CONFIG_MODULE_SIG and the unreproducible Linux Kernel
James Addison
jay at jp-hosting.net
Sat Oct 5 14:42:32 UTC 2024
On Sun, 15 Sept 2024 at 03:47, kpcyrd <kpcyrd at archlinux.org> wrote:
> [ ... snip ... ]
> Modules that are part of the kernel package build could be included in
> the embedded hashset (not needing a signature), but a package with
> additional kernel modules would need access to the distro-controlled
> signing key (and therefore not be reproducible).
>
> Hopefully it would be possible to build computers without these
> packages, allowing for systems built with reproducible-only binaries.
Adding a design-related consideration for this, based on learning
about dm-verity LoadPin and a relatively recent patch[1] applied to
that functionality:
It'd probably be worth specifying whether the embedded hashset would
be derived from either the uncompressed or the compressed
representation of the relevant kernel module files.
(I'd probably lean towards suggesting hashing the uncompressed file
contents, based on my understanding that this is a tight coupling
between a kernel build and its module files anyway -- but I haven't
yet gotten around to confirming whether module decompression (if
configured) always happens in-kernel, for example, and that could be a
further consideration)
[1] - https://lore.kernel.org/lkml/20240514224839.2526112-1-swboyd@chromium.org/
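To make the design question above concrete, here is an added example (not code from the thread, the kernel, or LoadPin) modelling an embedded module hashset. It shows that a hashset computed over the compressed on-disk representation breaks as soon as the compressor's output varies (gzip headers carry an mtime), while hashing the uncompressed module bytes stays stable across gzip and xz wrappers; the "module" payload and the hashset API are constructed stand-ins.

```python
import gzip
import hashlib
import lzma

# Constructed stand-in for a kernel module image; not a real .ko file.
MODULE_BYTES = b"\x7fELF" + b"constructed fake module payload " * 8

# Magic prefixes of the gzip and xz wrappers the kernel's module
# compression options can produce (zstd omitted to stay stdlib-only).
GZIP_MAGIC = b"\x1f\x8b"
XZ_MAGIC = b"\xfd7zXZ\x00"


def canonical_module_bytes(blob: bytes) -> bytes:
    """Return the uncompressed module image, whatever on-disk wrapper it has."""
    if blob.startswith(GZIP_MAGIC):
        return gzip.decompress(blob)
    if blob.startswith(XZ_MAGIC):
        return lzma.decompress(blob)
    return blob


def module_hash(blob: bytes, *, canonical: bool) -> str:
    """SHA-256 over either the raw on-disk bytes or the canonical (uncompressed) image."""
    data = canonical_module_bytes(blob) if canonical else blob
    return hashlib.sha256(data).hexdigest()


def build_hashset(module_blobs, *, canonical=True):
    """Hypothetical embedded hashset: one entry per module shipped with the kernel build."""
    return frozenset(module_hash(b, canonical=canonical) for b in module_blobs)


def verify_module(blob, hashset, *, canonical=True) -> bool:
    """Would the loader accept this module under the given hashset policy?"""
    return module_hash(blob, canonical=canonical) in hashset


def compressed_variants():
    """Same module contents wrapped three ways: two gzip streams with different
    header mtimes (as two separate package builds might produce) and one xz stream."""
    return (
        gzip.compress(MODULE_BYTES, mtime=0),
        gzip.compress(MODULE_BYTES, mtime=1700000000),
        lzma.compress(MODULE_BYTES),
    )


if __name__ == "__main__":
    gz_a, gz_b, xz = compressed_variants()
    print("compressed-bytes hashes agree:", module_hash(gz_a, canonical=False) == module_hash(gz_b, canonical=False))
    print("canonical hashes agree:", module_hash(gz_a, canonical=True) == module_hash(xz, canonical=True))
```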