From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 3FFF87AA for ; Tue, 2 Aug 2016 19:08:38 +0000 (UTC) Received: from mail-ua0-f172.google.com (mail-ua0-f172.google.com [209.85.217.172]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A6E55290 for ; Tue, 2 Aug 2016 19:08:37 +0000 (UTC) Received: by mail-ua0-f172.google.com with SMTP id k90so136338047uak.0 for ; Tue, 02 Aug 2016 12:08:37 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <1469631987.27356.48.camel@HansenPartnership.com> <20150804152622.GY30479@wotan.suse.de> <1468612258.5335.0.camel@linux.vnet.ibm.com> <1468612671.5335.5.camel@linux.vnet.ibm.com> <20160716005213.GL30372@sirena.org.uk> <1469544138.120686.327.camel@infradead.org> <14209.1469636040@warthog.procyon.org.uk> <1469636881.27356.70.camel@HansenPartnership.com> <1469637367.27356.73.camel@HansenPartnership.com> <1469648220.23563.15.camel@linux.vnet.ibm.com> From: Andy Lutomirski Date: Tue, 2 Aug 2016 12:08:16 -0700 Message-ID: To: Ard Biesheuvel Content-Type: text/plain; charset=UTF-8 Cc: James Bottomley , Mark Brown , "ksummit-discuss@lists.linuxfoundation.org" Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel wrote: > On 2 August 2016 at 20:55, Andy Lutomirski wrote: >> On a related topic: last year or so, I argued that >> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree >> modules should be signed, is a suboptimal design. Instead, I think >> that the kernel shoud just learn to recognize its in-tree modules by >> hash. This would allow reproducible builds, get rid of the >> autogenerated key, and would allow distros that don't support binary >> modules to avoid needing the asymmetric key infrastructure at all (for >> modules, anyway -- firmware is a different story. But a firmware >> signing key doesn't interfere with the kernel build process the way >> that an in-tree module signing key does.) >> >> On the theory that code speaks louder than vitriol, I decided to try >> to implement it. The actual code is trivial (I expect under 50 lines >> *total* for the compile-time and run-time parts together), but >> convincing make to build the thing is a real pain in the arse. >> >> So expect code from me before KS unless I really get stuck fighting >> kbuild. And, unless anyone objects, I intend to propose that we >> delete CONFIG_MODULE_SIG_ALL entirely once this thing works. >> > > This is exactly what I implemented for TomTom years ago, and the only > issues I remember from the top of my head were: > - build order: vmlinux needs to be built after the modules, but > currently, building the modules requires vmlinux to be built already I am, literally right now, fighting kbuild to make this happen. I think I got it mostly working. > - debug symbols: modules are stripped when installing them, and taking > the hash needs to be done afterwards I don't know whether this is cleanly fixable directly. We could add a way for distros to hook the build process so that they can insert the strip operation in the right place. We could also have CONFIG_STRIP_MODULES that automatically splits the debug info out from the modules. > > Then,c-ize a build time sorted list of hashes, and do a binary search > at verification time. Would you believe I'm implementing exactly that algorithm? :) --Andy