[Ksummit-discuss] Last minute nominations: mcgrof and toshi

Andy Lutomirski luto at amacapital.net
Tue Aug 2 19:17:02 UTC 2016


On Aug 2, 2016 12:14 PM, "Ard Biesheuvel" <ard.biesheuvel at linaro.org> wrote:
>
> On 2 August 2016 at 21:08, Andy Lutomirski <luto at amacapital.net> wrote:
> > On Tue, Aug 2, 2016 at 12:02 PM, Ard Biesheuvel
> > <ard.biesheuvel at linaro.org> wrote:
> >> On 2 August 2016 at 20:55, Andy Lutomirski <luto at amacapital.net> wrote:
> >>> On a related topic: last year or so, I argued that
> >>> CONFIG_MODULE_SIG_ALL and, more generally, the idea that in-tree
> >>> modules should be signed, is a suboptimal design.  Instead, I think
> >>> that the kernel should just learn to recognize its in-tree modules by
> >>> hash.  This would allow reproducible builds, get rid of the
> >>> autogenerated key, and would allow distros that don't support binary
> >>> modules to avoid needing the asymmetric key infrastructure at all (for
> >>> modules, anyway -- firmware is a different story.  But a firmware
> >>> signing key doesn't interfere with the kernel build process the way
> >>> that an in-tree module signing key does.)
> >>>
> >>> On the theory that code speaks louder than vitriol, I decided to try
> >>> to implement it.  The actual code is trivial (I expect under 50 lines
> >>> *total* for the compile-time and run-time parts together), but
> >>> convincing make to build the thing is a real pain in the arse.
> >>>
> >>> So expect code from me before KS unless I really get stuck fighting
> >>> kbuild.  And, unless anyone objects, I intend to propose that we
> >>> delete CONFIG_MODULE_SIG_ALL entirely once this thing works.
> >>>
> >>
> >> This is exactly what I implemented for TomTom years ago, and the only
> >> issues I remember from the top of my head were:
> >> - build order: vmlinux needs to be built after the modules, but
> >> currently, building the modules requires vmlinux to be built already
> >
> > I am, literally right now, fighting kbuild to make this happen.  I
> > think I got it mostly working.
> >
> >> - debug symbols: modules are stripped when installing them, and taking
> >> the hash needs to be done afterwards
> >
> > I don't know whether this is cleanly fixable directly.  We could add a
> > way for distros to hook the build process so that they can insert the
> > strip operation in the right place.  We could also have
> > CONFIG_STRIP_MODULES that automatically splits the debug info out from
> > the modules.
> >
> >>
> >> Then, C-ize a build time sorted list of hashes, and do a binary search
> >> at verification time.
> >
> > Would you believe I'm implementing exactly that algorithm? :)
> >
>
> Been there, done that :-)

Do you have code you can share?  I'm always in favor of doing less work!
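
The scheme discussed in this thread (a build-time sorted list of hashes turned into C, with a binary search at verification time), sketched as an added userspace example; it is not code from either poster or from the kernel tree. The SHA-256 digest length, the names `mod_digest`, `emit_sorted_table`, `digest_is_known` and `module_digests`, and the sample digests are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIGEST_LEN 32 /* assumption: SHA-256; the thread names no hash */
struct mod_digest { unsigned char b[DIGEST_LEN]; }; /* hypothetical layout */

/* The digests are public, so an ordinary memcmp ordering is fine. */
static int digest_cmp(const void *a, const void *b)
{
	return memcmp(a, b, DIGEST_LEN);
}

/* Build time: sort in place, then "C-ize" the table (array name is made up). */
int emit_sorted_table(FILE *out, struct mod_digest *tab, size_t n)
{
	qsort(tab, n, sizeof(*tab), digest_cmp);
	fprintf(out, "static const unsigned char module_digests[%zu][%d] = {\n",
		n, DIGEST_LEN);
	for (size_t i = 0; i < n; i++) {
		fputs("\t{ ", out);
		for (size_t j = 0; j < DIGEST_LEN; j++)
			fprintf(out, "0x%02x, ", tab[i].b[j]);
		fputs("},\n", out);
	}
	return fputs("};\n", out) == EOF ? -1 : 0;
}

/* Run time: 1 if the loaded module's digest is in the sorted table, else 0. */
int digest_is_known(const struct mod_digest *tab, size_t n,
		    const unsigned char *digest)
{
	return bsearch(digest, tab, n, sizeof(*tab), digest_cmp) != NULL;
}

int main(void)
{
	struct mod_digest tab[3], probe;
	/* Constructed digests (every byte the same), not real module hashes. */
	memset(tab[0].b, 0x90, DIGEST_LEN);
	memset(tab[1].b, 0x10, DIGEST_LEN);
	memset(tab[2].b, 0x50, DIGEST_LEN);
	emit_sorted_table(stdout, tab, 3);
	memset(probe.b, 0x50, DIGEST_LEN);
	printf("known: %d\n", digest_is_known(tab, 3, probe.b));
	probe.b[DIGEST_LEN - 1] ^= 1; /* one flipped bit must be rejected */
	printf("tampered: %d\n", digest_is_known(tab, 3, probe.b));
	return 0;
}
```

As the thread notes, the digest has to be taken over the module file exactly as it will be loaded, so any strip step must run before the table is generated.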