[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Verified Boot, Secure Boot, dm-verity, debcheckroot


On 16/11/2019 15:22, Elmar Stellnberger wrote:
>> There are tools that can help with checking all files on the hard drive
>> such as `debsums`. However, while `debsums` is more popular, it is
>> unsuitable.
>> Quote https://www.elstel.org/debcheckroot/
>> ...
>> During development of Verifiable Builds experiences were made with
>> verification of MBR, VBR, bootloader, partition table, kernel and
>> initrd. Source code was created to analyze such files.
>> https://www.whonix.org/wiki/Verifiable_Builds
> regarding verifiable builds with gcc, flex, bison, etc.:
> I have recompiled some of my self-written source code lately with gcc
> and the executables and object files were exactly the same.
> So when is a build now deterministic?
> I would be interested in comparing compilation results of the kernel
> sources. Does anyone know what needs to be met for these to be
> deterministic?
> From what Debian/gcc version on are deterministic builds supported? I
> remember this was a well discussed issue some time ago.
> I have a self compiled kernel under Debian8. I guess that one would
> not have been built deterministic?
> It is an issue to verify a self compiled kernel (I need to use the
> patch from https://www.elstel.org/software/hunt-for-4K-UHD-2160p.html.en).

The output can vary depending on build path, build date, files ordering,
and of course build dependencies.
For the compiler it is recommended to set SOURCE_DATE_EPOCH to trigger
deterministic behavior.

https://reproducible-builds.org/docs/ has a lot more on this :)


Reply to: