Re: Looking for feedback on CONFIG_MODULE_HASHES for Linux
On Tue, Nov 18, 2025 at 06:32:35PM +0100, Fabian Grünbichler wrote:
> On Thu, Nov 13, 2025, at 9:10 PM, Thomas Weißschuh via rb-general wrote:
> > The current form of the patches can be found at [1], they are only slightly
> > adapted from the previous submission to LKML.
I'll try and take a look at those.
> > adapted from the previous submission to LKML. Remaining open topics before the
> > next submission are proper IMA support and stripping of modules.
Yeah, stripping is a critical feature. My take on that would be
something like this:
- During the build process, not only link .ko, but also directly create
  the stripped version as maybe .ko.strip.
- INSTALL_MOD_STRIP will then only select which of the two files to
  install, not actually call strip.
As an additional thing: To mimic the current behaviour of the Debian
package, where we don't sign the unstripped files shipped for debugging
help, we only want the stripped versions to show up as hashes. But this we
could do on our own. In the end this may reduce the attack surface due
to a lot more debugging info.
> > So if you are packaging Linux for your distribution, have looked at my patches
> > and are eager to use them, please let me know. My plan is to talk with the
> > upstream maintainers at the upcoming Linux Plumbers Conference on 11th of
> > December.
> Given the recent discussion on IRC about this, I figured this might be
> the easiest way to get the ball rolling on potentially getting this patch
> series endorsed/.. by the Debian kernel team - or at least getting a
> written expression of interest or further discussion :)
Thank you for bringing this up. Yes, Debian is interested in this patch
set, so we can make our kernel builds reproducible again.
Bastian
--
We Klingons believe as you do -- the sick should die. Only the strong
should live.
-- Kras, "Friday's Child", stardate 3497.2