From: Ard Biesheuvel
Date: Tue, 2 Aug 2016 22:22:32 +0200
To: Andy Lutomirski
Cc: James Bottomley, Mark Brown, ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
References: <1469631987.27356.48.camel@HansenPartnership.com> <20150804152622.GY30479@wotan.suse.de> <1468612258.5335.0.camel@linux.vnet.ibm.com> <1468612671.5335.5.camel@linux.vnet.ibm.com> <20160716005213.GL30372@sirena.org.uk> <1469544138.120686.327.camel@infradead.org> <14209.1469636040@warthog.procyon.org.uk> <1469636881.27356.70.camel@HansenPartnership.com> <1469637367.27356.73.camel@HansenPartnership.com> <1469648220.23563.15.camel@linux.vnet.ibm.com>

On 2 August 2016 at 21:20, Ard Biesheuvel wrote:
> On 2 August 2016 at 21:17, Andy Lutomirski wrote:
>> On Aug 2, 2016 12:14 PM, "Ard Biesheuvel" wrote:
>>>
>>> On 2 August 2016 at 21:08, Andy Lutomirski wrote:
>>> > On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel
>>> > wrote:
>>> >> On 2 August 2016 at 20:55, Andy Lutomirski wrote:
>>> >>> On a related topic: last year or so, I argued that
>>> >>> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree
>>> >>> modules should be signed, is a suboptimal design. Instead, I think
>>> >>> that the kernel should just learn to recognize its in-tree modules by
>>> >>> hash. This would allow reproducible builds, get rid of the
>>> >>> autogenerated key, and would allow distros that don't support binary
>>> >>> modules to avoid needing the asymmetric key infrastructure at all (for
>>> >>> modules, anyway -- firmware is a different story. But a firmware
>>> >>> signing key doesn't interfere with the kernel build process the way
>>> >>> that an in-tree module signing key does.)
>>> >>>
>>> >>> On the theory that code speaks louder than vitriol, I decided to try
>>> >>> to implement it. The actual code is trivial (I expect under 50 lines
>>> >>> *total* for the compile-time and run-time parts together), but
>>> >>> convincing make to build the thing is a real pain in the arse.
>>> >>>
>>> >>> So expect code from me before KS unless I really get stuck fighting
>>> >>> kbuild. And, unless anyone objects, I intend to propose that we
>>> >>> delete CONFIG_MODULE_SIG_ALL entirely once this thing works.
>>> >>>
>>> >>
>>> >> This is exactly what I implemented for TomTom years ago, and the only
>>> >> issues I remember from the top of my head were:
>>> >> - build order: vmlinux needs to be built after the modules, but
>>> >> currently, building the modules requires vmlinux to be built already
>>> >
>>> > I am, literally right now, fighting kbuild to make this happen. I
>>> > think I got it mostly working.
>>> >
>>> >> - debug symbols: modules are stripped when installing them, and taking
>>> >> the hash needs to be done afterwards
>>> >
>>> > I don't know whether this is cleanly fixable directly. We could add a
>>> > way for distros to hook the build process so that they can insert the
>>> > strip operation in the right place. We could also have
>>> > CONFIG_STRIP_MODULES that automatically splits the debug info out from
>>> > the modules.
>>> >
>>> >>
>>> >> Then, C-ize a build time sorted list of hashes, and do a binary search
>>> >> at verification time.
>>> >
>>> > Would you believe I'm implementing exactly that algorithm? :)
>>> >
>>>
>>> Been there, done that :-)
>>
>> Do you have code you can share? I'm always in favor of doing less work!
>
> It should be in here somewhere
> http://www.tomtom.com/gpl/arm11/linux-kernel-2.6.28-tt855479.tar.gz
>
> I'm currently on a crappy connection, and I don't have access anymore
> to the git repo, unfortunately.
> I can dig it up tomorrow if you don't beat me to it

Actually, I did find a patch against some 2.6.x kernel that contains the
module hashing, plus some other security stuff I did for TomTom.

Look for CONFIG_MODULE_HASHES in
http://people.linaro.org/~ard.biesheuvel/irvine.diff

-- 
Ard.
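The scheme sketched in the thread (hash every in-tree module at build time, sort the digests, compile the sorted table into vmlinux, binary-search it when a module is loaded) as an added, stand-alone illustration. This is example code written for this archive page, not Ard's TomTom patch, Andy's kbuild work, or any kernel code; the module bodies are constructed byte strings, SHA-256 is an assumed choice of digest, and the `intree_module_hashes` symbol name is made up. It also shows the strip caveat raised in the thread: a module hashed before its debug info is removed will not match at load time.

```python
import bisect
import hashlib

# Constructed stand-ins for the installed (already stripped) .ko files.
# In a real build the hash must be taken over the bytes that will be
# loaded, i.e. after `strip`, as the thread points out.
SAMPLE_MODULES = {
    "ext4.ko": b"\x7fELF constructed ext4 module body",
    "xfs.ko":  b"\x7fELF constructed xfs module body",
    "nvme.ko": b"\x7fELF constructed nvme module body",
}

DIGEST_SIZE = hashlib.sha256().digest_size  # 32 bytes (assumed digest)


def module_digest(blob: bytes) -> bytes:
    """Digest of the module image exactly as it will be loaded."""
    return hashlib.sha256(blob).digest()


def build_hash_table(modules: dict) -> list:
    """Build-time step: hash every in-tree module and sort the digests so
    the run-time lookup can binary-search them. Sorting on the raw bytes
    gives the same order memcmp() would use on the C side."""
    return sorted(module_digest(blob) for blob in modules.values())


def emit_c_table(table: list, symbol: str = "intree_module_hashes") -> str:
    """The 'C-ize' step: render the sorted table as a C array that can be
    compiled into vmlinux. Symbol name is a made-up placeholder."""
    lines = [
        f"static const unsigned char {symbol}[{len(table)}][{DIGEST_SIZE}] = {{"
    ]
    for digest in table:
        lines.append("    {" + ", ".join(f"0x{b:02x}" for b in digest) + "},")
    lines.append("};")
    return "\n".join(lines)


def is_in_tree(blob: bytes, table: list) -> bool:
    """Run-time step: O(log n) membership test on the sorted table. No key
    material and no signature parsing are involved; only an exact digest
    match accepts the module."""
    digest = module_digest(blob)
    i = bisect.bisect_left(table, digest)
    return i < len(table) and table[i] == digest


def strip_mismatch_demo(table: list) -> bool:
    """Illustrates the debug-symbol caveat: appending a constructed
    '.debug_info' section to a module changes its bytes, so an image hashed
    before stripping is rejected once the installed (stripped) image is
    what the table was built from. Returns True if the mismatch occurs."""
    unstripped = SAMPLE_MODULES["ext4.ko"] + b" .debug_info constructed"
    return not is_in_tree(unstripped, table)


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_MODULES)
    print(emit_c_table(table))
    for name, blob in SAMPLE_MODULES.items():
        print(name, "in-tree:", is_in_tree(blob, table))
    print("out-of-tree rejected:", not is_in_tree(b"third-party.ko body", table))
    print("unstripped image rejected:", strip_mismatch_demo(table))
```

The generated array is what a kbuild step would have to compile into vmlinux after the modules are built, which is the ordering problem the thread discusses; the lookup side needs nothing beyond a `bsearch()` over that array with `memcmp()` as the comparator.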