Looking for feedback on CONFIG_MODULE_HASHES for Linux

Takashi Iwai tiwai at suse.de
Sun Nov 23 09:26:03 UTC 2025 

On Sun, 23 Nov 2025 06:37:14 +0100,
Bernhard M. Wiedemann wrote:
> 
> 
> 
> On 13/11/2025 21.10, Thomas Weißschuh via rb-general wrote:
> > Hi everyone,
> > 
> > I am the author of the CONFIG_MODULE_HASHES patchset [0] for the Linux kernel
> > which aims to enable reproducible kernel packages for Linux distributions.
> > My goal is to reignite development and continue with the upstream process.
> > To have a better base to argue with I'd like to get some confirmation that
> > distributions have looked at the patches and do intent to adapt this scheme when
> > it is available in the mainline kernel. That should help me get some leverage
> > with the upstream maintainers.
> > 
> > The current form of the patches can be found at [1], they are only slightly
> > adapted from the previous submission to LKML. Remaining open topics before the
> > next submission are proper IMA support and stripping of modules.
> > Future changes may introduce more hash algorithms and performance improvements,
> > but these should not be relvant for now.
> > 
> > So if you are packaging Linux for your distribution, have looked at my patches
> > and are eager to use them, please let me know. My plan is to talk with the
> > upstream maintainers at the upcoming Linux Plumbers Conference on 11th of December.
> 
> > 
> > [0] https://lore.kernel.org/lkml/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net/
> > [1] https://git.kernel.org/pub/scm/linux/kernel/git/thomas.weissschuh/linux.git/log/?h=b4/module-hashes
> 
> 
> I'm forwarding this to our kernel list for extra feedback.
> I did not look at your patch sources.
> 
> AFAIK, we don't use a random ephemeral signing key, so our kernel
> binaries are theoretically reproducible... but then we do external
> signing for kernel and all individual .ko files in OBS. So IMHO, we
> would appreciate not having to sign 5289 individual kernel modules.

Through a quick glance without much details, the idea and the code
changes look like a nice optimization.  It may allow us dropping the
second stage to sign modules completely.  Though, my wild guess is
that the actual improvement in the case of openSUSE / SUSE would be
marginal, but I may be wrong and this has to be measured with the test
builds.

I suppose the module signing and check are still available in
addition, right?


thanks,

Takashi

More information about the rb-general mailing list