CONFIG_MODULE_SIG and the unreproducible Linux Kernel
kpcyrd
kpcyrd at archlinux.org
Sun Dec 29 13:25:03 UTC 2024
On 9/14/24 5:30 PM, kpcyrd wrote:
> My personal favorite implementation of that feature would be a hashset
> of allowed module hashes that is generated during the kernel build and
> then embedded in the kernel image. This approach is authority-less[1],
> can be implemented in a reproducible way, doesn't require access to any
> secrets for building and makes it easy to reason about the set of
> modules the computer will/won't load. As far as I know it's currently
> not possible to configure the Linux build like this, so consider this a
> feature request.
Hello,
somebody implemented the hash-based allow list feature and submitted it
to the Linux kernel mailing list:
https://lore.kernel.org/lkml/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net/
This made me very happy, I hope it gets merged.
cheers,
kpcyrd
More information about the rb-general
mailing list