From: Andy Lutomirski
Date: Tue, 2 Aug 2016 12:17:02 -0700
To: Ard Biesheuvel
Cc: James Bottomley, Mark Brown, ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi

On Aug 2, 2016 12:14 PM, "Ard Biesheuvel" <ard.biesheuvel@linaro.org> wrote:
>
> On 2 August 2016 at 21:08, Andy Lutomirski <luto@amacapital.net> wrote:
> > On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel
> > <ard.biesheuvel@linaro.org> wrote:
> >> On 2 August 2016 at 20:55, Andy Lutomirski <luto@amacapital.net> wrote:
> >>> On a related topic: last year or so, I argued that
> >>> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree
> >>> modules should be signed, is a suboptimal design. Instead, I think
> >>> that the kernel should just learn to recognize its in-tree modules by
> >>> hash. This would allow reproducible builds, get rid of the
> >>> autogenerated key, and would allow distros that don't support binary
> >>> modules to avoid needing the asymmetric key infrastructure at all (for
> >>> modules, anyway -- firmware is a different story. But a firmware
> >>> signing key doesn't interfere with the kernel build process the way
> >>> that an in-tree module signing key does.)
> >>>
> >>> On the theory that code speaks louder than vitriol, I decided to try
> >>> to implement it. The actual code is trivial (I expect under 50 lines
> >>> *total* for the compile-time and run-time parts together), but
> >>> convincing make to build the thing is a real pain in the arse.
> >>>
> >>> So expect code from me before KS unless I really get stuck fighting
> >>> kbuild. And, unless anyone objects, I intend to propose that we
> >>> delete CONFIG_MODULE_SIG_ALL entirely once this thing works.
> >>>
> >>
> >> This is exactly what I implemented for TomTom years ago, and the only
> >> issues I remember from the top of my head were:
> >> - build order: vmlinux needs to be built after the modules, but
> >> currently, building the modules requires vmlinux to be built already
> >
> > I am, literally right now, fighting kbuild to make this happen. I
> > think I got it mostly working.
> >
> >> - debug symbols: modules are stripped when installing them, and taking
> >> the hash needs to be done afterwards
> >
> > I don't know whether this is cleanly fixable directly. We could add a
> > way for distros to hook the build process so that they can insert the
> > strip operation in the right place. We could also have
> > CONFIG_STRIP_MODULES that automatically splits the debug info out from
> > the modules.
> >
> >>
> >> Then, C-ize a build time sorted list of hashes, and do a binary search
> >> at verification time.
> >
> > Would you believe I'm implementing exactly that algorithm? :)
> >
>
> Been there, done that :-)

Do you have code you can share? I'm always in favor of doing less work!
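The run-time half of the scheme discussed in the thread (a build-time sorted table of in-tree module hashes, searched by binary search at load time), as an added illustration that is neither Andy's nor Ard's code. The table contents are constructed sample digests; a real build would generate the table from the installed (already stripped) modules and the kernel would hash the module image with its own crypto API before the lookup.

```c
/* Added example, not code from the thread. The digests below are
 * constructed sample values, not hashes of any real module. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HASH_LEN 32 /* digest size, e.g. SHA-256 */

/* Generated at build time, sorted in memcmp() order so bsearch() works.
 * Unlisted trailing bytes are zero. */
static const uint8_t in_tree_module_hashes[][HASH_LEN] = {
    {0x01, 0x23, 0x45, 0x67},
    {0x3f, 0xa0},
    {0x80},
    {0xf0, 0x0d, 0xba, 0xbe},
};
#define NUM_HASHES (sizeof(in_tree_module_hashes) / HASH_LEN)

static int hash_cmp(const void *a, const void *b)
{
    return memcmp(a, b, HASH_LEN);
}

/* The whole scheme depends on the table being sorted; a generator bug
 * would make bsearch() silently reject valid modules. Returns 1 if sorted. */
int table_is_sorted(void)
{
    for (size_t i = 1; i < NUM_HASHES; i++)
        if (hash_cmp(in_tree_module_hashes[i - 1],
                     in_tree_module_hashes[i]) >= 0)
            return 0;
    return 1;
}

/* Run-time check: 1 if the digest of a module image is a known in-tree
 * module, 0 otherwise. No key material is involved. */
int module_hash_is_in_tree(const uint8_t digest[HASH_LEN])
{
    return bsearch(digest, in_tree_module_hashes, NUM_HASHES, HASH_LEN,
                   hash_cmp) != NULL;
}

/* Test helper: look up a digest whose first two bytes are b0, b1 and the
 * rest zero (matches the constructed table layout above). */
int lookup_prefix(uint8_t b0, uint8_t b1)
{
    uint8_t digest[HASH_LEN] = {0};
    digest[0] = b0;
    digest[1] = b1;
    return module_hash_is_in_tree(digest);
}
```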