Re: Compatibility between kernel and modules

To: debian-kernel@lists.debian.org
Subject: Re: Compatibility between kernel and modules
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 14 Dec 2022 09:47:33 +0100
Message-id: <[🔎] Y5mNpX+75jYRKYYF@eldamar.lan>
Mail-followup-to: debian-kernel@lists.debian.org
In-reply-to: <[🔎] Y5SJMI6yaomKm7jq@shell.thinkmo.de>
References: <[🔎] Y5SJMI6yaomKm7jq@shell.thinkmo.de>

Hi Bastian,

Thanks for raising the topic.

On Sat, Dec 10, 2022 at 02:27:12PM +0100, Bastian Blank wrote:
> Hi
> 
> Our documented, I think, policy is, that we don't support loading new
> modules into an old kernel within the same ABI.  This forces a reboot
> after kernel installation.
> 
> However in a lot of cases this just worked.  You could update the kernel
> package and continue loading most modules.
> 
> Now we have BTF support enabled, which trashes this compatibility
> mostly, as it requires a way more strict match between kernel image and
> modules.
> 
> We need to fix that somehow.  Options are as far as I see
> - remove BTF from modules,
> - allow to load modules even on BTF mismatch, or
> - reinforce that a user can't do that.
> 
> If we go with the last option we would have also some direct advantages.
> We could stop signing modules with the secure boot key, but use a
> temporary key.  This would for a system with signature checking enabled
> effectively trash all possibilities to load modules for a different
> kernel build.
> 
> This would do directly for use:
> - A way faster build, as we don't longer require multi-10k signatures,
>   but only a handfull, from the HSM.
> - We might be forced by shim/UEFI to support SBAT if we load secure boot
>   signed stuff.  If we just need to revoke the complete kernel, SBAT on
>   the kernel itself is enough.
> - We can do pre-built initramfs and unified image without two rounds in
>   the signing service.
> - We fix the current signatures without certificate chain, but which are
>   still chained to the Debian secure boot CA.  (sign-file simply can't
>   handle cert chains, while the kernel itself can check them on loading.)
> 
> What should we do?

I do agree we have to handle this before the bookworm release. Most of
the time it was a non-issue but only due to the fact that an ABI bump
was the most sensible next step for the upload (recent stable updates
have enough changes per release which makes as well easier rollback
for users in case of issues). So at least in my case I almost every
time bumped ABI, but every time we do not a report about the BTF
mismatch problem get reported.

That said, I'm not sure what we should do. Ben?

Salvatore

Reply to:

References:
- Compatibility between kernel and modules
  - From: Bastian Blank <waldi@debian.org>

Prev by Date: linux_5.10.158-2_source.changes ACCEPTED into proposed-updates
Next by Date: electric bicycle manufacture
Previous by thread: Compatibility between kernel and modules
Next by thread: Re: Compatibility between kernel and modules
Index(es):
- Date
- Thread