Re: Compatibility between kernel and modules

To: bluca@debian.org, waldi@debian.org
Cc: debian-kernel@lists.debian.org
Subject: Re: Compatibility between kernel and modules
From: James Addison <jay@jp-hosting.net>
Date: Wed, 11 Jan 2023 12:55:15 +0000
Message-id: <[🔎] CALDQ5Ny3jbTLOckq2YmvnSh9emQspcSubEvC2n9JSjC80GKTZA@mail.gmail.com>

On Thu, 15 Dec 2022 11:10:52AM +0000, Luca Boccassi wrote:
> On Sat, Dec 10, 2022 at 02:27:12PM +0100, Bastian Blank wrote:
>> If we go with the last option we would have also some direct advantages.
>> We could stop signing modules with the secure boot key, but use a
>> temporary key.  This would for a system with signature checking enabled
>> effectively trash all possibilities to load modules for a different
>> kernel build.

>> What should we do?

> +1 on using the ephemeral key from me, those advantages seem to
> outweight the drawbacks. It should be possible, in theory, to teach
> diffoscope to ignore the embedded ephemeral public key in the kernel
> image when comparing builds?

Would using a multi-stage module-signing approach[1] help?  (if I
understand correctly, the embedded certificate material should be
static and thus reproducible)

[1] - https://www.kernel.org/doc/html/v6.1/kbuild/reproducible-builds.html#module-signing

(note: apologies for the lack of an in-reply-to email header on this
message.  I'm not subscribed to the list but wanted to add a reply,
and couldn't figure out how to set that header manually in the email
client I'm using)

Reply to:

Prev by Date: Bug#1028463: linux: enable MEI options for Intel ARC
Next by Date: Bug#996839: [PATCH v1] perf script flamegraph: Avoid d3-flame-graph package dependency
Previous by thread: Bug#1028463: linux: enable MEI options for Intel ARC
Next by thread: Processed: Found in 6.1.4-1
Index(es):
- Date
- Thread