On Aug 2, 2016 12:14 PM, "Ard Biesheuvel" wrote:
>
> On 2 August 2016 at 21:08, Andy Lutomirski wrote:
> > On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel wrote:
> >> On 2 August 2016 at 20:55, Andy Lutomirski wrote:
> >>> On a related topic: last year or so, I argued that
> >>> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree
> >>> modules should be signed, is a suboptimal design. Instead, I think
> >>> that the kernel should just learn to recognize its in-tree modules by
> >>> hash. This would allow reproducible builds, get rid of the
> >>> autogenerated key, and would allow distros that don't support binary
> >>> modules to avoid needing the asymmetric key infrastructure at all (for
> >>> modules, anyway -- firmware is a different story. But a firmware
> >>> signing key doesn't interfere with the kernel build process the way
> >>> that an in-tree module signing key does.)
> >>>
> >>> On the theory that code speaks louder than vitriol, I decided to try
> >>> to implement it. The actual code is trivial (I expect under 50 lines
> >>> *total* for the compile-time and run-time parts together), but
> >>> convincing make to build the thing is a real pain in the arse.
> >>>
> >>> So expect code from me before KS unless I really get stuck fighting
> >>> kbuild. And, unless anyone objects, I intend to propose that we
> >>> delete CONFIG_MODULE_SIG_ALL entirely once this thing works.
> >>>
> >>
> >> This is exactly what I implemented for TomTom years ago, and the only
> >> issues I remember from the top of my head were:
> >> - build order: vmlinux needs to be built after the modules, but
> >> currently, building the modules requires vmlinux to be built already
> >
> > I am, literally right now, fighting kbuild to make this happen. I
> > think I got it mostly working.
> >
> >> - debug symbols: modules are stripped when installing them, and taking
> >> the hash needs to be done afterwards
> >
> > I don't know whether this is cleanly fixable directly. We could add a
> > way for distros to hook the build process so that they can insert the
> > strip operation in the right place. We could also have
> > CONFIG_STRIP_MODULES that automatically splits the debug info out from
> > the modules.
> >
> >>
> >> Then, c-ize a build time sorted list of hashes, and do a binary search
> >> at verification time.
> >
> > Would you believe I'm implementing exactly that algorithm? :)
> >
>
> Been there, done that :-)

Do you have code you can share? I'm always in favor of doing less work!