Re: [PATCH v2 0/6] module: Introduce hash-based integrity checking
From: Thomas Weißschuh
Date: Tue Feb 04 2025 - 16:08:41 EST
On 2025-02-03 14:14:41+0100, Christian Heusel wrote:
> Hey Thomas,
>
> On 25/01/20 06:44PM, Thomas Weißschuh wrote:
> > Thomas Weißschuh (6):
> > kbuild: add stamp file for vmlinux BTF data
> > module: Make module loading policy usable without MODULE_SIG
> > module: Move integrity checks into dedicated function
> > module: Move lockdown check into generic module loader
> > lockdown: Make the relationship to MODULE_SIG a dependency
> > module: Introduce hash-based integrity checking
>
> thanks for working on this!
>
> I had a look at this patch series together with kpcyrd over the weekend
> and we were able to verify that this indeed allows one to get a
> reproducible kernel image with the toolchain on Arch Linux (if the patch
> you mentioned in your cover letter is also applied), which is of course
> great news! :)
Great!
FYI the BTF patch shouldn't be necessary anymore with pahole 1.29.
> We also found a major issue with it, as adding it on top of the v6.13
> kernel and setting the needed config options while removing modules
> signatures made the kernel unable to load any module while also not
> printing any error for the failure, therefore resulting in an early boot
> failure on my machine.
>
> Do you have any clue what could be going wrong here or what we could
> investigate? I have pushed my build config into [this repository][0] and
> also uploaded a prebuilt version (signed with my packager key)
> [here][1] (you can therefore just install it via "sudo pacman -U
> <link>").
I would guess the issue is the usage of INSTALL_MOD_STRIP.
What are the contents of .tmp_module_hashes.c ?
Do they match the hashes from the build directory and package?
You can also enable CONFIG_MODULE_DEBUG and '#define DEBUG' in
kernel/module/hashes.c
> Happy to test more stuff, feel free to CC me on any further revision /
> thread on this!
Will do!
> Cheers,
> Christian
>
> [0]: https://gitlab.archlinux.org/gromit/linux-mainline-repro-test
> [1]: https://pkgbuild.com/~gromit/linux-bisection-kernels/linux-mainline-6.13-1.2-x86_64.pkg.tar.zst
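The check Thomas asks for above, whether the hashes of the modules in the build directory still match the modules that end up in the package, can be scripted. The following is an added example and not code from the thread or from the patch series: it walks every .ko under a build tree, hashes it, and compares against the same path under an installed tree, reporting modules that differ (as they would if INSTALL_MOD_STRIP rewrote them after the hash list was generated) or are missing. SHA-256 via sha256sum/shasum is an assumption made here for illustration, not a claim about the hash the series embeds in .tmp_module_hashes.c.

```shell
#!/bin/sh
# Added example (not part of the thread): compare per-module hashes between
# the kernel build tree and an installed module tree. Any mismatch means the
# installed .ko is not the file that was hashed at build time, e.g. because
# it was stripped afterwards. SHA-256 is assumed here for illustration.

# Print the hex digest of one file; prefer coreutils sha256sum, fall back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_module_hashes BUILD_DIR INSTALL_DIR
# Prints one line per differing or missing module plus a summary line.
# Returns 0 only if every module in BUILD_DIR is present and identical in INSTALL_DIR.
compare_module_hashes() {
    build="$1"
    installed="$2"
    mismatches=0
    missing=0
    for f in $(cd "$build" && find . -name '*.ko' | sort); do
        src="$build/$f"
        dst="$installed/$f"
        if [ ! -f "$dst" ]; then
            echo "MISSING  $f"
            missing=$((missing + 1))
            continue
        fi
        h1=$(hash_file "$src")
        h2=$(hash_file "$dst")
        if [ "$h1" != "$h2" ]; then
            echo "MISMATCH $f build=$h1 installed=$h2"
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches mismatched, $missing missing"
    if [ "$mismatches" -eq 0 ] && [ "$missing" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage: compare_module_hashes /path/to/linux-build /lib/modules/$(uname -r)
```

A non-zero exit with MISMATCH lines for every module is exactly the symptom one would expect from a post-hash strip step; a clean run points the investigation elsewhere (for instance at the contents of .tmp_module_hashes.c itself).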