
Re: Verified Boot, Secure Boot, dm-verity, debcheckroot



Hi,

On 16/11/2019 15:22, Elmar Stellnberger wrote:
>
>> There are tools that can help with checking all files on the hard drive
>> such as `debsums`. However, while `debsums` is more popular, it is
>> unsuitable.
>>
>> Quote https://www.elstel.org/debcheckroot/
>>
>> ...
>> During development of Verifiable Builds, experience was gained with
>> verification of the MBR, VBR, bootloader, partition table, kernel and
>> initrd. Source code was created to analyze such files.
>>
>> https://www.whonix.org/wiki/Verifiable_Builds
>
> regarding verifiable builds with gcc, flex, bison, etc.:
>
> I have recompiled some of my self-written source code lately with gcc
> and the executables and object files were exactly the same.
> So when is a build now deterministic?
> I would be interested in comparing compilation results of the kernel
> sources. Does anyone know what needs to be met for these to be
> deterministic?
> From what Debian/gcc version on are deterministic builds supported? I
> remember this was a well discussed issue some time ago.
> I have a self compiled kernel under Debian8. I guess that one would
> not have been built deterministically?
> It is an issue to verify a self compiled kernel (I need to use the
> patch from https://www.elstel.org/software/hunt-for-4K-UHD-2160p.html.en).

The output can vary depending on build path, build date, file ordering,
and of course build dependencies.
For the compiler it is recommended to set SOURCE_DATE_EPOCH to trigger
deterministic behavior.

https://reproducible-builds.org/docs/ has a lot more on this :)

Cheers!
Sylvain

