72f5e22fe0f8b267574036d7b7e43c.camel@HansenPartnership.com>
Date: Tue, 06 May 2025 09:21:48 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: kpcyrd <kpcyrd@...hlinux.org>, Thomas Weißschuh
<linux@...ssschuh.net>
Cc: Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor
<nathan@...nel.org>, Arnd Bergmann <arnd@...db.de>, Luis Chamberlain
<mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen
<samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, Paul Moore
<paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn"
<serge@...lyn.com>, Jonathan Corbet <corbet@....net>, Madhavan Srinivasan
<maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas
Piggin <npiggin@...il.com>, Christophe Leroy <christophe.leroy@...roup.eu>,
Naveen N Rao <naveen@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>, Roberto
Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin
<dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>,
Nicolas Schier <nicolas.schier@...ux.dev>, Fabian
Grünbichler <f.gruenbichler@...xmox.com>, Arnout Engelen
<arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, Christian Heusel
<christian@...sel.eu>, Câju Mihai-Drosi
<mcaju95@...il.com>, linux-kbuild@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
linux-modules@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-doc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking
On Sat, 2025-05-03 at 01:43 +0200, kpcyrd wrote:
> On 5/2/25 3:30 PM, James Bottomley wrote:
[...]
> > Or you simply ship tools to remove the signature;
> >
> > sbattach --remove <signed efi variable>
> >
> > already does this for you ...
>
> It reads like you assume somebody sits down and explicitly looks at
> the linux package manually, but the reproducible builds tooling
> considers the package content to be fully opaque and doesn't have any
> special-casing of any package:
>
> https://github.com/archlinux/archlinux-repro
> https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl?ref_type=heads
How something is packaged for consumers and what the outputs of a build
are are two entirely different things. But if you control packaging,
you could actually strip the signatures and place them in an unchecked
section as long as you make sure to combine them on installation.
> I'd rather not deal with the consequences of weakening the comparison
> and possibly introducing exploitable loop-holes in any of the layers
> we wouldn't be able to bit-for-bit compare anymore (like e.g. tar).
To repeat the point: what everyone would like to do to make life easy
is a bit different from what has to be done in the modern era of build
provenance requirements.
> It would also break the concept of `f(source) -> binary`, "you can
> deterministically derive the binary packages from the documented
> build inputs", and instead you'd always need to fuzzy-match against
> what somebody else built.
I think you'll find
f -> strip signature ° build
Works in the above equation. The point being it's deterministic, not
fuzzy.
Regards,
James
Powered by blists - more mailing lists