The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.
The goal is to reach bit-for-bit reproducibility. Excluding certain parts of the build output from the reproducibility analysis would be error-prone and force each downstream consumer to introduce new tooling. Introduce a new mechanism to ensure only well-known modules are loaded by embedding a merkle tree root of all modules built as part of the full kernel build into vmlinux. Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the general reproducible builds community. Compatibility with IMA modsig is not provided yet. It is still unclear to me if it should be hooked up transparently without any changes to the policy or it should require new policy options. Further improvements: * Use MODULE_SIG_HASH for configuration * UAPI for discovery? Signed-off-by: Thomas Weißschuh <[email protected]> --- Changes in v4: - Use as Merkle tree over a linera list of hashes. - Provide compatibilith with INSTALL_MOD_STRIP - Rework commit messages. - Use vmlinux.unstripped over plain "vmlinux". - Link to v3: https://lore.kernel.org/r/[email protected] Changes in v3: - Rebase on v6.15-rc1 - Use openssl to calculate hash - Avoid warning if no modules are built - Simplify module_integrity_check() a bit - Make incompatibility with INSTALL_MOD_STRIP explicit - Update docs - Add IMA cleanups - Link to v2: https://lore.kernel.org/r/[email protected] Changes in v2: - Drop RFC state - Mention interested parties in cover letter - Expand Kconfig description - Add compatibility with CONFIG_MODULE_SIG - Parallelize module-hashes.sh - Update Documentation/kbuild/reproducible-builds.rst - Link to v1: https://lore.kernel.org/r/[email protected] --- Coiby Xu (1): module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y Thomas Weißschuh (16): powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG module: Make mod_verify_sig() static module: Switch load_info::len to size_t kbuild: add stamp file for vmlinux BTF data kbuild: generate module BTF based on vmlinux.unstripped module: Deduplicate signature extraction module: Make module loading policy usable without MODULE_SIG module: Move integrity checks into dedicated function module: Move lockdown check into generic module loader module: Move signature splitting up module: Report signature type to users lockdown: Make the relationship to MODULE_SIG a dependency module: Introduce hash-based integrity checking kbuild: move handling of module stripping to Makefile.lib kbuild: make CONFIG_MODULE_HASHES compatible with module stripping .gitignore | 2 + Documentation/kbuild/reproducible-builds.rst | 5 +- Makefile | 8 +- arch/powerpc/kernel/ima_arch.c | 3 +- include/asm-generic/vmlinux.lds.h | 11 + include/linux/module.h | 20 +- include/linux/module_hashes.h | 25 ++ include/linux/module_signature.h | 5 +- kernel/module/Kconfig | 29 +- kernel/module/Makefile | 1 + kernel/module/hashes.c | 92 ++++++ kernel/module/hashes_root.c | 6 + kernel/module/internal.h | 13 +- kernel/module/main.c | 68 +++- kernel/module/signing.c | 83 +---- kernel/module_signature.c | 49 ++- scripts/.gitignore | 1 + scripts/Makefile | 3 + scripts/Makefile.lib | 32 ++ scripts/Makefile.modfinal | 28 +- scripts/Makefile.modinst | 46 +-- scripts/Makefile.vmlinux | 6 + scripts/link-vmlinux.sh | 20 +- scripts/modules-merkle-tree.c | 467 +++++++++++++++++++++++++++ security/integrity/ima/ima_efi.c | 6 +- security/integrity/ima/ima_modsig.c | 28 +- security/lockdown/Kconfig | 2 +- 27 files changed, 884 insertions(+), 175 deletions(-) --- base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 change-id: 20241225-module-hashes-7a50a7cc2a30 Best regards, -- Thomas Weißschuh <[email protected]>
