CONFIG_MODULE_SIG and the unreproducible Linux Kernel
James Addison
jay at jp-hosting.net
Sat Oct 5 14:04:50 UTC 2024
On Thu, 26 Sept 2024 at 09:19, Evangelos Ribeiro Tzaras
<devrtz at fortysixandtwo.eu> wrote:
>
> Hi,
>
> just came across a relevant talk at All Systems Go,
> that I wanted to share:
>
> https://media.ccc.de/v/all-systems-go-2024-296-reproducible-builds-at-sidero-labs-tools-and-techniques
>
>
> --
> Cheers,
>
> Evangelos
> PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19

Thanks! The Q&A after the talk briefly includes a mention of the
dm-verity LoadPin functionality in Linux.

Following that through to the documentation: I wonder whether it would
be possible to use the Linux kernel's Integrity Policy Enforcement[1]
to deploy a policy that would prevent loading of anything except a set
of expected kernel modules.

(Currently I think it would -- and that that might allow dropping
signing of the in-tree modules. But I don't yet notice a way to write
a policy that would allow in-tree modules (that we could
sha256/similar at build-time and reference in the policy by hash)
while also allowing loading of signed out-of-tree modules that a
distro might choose to distribute against a public key included in the
kernel build.)

This message is partly anticipating potential kernel development
pushback of: well, this feature might be possible, but have you
considered the existing IPE functionality?

[1] - https://docs.kernel.org/admin-guide/LSM/ipe.html