Removing the CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG checks in the first two patches is correct, as previously mentioned. However, without these Kconfigs being enabled, the IMA arch-specific policy defines and enforces signature verification based on the signatures stored in security.ima. I doubt this is what was intended. Changes would be needed in ima_appraise_measurement(). It's not enough to test whether the policy permits appended signatures (modsig), but to detect whether CONFIG_MODULE_SIG is enabled. In addition, similar support to try_modsig needs to be added for CONFIG_MODULE_HASHES.

thanks,

Mimi

> Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
> general reproducible builds community.
>
> To properly test the reproducibility in combination with CONFIG_INFO_BTF
> another patch or pahole v1.29 is needed:
> "[PATCH bpf-next] kbuild, bpf: Enable reproducible BTF generation" [0]
>
> Questions for current patch:
> * Naming
> * Can the number of built-in modules be retrieved while building
>   kernel/module/hashes.o? This would remove the need for the
>   preallocation step in link-vmlinux.sh.
> * How should this interact with IMA?
>
> Further improvements:
> * Use a LSM/IMA Keyring to store and validate hashes
> * Use MODULE_SIG_HASH for configuration
> * UAPI for discovery?
> * Currently has a permanent memory overhead
>
> [0] https://lore.kernel.org/lkml/20241211-pahole-reproducible-v1-1-22feae19bad9@xxxxxxxxxxxxxx/
>
> Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Rebase on v6.15-rc1
> - Use openssl to calculate hash
> - Avoid warning if no modules are built
> - Simplify module_integrity_check() a bit
> - Make incompatibility with INSTALL_MOD_STRIP explicit
> - Update docs
> - Add IMA cleanups
> - Link to v2: https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@xxxxxxxxxxxxxx
>
> Changes in v2:
> - Drop RFC state
> - Mention interested parties in cover letter
> - Expand Kconfig description
> - Add compatibility with CONFIG_MODULE_SIG
> - Parallelize module-hashes.sh
> - Update Documentation/kbuild/reproducible-builds.rst
> - Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@xxxxxxxxxxxxxx
>
> ---
> Thomas Weißschuh (9):
>       powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
>       ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
>       kbuild: add stamp file for vmlinux BTF data
>       kbuild: generate module BTF based on vmlinux.unstripped
>       module: Make module loading policy usable without MODULE_SIG
>       module: Move integrity checks into dedicated function
>       module: Move lockdown check into generic module loader
>       lockdown: Make the relationship to MODULE_SIG a dependency
>       module: Introduce hash-based integrity checking
>
>  .gitignore                                   |  1 +
>  Documentation/kbuild/reproducible-builds.rst |  5 ++-
>  Makefile                                     |  8 +++-
>  arch/powerpc/kernel/ima_arch.c               |  3 +-
>  include/asm-generic/vmlinux.lds.h            | 11 ++++++
>  include/linux/module.h                       |  8 ++--
>  include/linux/module_hashes.h                | 17 +++++++++
>  kernel/module/Kconfig                        | 21 ++++++++++-
>  kernel/module/Makefile                       |  1 +
>  kernel/module/hashes.c                       | 56 ++++++++++++++++++++++++++++
>  kernel/module/internal.h                     |  8 +---
>  kernel/module/main.c                         | 51 ++++++++++++++++++++++---
>  kernel/module/signing.c                      | 24 +-----------
>  scripts/Makefile.modfinal                    | 18 ++++++---
>  scripts/Makefile.modinst                     |  4 ++
>  scripts/Makefile.vmlinux                     |  5 +++
>  scripts/link-vmlinux.sh                      | 31 ++++++++++++++-
>  scripts/module-hashes.sh                     | 26 +++++++++++++
>  security/integrity/ima/ima_efi.c             |  6 +--
>  security/lockdown/Kconfig                    |  2 +-
>  20 files changed, 250 insertions(+), 56 deletions(-)
> ---
> base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
> change-id: 20241225-module-hashes-7a50a7cc2a30
>
> Best regards,