Looking for feedback on CONFIG_MODULE_HASHES for Linux

Bernhard M. Wiedemann bernhardout at lsmod.de
Sun Nov 23 05:37:14 UTC 2025 


On 13/11/2025 21.10, Thomas Weißschuh via rb-general wrote:
> Hi everyone,
> 
> I am the author of the CONFIG_MODULE_HASHES patchset [0] for the Linux kernel
> which aims to enable reproducible kernel packages for Linux distributions.
> My goal is to reignite development and continue with the upstream process.
> To have a better base to argue with I'd like to get some confirmation that
> distributions have looked at the patches and do intent to adapt this scheme when
> it is available in the mainline kernel. That should help me get some leverage
> with the upstream maintainers.
> 
> The current form of the patches can be found at [1], they are only slightly
> adapted from the previous submission to LKML. Remaining open topics before the
> next submission are proper IMA support and stripping of modules.
> Future changes may introduce more hash algorithms and performance improvements,
> but these should not be relvant for now.
> 
> So if you are packaging Linux for your distribution, have looked at my patches
> and are eager to use them, please let me know. My plan is to talk with the
> upstream maintainers at the upcoming Linux Plumbers Conference on 11th of December.

> 
> [0] https://lore.kernel.org/lkml/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net/
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/thomas.weissschuh/linux.git/log/?h=b4/module-hashes


I'm forwarding this to our kernel list for extra feedback.
I did not look at your patch sources.

AFAIK, we don't use a random ephemeral signing key, so our kernel 
binaries are theoretically reproducible... but then we do external 
signing for kernel and all individual .ko files in OBS. So IMHO, we 
would appreciate not having to sign 5289 individual kernel modules.

Ciao
Bernhard M.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20251123/2e1d8946/attachment.sig>

More information about the rb-general mailing list