Hash-Based Integrity Checking Proposed For Linux To Help With Reproducible Builds
([Linux Kernel] 26 December 06:00 AM EST
Reproducible Kernel Builds)
- Reference: 0001514897
- News link: https://www.phoronix.com/news/Hash-Based-Integrity-Linux-RB
An interesting request for comments (RFC) patch series was posted on Christmas for introducing hash-based integrity checking to help with the reproducible builds initiative around the Linux kernel.
Linux developer Thomas Weißschuh, who has been involved with Linux laptop improvements and other kernel enhancements, posted the RFC patches for hash-based integrity checking. Weißschuh explained the work and summed it up rather well in the patch cover letter:
"The current signature-based module integrity checking has some drawbacks in combination with reproducible builds: Either the module signing key is generated at build time, which makes the build unreproducible, or a static key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated. Introduce a new mechanism to ensure only well-known modules are loaded by embedding a list of hashes of all modules built as part of the full kernel build into vmlinux."
This would be a big help to the reproducible builds initiative in providing a bit-for-bit, independently verifiable path from source code to binaries.
There remain some open design questions and other features that could be tacked onto this hash-based integrity checking for kernel modules, but those interested can find the patches via [1] this kernel mailing list thread.
[1] https://lore.kernel.org/lkml/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net/
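The idea in the cover letter, sketched as an added example that is not code from the patch series: a build step derives a table of module hashes that is identical for any two builds of the same inputs, and a load step accepts only modules whose hash is in that table. SHA-256, the sorted-table layout, the function names and the sample module bytes are all assumptions made for illustration.

```python
import bisect
import hashlib
import hmac
import os

# Constructed sample module images (hypothetical names, placeholder bytes).
SAMPLE_MODULES = {
    "netdrv.ko": b"\x7fELF constructed network driver image",
    "fsdrv.ko": b"\x7fELF constructed filesystem driver image",
    "snddrv.ko": b"\x7fELF constructed sound driver image",
}


def build_hash_table(modules):
    """Build step: hash every module image into a sorted, de-duplicated table.

    Sorting removes any dependence on the order the build visited the modules,
    so two independent builds of the same inputs produce the same table.
    """
    return sorted({hashlib.sha256(image).digest() for image in modules.values()})


def serialize_table(table):
    """Flatten the table into the bytes that would be embedded in the kernel image."""
    return b"".join(table)


def module_allowed(table, image):
    """Load step: allow the module only if its digest appears in the table."""
    digest = hashlib.sha256(image).digest()
    i = bisect.bisect_left(table, digest)
    return i < len(table) and table[i] == digest


def ephemeral_key_tag(image):
    """Stand-in for signing with a key generated at build time.

    A fresh random key per build makes the output differ between builds of
    identical input. HMAC keeps the example standard-library only; real module
    signing uses asymmetric signatures.
    """
    build_key = os.urandom(32)
    return hmac.new(build_key, image, hashlib.sha256).digest()


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_MODULES)
    print("embedded table:", len(serialize_table(table)), "bytes")
    print("known module allowed:", module_allowed(table, SAMPLE_MODULES["fsdrv.ko"]))
    print("modified module allowed:", module_allowed(table, SAMPLE_MODULES["fsdrv.ko"] + b"!"))
```

Because the table is a pure function of the module bytes, a third party who rebuilds the same sources can compare the resulting image byte for byte, which a per-build signing key prevents.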