From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Tue, 2 Aug 2016 22:22:32 +0200
Message-ID: <CAKv+Gu-goNhvx0+O999CKUE5rs3kmtFRurwW06TSoGcsub5xvA@mail.gmail.com>
In-Reply-To: <CAKv+Gu8hzTRNVy5-8pzRVhNAuBo9f+kNM=NAqFsMf6wmhM2ifA@mail.gmail.com>
On 2 August 2016 at 21:20, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> On 2 August 2016 at 21:17, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Aug 2, 2016 12:14 PM, "Ard Biesheuvel" <ard.biesheuvel@linaro.org> wrote:
>>>
>>> On 2 August 2016 at 21:08, Andy Lutomirski <luto@amacapital.net> wrote:
>>> > On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel
>>> > <ard.biesheuvel@linaro.org> wrote:
>>> >> On 2 August 2016 at 20:55, Andy Lutomirski <luto@amacapital.net> wrote:
>>> >>> On a related topic: last year or so, I argued that
>>> >>> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree
>>> >>> modules should be signed, is a suboptimal design. Instead, I think
>>> >>> that the kernel should just learn to recognize its in-tree modules by
>>> >>> hash. This would allow reproducible builds, get rid of the
>>> >>> autogenerated key, and would allow distros that don't support binary
>>> >>> modules to avoid needing the asymmetric key infrastructure at all (for
>>> >>> modules, anyway -- firmware is a different story. But a firmware
>>> >>> signing key doesn't interfere with the kernel build process the way
>>> >>> that an in-tree module signing key does.)
>>> >>>
>>> >>> On the theory that code speaks louder than vitriol, I decided to try
>>> >>> to implement it. The actual code is trivial (I expect under 50 lines
>>> >>> *total* for the compile-time and run-time parts together), but
>>> >>> convincing make to build the thing is a real pain in the arse.
>>> >>>
>>> >>> So expect code from me before KS unless I really get stuck fighting
>>> >>> kbuild. And, unless anyone objects, I intend to propose that we
>>> >>> delete CONFIG_MODULE_SIG_ALL entirely once this thing works.
>>> >>>
>>> >>
>>> >> This is exactly what I implemented for TomTom years ago, and the only
>>> >> issues I remember from the top of my head were:
>>> >> - build order: vmlinux needs to be built after the modules, but
>>> >> currently, building the modules requires vmlinux to be built already
>>> >
>>> > I am, literally right now, fighting kbuild to make this happen. I
>>> > think I got it mostly working.
>>> >
>>> >> - debug symbols: modules are stripped when installing them, and taking
>>> >> the hash needs to be done afterwards
>>> >
>>> > I don't know whether this is cleanly fixable directly. We could add a
>>> > way for distros to hook the build process so that they can insert the
>>> > strip operation in the right place. We could also have
>>> > CONFIG_STRIP_MODULES that automatically splits the debug info out from
>>> > the modules.
>>> >
>>> >>
>>> >> Then, C-ize a build time sorted list of hashes, and do a binary search
>>> >> at verification time.
>>> >
>>> > Would you believe I'm implementing exactly that algorithm? :)
>>> >
>>>
>>> Been there, done that :-)
>>
>> Do you have code you can share? I'm always in favor of doing less work!
>
> It should be in here somewhere
> http://www.tomtom.com/gpl/arm11/linux-kernel-2.6.28-tt855479.tar.gz
>
> I'm currently on a crappy connection, and I don't have access anymore
> to the git repo, unfortunately.
> I can dig it up tomorrow if you don't beat me to it
Actually, I did find a patch against some 2.6.x kernel that contains
the module hashing, plus some other security stuff I did for TomTom.
Look for CONFIG_MODULE_HASHES in
http://people.linaro.org/~ard.biesheuvel/irvine.diff
--
Ard.
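The scheme the thread converges on (a list of in-tree module hashes sorted at build time and linked into vmlinux, then a binary search when a module is loaded) in working form. This is an added example, not the TomTom CONFIG_MODULE_HASHES patch and not Andy's work in progress; the thread names no hash, so SHA-256 is assumed, the table is a fixed-size array filled in at run time rather than C data emitted by kbuild, and the "module images" are constructed byte strings, not real .ko files.

```c
/* Hash-based recognition of in-tree modules, as sketched in the thread: a
 * table of module hashes sorted at build time and binary-searched at load.
 * Added example, not the TomTom patch or Andy's code. Assumptions: SHA-256
 * as the hash, a fixed-size table, constructed (not real ELF) images. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compact SHA-256 (FIPS 180-4); in a kernel this would be the crypto API. */
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };

static void sha256_block(uint32_t h[8], const uint8_t blk[64])
{
    uint32_t w[64], a, b, c, d, e, f, g, hh, t1, t2;
    int i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)blk[4*i] << 24 | (uint32_t)blk[4*i+1] << 16 |
               (uint32_t)blk[4*i+2] << 8 | blk[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + (ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3)) +
               w[i-7] + (ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10));
    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4]; f = h[5]; g = h[6]; hh = h[7];
    for (i = 0; i < 64; i++) {
        t1 = hh + (ROR(e, 6) ^ ROR(e, 11) ^ ROR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        t2 = (ROR(a, 2) ^ ROR(a, 13) ^ ROR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

static void sha256(const uint8_t *msg, size_t len, uint8_t out[32])
{
    uint32_t h[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64)
        sha256_block(h, msg + i);
    rem = len - i;                          /* 0..63 trailing bytes */
    memset(blk, 0, 64);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                        /* pad: one 1 bit, zeros, 64-bit length */
    if (rem >= 56) { sha256_block(h, blk); memset(blk, 0, 64); }
    for (i = 0; i < 8; i++)
        blk[63 - i] = (uint8_t)(bits >> (8 * i));
    sha256_block(h, blk);
    for (i = 0; i < 8; i++) {
        out[4*i] = h[i] >> 24; out[4*i+1] = h[i] >> 16;
        out[4*i+2] = h[i] >> 8; out[4*i+3] = h[i];
    }
}

/* The table kbuild would emit as sorted const C data and link into vmlinux
 * (which is why vmlinux must be linked after the modules are built). */
#define HASH_LEN 32
#define MAX_MODULES 16
static uint8_t module_hashes[MAX_MODULES][HASH_LEN];
static size_t module_hash_count;
static int hash_cmp(const void *a, const void *b) { return memcmp(a, b, HASH_LEN); }

/* Build-time half: hash each final (already stripped) module image, sort. */
static size_t build_hash_table(const uint8_t *const imgs[], const size_t lens[], size_t n)
{
    size_t i;
    module_hash_count = n > MAX_MODULES ? MAX_MODULES : n;
    for (i = 0; i < module_hash_count; i++)
        sha256(imgs[i], lens[i], module_hashes[i]);
    qsort(module_hashes, module_hash_count, HASH_LEN, hash_cmp);
    return module_hash_count;
}

/* Run-time half: hash the bytes handed to the loader and bsearch() them.
 * Any image this build did not produce, even a one-bit change, misses. */
static int module_is_in_tree(const uint8_t *img, size_t len)
{
    uint8_t h[HASH_LEN];
    sha256(img, len, h);
    return bsearch(h, module_hashes, module_hash_count, HASH_LEN, hash_cmp) != NULL;
}

/* Constructed stand-ins for stripped .ko images (not real ELF objects). */
static const uint8_t mod_a[] = "\x7f" "ELF constructed module image: a.ko";
static const uint8_t mod_b[] = "\x7f" "ELF constructed module image: b.ko";
static const uint8_t mod_c[] = "\x7f" "ELF constructed module image: c.ko";

static size_t setup_demo_table(void)
{
    const uint8_t *const imgs[] = { mod_a, mod_b, mod_c };
    const size_t lens[] = { sizeof mod_a - 1, sizeof mod_b - 1, sizeof mod_c - 1 };
    return build_hash_table(imgs, lens, 3);
}

int main(void)
{
    uint8_t tampered[sizeof mod_a - 1];
    setup_demo_table();
    memcpy(tampered, mod_a, sizeof tampered);
    tampered[sizeof tampered - 1] ^= 1;     /* flip one bit of a.ko */
    printf("a.ko: %s\n", module_is_in_tree(mod_a, sizeof mod_a - 1) ? "in-tree" : "unknown");
    printf("tampered a.ko: %s\n", module_is_in_tree(tampered, sizeof tampered) ? "in-tree" : "unknown");
    return 0;
}
```

Two points from the thread show up directly in the code. The lookup is over exactly the bytes the loader receives, so the table has to be generated after any strip step, otherwise installed (stripped) modules hash to values that are not in the table; and the table only identifies modules produced by this very build, so it says nothing about out-of-tree or binary modules, which is why the proposal leaves firmware and third-party module signing as a separate question.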