lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e619a81c6e72f5e22fe0f8b267574036d7b7e43c.camel@HansenPartnership.com>
Date: Tue, 06 May 2025 09:21:48 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: kpcyrd <kpcyrd@...hlinux.org>, Thomas Weißschuh
	 <linux@...ssschuh.net>
Cc: Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor
 <nathan@...nel.org>, Arnd Bergmann <arnd@...db.de>, Luis Chamberlain
 <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen
 <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, Paul Moore
 <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn"
 <serge@...lyn.com>, Jonathan Corbet <corbet@....net>, Madhavan Srinivasan
 <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas
 Piggin <npiggin@...il.com>, Christophe Leroy <christophe.leroy@...roup.eu>,
 Naveen N Rao <naveen@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>, Roberto
 Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin
 <dmitry.kasatkin@...il.com>,  Eric Snowberg <eric.snowberg@...cle.com>,
 Nicolas Schier <nicolas.schier@...ux.dev>, Fabian
 Grünbichler <f.gruenbichler@...xmox.com>, Arnout Engelen
 <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, Christian Heusel
 <christian@...sel.eu>,  Câju Mihai-Drosi
 <mcaju95@...il.com>, linux-kbuild@...r.kernel.org,
 linux-kernel@...r.kernel.org,  linux-arch@...r.kernel.org,
 linux-modules@...r.kernel.org,  linux-security-module@...r.kernel.org,
 linux-doc@...r.kernel.org,  linuxppc-dev@...ts.ozlabs.org,
 linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3 0/9] module: Introduce hash-based integrity checking

On Sat, 2025-05-03 at 01:43 +0200, kpcyrd wrote:
> On 5/2/25 3:30 PM, James Bottomley wrote:
[...]
> > Or you simply ship tools to remove the signature;
> > 
> > sbattach --remove <signed efi variable>
> > 
> > already does this for you ...
> 
> It reads like you assume somebody sits down and explicitly looks at
> the linux package manually, but the reproducible builds tooling
> considers the package content to be fully opaque and doesn't have any
> special-casing of any package:
> 
> https://github.com/archlinux/archlinux-repro
> https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl?ref_type=heads

How something is packaged for consumers and what the outputs of a build
are are two entirely different things.  But if you control packaging,
you could actually strip the signatures and place them in an unchecked
section as long as you make sure to combine them on installation.

> I'd rather not deal with the consequences of weakening the comparison
> and possibly introducing exploitable loop-holes in any of the layers
> we wouldn't be able to bit-for-bit compare anymore (like e.g. tar).

To repeat the point: what everyone would like to do to make life easy
is a bit different from what has to be done in the modern era of  build
provenance requirements.

> It would also break the concept of `f(source) -> binary`, "you can 
> deterministically derive the binary packages from the documented
> build inputs", and instead you'd always need to fuzzy-match against
> what somebody else built.

I think you'll find

f -> strip signature ° build

Works in the above equation.  The point being it's deterministic, not
fuzzy.

Regards,

James


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ