{"id":2232784,"url":"http://patchwork.ozlabs.org/api/1.2/covers/2232784/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/cover/20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.2/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net/","date":"2026-05-05T09:05:04","name":"[v5,00/14] module: Introduce hash-based integrity checking","submitter":{"id":82751,"url":"http://patchwork.ozlabs.org/api/1.2/people/82751/?format=json","name":"Thomas Weißschuh","email":"linux@weissschuh.net"},"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/cover/20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net/mbox/","series":[{"id":502791,"url":"http://patchwork.ozlabs.org/api/1.2/series/502791/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=502791","date":"2026-05-05T09:05:17","name":"module: Introduce hash-based integrity checking","version":5,"mbox":"http://patchwork.ozlabs.org/series/502791/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2232784/comments/","headers":{"Return-Path":"\n 
<linuxppc-dev+bounces-20470-incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=LMrZa8UP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-20470-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=\"2a01:4f8:c010:41de::1\"","lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net","lists.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=LMrZa8UP;\n\tdkim-atps=neutral","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=weissschuh.net\n (client-ip=2a01:4f8:c010:41de::1; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g8tBB1Y1lz1yJV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 05 May 2026 19:14:26 +1000 (AEST)","from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4g8t9H5Cvvz3bjD;\n\tTue, 05 May 2026 19:13:39 +1000 (AEST)","from todd.t-8ch.de (todd.t-8ch.de [IPv6:2a01:4f8:c010:41de::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No 
client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4g8t994Bvsz2xMV\n\tfor <linuxppc-dev@lists.ozlabs.org>; Tue, 05 May 2026 19:13:33 +1000 (AEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1777972419;\n\tcv=none;\n b=SxUyrjd+ehE5vlrxsq8U2IuR2Kzask6eXMKhL+p7HVhDmu1+sjM55m86R5fbfFPzR26eggs+Z3Y0C0xxA2Nb366WCJIk7FXgGY056lsIql5yLsyqdWxxct2A8DazouFpqKKreaBCn29g7skixHNeMHm+gyNXHmjkTsANTE6NNftBZvltBdr3fCHYVVx6+I9FtQpgXa9oi4ok+vvt15FHLcHqkGhWwqxFeL1ldvBzDmPFhTk1J7Jyk72WDFmyFn2JyQglySJPg8qYxbbZGhlEZyTMHOtwKCvAsPj5+0kcg4krdrEe8FPeN3TBL4jETZJLH1RH6FZmoDL/1uVM+WhvHw==","ARC-Message-Signature":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1777972419; c=relaxed/relaxed;\n\tbh=q1WKuPixKas8/Na99fAqYUbllmTgdW23TCYIUWSaFbg=;\n\th=From:Subject:Date:Message-Id:MIME-Version:Content-Type:To:Cc;\n b=ST/Y0K8trGilF1285H3VOFyE8xOdVpu74QY94eNQUdCIPowjI5M2KmWHbgI9a/4WKKH/Y1UUnB7Q2+c1MtaVNEpx6QyclrxUgGAEG9a4UsuVhW5Mo5/jGXkINb0jgslTrM3SEnzdk09AKJ/mrN2yy7uUPDNXZ7GpDeNJ3nVxHHRVC9STNpsLR5A4SQMApbbiPdQP3CjiQwI1Fj3wdZMfzkRU0EC2RJ2D6fY+SqTEiiDnzrlxmm4SGss3/2DnDv9kt+x1fuHCgCq+JZBR12d91le6s1/kt+b59gT6tjJsUNkbZv0x4hmqRrUFxy4bup12nIf80AegTb8gvS335sEXHA==","ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net;\n dkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=LMrZa8UP; dkim-atps=neutral;\n spf=pass (client-ip=2a01:4f8:c010:41de::1; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net;\n receiver=lists.ozlabs.org) smtp.mailfrom=weissschuh.net","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net;\n\ts=mail; t=1777971922;\n\tbh=3+TfV+G2pdtyPon4UoiayN0MzOd9dLRawRkDkEmqgQk=;\n\th=From:Subject:Date:To:Cc:From;\n\tb=LMrZa8UPBgDJoGIsTna8H4ZvARP53soQigqMBW1IArgIR1gf6B9u0afV70UvF1Uin\n\t jY7hg4rJog4rDzYGOXybUL/fOAPQdxnme7eKMB1xSTM2jyWQ7Rglh8OxRK5megVbEz\n\t 
wRQOU4R0TgMW8eukf1MmwueT3G6MQvi+aspNjLe8=","From":"=?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>","Subject":"[PATCH v5 00/14] module: Introduce hash-based integrity checking","Date":"Tue, 05 May 2026 11:05:04 +0200","Message-Id":"<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev+help@lists.ozlabs.org>","List-Owner":"<mailto:linuxppc-dev+owner@lists.ozlabs.org>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Subscribe":"<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>","List-Unsubscribe":"<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>","Precedence":"list","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"8bit","X-B4-Tracking":"v=1; b=H4sIAAAAAAAC/3XMy2rDMBCF4VcJWldlZiRFUVZ5j9KFLuNIkNrBS\n tyW4HevHAgFN13+B853E5XHwlXsNzcx8lRqGfoW5mUjYvb9kWVJrQUBaSQy8mNI1xPL7GvmKq0\n 34G2M5BWI9jmP3JWvu/f23jqXehnG7zs/4bL+J00oQSaLENl61SU8fHKptcZ8za89X8TCTfQgD\n CDBmqBGBI+400w22O4poX4JTW5NqEYAsCOzS9w5fkroB7EFRLUm9EIEpygFF8w2/CHmef4BycC\n Oj3gBAAA=","X-Change-ID":"20241225-module-hashes-7a50a7cc2a30","To":"Alexei Starovoitov <ast@kernel.org>,\n Daniel Borkmann <daniel@iogearbox.net>, Andrii Nakryiko <andrii@kernel.org>,\n Eduard Zingerman <eddyz87@gmail.com>,\n Kumar Kartikeya Dwivedi <memxor@gmail.com>,\n Nathan Chancellor <nathan@kernel.org>, Nicolas Schier <nsc@kernel.org>,\n Arnd Bergmann <arnd@arndb.de>, Luis Chamberlain <mcgrof@kernel.org>,\n Petr Pavlu <petr.pavlu@suse.com>, Sami Tolvanen <samitolvanen@google.com>,\n Daniel Gomez <da.gomez@samsung.com>, Paul Moore <paul@paul-moore.com>,\n James Morris <jmorris@namei.org>, \"Serge E. 
Hallyn\" <serge@hallyn.com>,\n Jonathan Corbet <corbet@lwn.net>, Madhavan Srinivasan <maddy@linux.ibm.com>,\n Michael Ellerman <mpe@ellerman.id.au>, Nicholas Piggin <npiggin@gmail.com>,\n Naveen N Rao <naveen@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>,\n Roberto Sassu <roberto.sassu@huawei.com>,\n Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,\n Eric Snowberg <eric.snowberg@oracle.com>,\n Nicolas Schier <nicolas.schier@linux.dev>,\n Daniel Gomez <da.gomez@kernel.org>, Aaron Tomlin <atomlin@atomlin.com>,\n \"Christophe Leroy (CS GROUP)\" <chleroy@kernel.org>,\n Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,\n Xiu Jianfeng <xiujianfeng@huawei.com>,\n Christophe Leroy <chleroy@kernel.org>","Cc":"Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>,\n  Yonghong Song <yonghong.song@linux.dev>, Jiri Olsa <jolsa@kernel.org>,\n  bpf@vger.kernel.org,\n =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>,\n  Arnout Engelen <arnout@bzzt.net>, Mattia Rizzolo <mattia@mapreri.org>,\n  kpcyrd <kpcyrd@archlinux.org>, Christian Heusel <christian@heusel.eu>,\n\t=?utf-8?q?C=C3=A2ju_Mihai-Drosi?= <mcaju95@gmail.com>,\n  Eric Biggers <ebiggers@kernel.org>,\n  Sebastian Andrzej Siewior <bigeasy@linutronix.de>,\n  linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,\n  linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,\n  linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,\n  linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org,\n  debian-kernel@lists.debian.org,\n =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>","X-Mailer":"b4 0.15.2","X-Developer-Signature":"v=1; a=ed25519-sha256; t=1777971921; l=7338;\n i=linux@weissschuh.net; s=20221212; h=from:subject:message-id;\n bh=3+TfV+G2pdtyPon4UoiayN0MzOd9dLRawRkDkEmqgQk=;\n b=B5jNaK8nrebPKZ5DQeOkk+hpzui5ffCiBEg6BGEicy81yoV1XDItYSp0mFpver92Pe1Oxtti+\n zOglNe9yqCQDsVc1y3PKkLJ8f0E9od2X+pmDKCsBbWMM9LZJWIQtHXw","X-Developer-Key":"i=linux@weissschuh.net; 
a=ed25519;\n pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw=","X-Spam-Status":"No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"The current signature-based module integrity checking has some drawbacks\nin combination with reproducible builds. Either the module signing key\nis generated at build time, which makes the build unreproducible, or a\nstatic signing key is used, which precludes rebuilds by third parties\nand makes the whole build and packaging process much more complicated.\n\nThe goal is to reach bit-for-bit reproducibility. Excluding certain\nparts of the build output from the reproducibility analysis would be\nerror-prone and force each downstream consumer to introduce new tooling.\n\nIntroduce a new mechanism to ensure only well-known modules are loaded\nby embedding a merkle tree root of all modules built as part of the full\nkernel build into vmlinux.\n\nInterest has been proclaimed by Arch Linux, Debian, Proxmox, SUSE, NixOS\nand the general reproducible builds community.\n\nCompatibility with IMA modsig is not provided yet. It is still unclear\nto me if it should be hooked up transparently without any changes to the\npolicy or it should require new policy options.\n\nBPF/BTF folks, please take a look at patch 1.\n\nFurther improvements:\n* Use MODULE_SIG_HASH for configuration\n* UAPI for discovery?\n\nTo: Nathan Chancellor <nathan@kernel.org>\nTo: Nicolas Schier <nsc@kernel.org>\nTo: Arnd Bergmann <arnd@arndb.de>\nTo: Luis Chamberlain <mcgrof@kernel.org>\nTo: Petr Pavlu <petr.pavlu@suse.com>\nTo: Sami Tolvanen <samitolvanen@google.com>\nTo: Daniel Gomez <da.gomez@samsung.com>\nTo: Paul Moore <paul@paul-moore.com>\nTo: James Morris <jmorris@namei.org>\nTo: Serge E. 
Hallyn <serge@hallyn.com>\nTo: Jonathan Corbet <corbet@lwn.net>\nTo: Madhavan Srinivasan <maddy@linux.ibm.com>\nTo: Michael Ellerman <mpe@ellerman.id.au>\nTo: Nicholas Piggin <npiggin@gmail.com>\nTo: Christophe Leroy <christophe.leroy@csgroup.eu>\nTo: Naveen N Rao <naveen@kernel.org>\nTo: Mimi Zohar <zohar@linux.ibm.com>\nTo: Roberto Sassu <roberto.sassu@huawei.com>\nTo: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>\nTo: Eric Snowberg <eric.snowberg@oracle.com>\nTo: Nicolas Schier <nicolas.schier@linux.dev>\nTo: Daniel Gomez <da.gomez@kernel.org>\nTo: Aaron Tomlin <atomlin@atomlin.com>\nTo: Christophe Leroy (CS GROUP) <chleroy@kernel.org>\nTo: Nicolas Schier <nsc@kernel.org>\nTo: Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>\nTo: Xiu Jianfeng <xiujianfeng@huawei.com>\nCc: Fabian Grünbichler <f.gruenbichler@proxmox.com>\nCc: Arnout Engelen <arnout@bzzt.net>\nCc: Mattia Rizzolo <mattia@mapreri.org>\nCc: kpcyrd <kpcyrd@archlinux.org>\nCc: Christian Heusel <christian@heusel.eu>\nCc: Câju Mihai-Drosi <mcaju95@gmail.com>\nCc: Eric Biggers <ebiggers@kernel.org>\nCc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>\nCc: linux-kbuild@vger.kernel.org\nCc: linux-kernel@vger.kernel.org\nCc: linux-arch@vger.kernel.org\nCc: linux-modules@vger.kernel.org\nCc: linux-security-module@vger.kernel.org\nCc: linux-doc@vger.kernel.org\nCc: linuxppc-dev@lists.ozlabs.org\nCc: linux-integrity@vger.kernel.org\nCc: debian-kernel@lists.debian.org\nSigned-off-by: Thomas Weißschuh <linux@weissschuh.net>\n\n---\nChanges in v5:\n- Document tree layout.\n- Make scripts/module-merkle-tree more robust.\n- Remove all changes to link-vmlinux.sh, use vmlinux.unstripped instead.\n- Clean up types and logic in modules-merkle-tree.c.\n- Use \"auth\" over \"integrity\" naming scheme.\n- Reduce the changes to the existing authentication flow.\n- Explicitly send the series to BTF folks for review of BTF changes.\n- Link to v4: 
https://patch.msgid.link/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net\n\nChanges in v4:\n- Use a Merkle tree over a linear list of hashes.\n- Provide compatibility with INSTALL_MOD_STRIP\n- Rework commit messages.\n- Use vmlinux.unstripped over plain \"vmlinux\".\n- Link to v3: https://lore.kernel.org/r/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net\n\nChanges in v3:\n- Rebase on v6.15-rc1\n- Use openssl to calculate hash\n- Avoid warning if no modules are built\n- Simplify module_integrity_check() a bit\n- Make incompatibility with INSTALL_MOD_STRIP explicit\n- Update docs\n- Add IMA cleanups\n- Link to v2: https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net\n\nChanges in v2:\n- Drop RFC state\n- Mention interested parties in cover letter\n- Expand Kconfig description\n- Add compatibility with CONFIG_MODULE_SIG\n- Parallelize module-hashes.sh\n- Update Documentation/kbuild/reproducible-builds.rst\n- Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net\n\n---\nThomas Weißschuh (14):\n      kbuild: generate module BTF based on vmlinux.unstripped\n      lockdown: Make the relationship to MODULE_SIG a dependency\n      kbuild: rename the strip_relocs command\n      module: Drop pointless debugging message\n      module: Make mod_verify_sig() static\n      module: Switch load_info::len to size_t\n      module: Make module authentication usable without MODULE_SIG\n      module: Move authentication logic into dedicated new file\n      module: Move signature type check out of mod_check_sig()\n      module: Prepare for additional module authentication mechanisms\n      module: update timestamp of modules.order after modules are built\n      module: Introduce hash-based integrity checking\n      kbuild: move handling of module stripping to Makefile.lib\n      kbuild: make CONFIG_MODULE_HASHES compatible with module stripping\n\n .gitignore                                   |   2 +\n 
Documentation/kbuild/reproducible-builds.rst |   5 +-\n Makefile                                     |   7 +-\n crypto/algapi.c                              |   4 +-\n include/asm-generic/vmlinux.lds.h            |  11 +\n include/linux/module.h                       |  18 +-\n include/linux/module_hashes.h                |  29 ++\n include/uapi/linux/module_signature.h        |   1 +\n kernel/module/Kconfig                        |  29 +-\n kernel/module/Makefile                       |   2 +\n kernel/module/auth.c                         | 139 +++++++++\n kernel/module/hashes.c                       |  95 ++++++\n kernel/module/hashes_root.c                  |   6 +\n kernel/module/internal.h                     |  18 +-\n kernel/module/main.c                         |  16 +-\n kernel/module/signing.c                      | 113 +-------\n kernel/module_signature.c                    |   8 +-\n scripts/.gitignore                           |   1 +\n scripts/Makefile                             |   4 +\n scripts/Makefile.lib                         |  32 +++\n scripts/Makefile.modfinal                    |  28 +-\n scripts/Makefile.modinst                     |  44 +--\n scripts/Makefile.vmlinux                     |  40 ++-\n scripts/include/xalloc.h                     |  29 ++\n scripts/link-vmlinux.sh                      |   3 +-\n scripts/modules-merkle-tree.c                | 416 +++++++++++++++++++++++++++\n security/integrity/ima/ima_modsig.c          |   5 +\n security/lockdown/Kconfig                    |   2 +-\n tools/include/uapi/linux/module_signature.h  |   1 +\n 29 files changed, 919 insertions(+), 189 deletions(-)\n---\nbase-commit: 585c2e775b12ef45bdf9cef5f679dcb1220e0d65\nchange-id: 20241225-module-hashes-7a50a7cc2a30\n\nBest regards,\n--  \nThomas Weißschuh <linux@weissschuh.net>"}