Differences between revisions 121 and 122
Revision 121 as of 2014-02-10 10:57:22
Size: 10994
Editor: ?Mempo
Comment:
Revision 122 as of 2014-02-10 11:07:37
Size: 11277
Editor: ?Mempo
Comment: link grsec ; doc goal
Line 2: Line 2:
{{{#!wiki note
Line 4: Line 4:
}}}
Line 15: Line 14:
== Grsecurity == == Goal ==

Users should be able to rebuild identical kernel that matches the distributed .deb files, to know that they do not contain a virus added on top of the source code.

<<Anchor(grsecurity)>>
== optional Grsecurity ==
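Review bot: the Goal paragraph names only "a virus added on top of the source code", while the page introduction describes the same check as detecting "added backdoors/viruses"; use one wording in both places, and write "rebuild an identical kernel". The heading "== optional Grsecurity ==" also starts in lower case, unlike "== Goal ==" next to it.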
Line 20: Line 24:
To fully use Grsecurity kernel you /!\ '''must''' follow steps in [[#install]]. (Note to editors: please leave this secion/anchor even if this topic would be moved)

To fully use Grsecurity kernel you /!\ '''must''' follow steps in [[#install]]!
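Review bot: "secion" in the note to editors is a typo for "section". The "must follow steps in [[#install]]" sentence appears here in two variants, one carrying the editor note and one ending in "!"; keep the editor note next to the anchor it refers to so it does not read as part of the reader-facing warning.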

SameKernel - Deterministic Kernel - allows building the kernel in a verifiable way, to know whether the .deb indeed matches the source code of the kernel, without added backdoors/viruses.

Beta-testing as of 2014-02-10:

  • this is a beta-version. The Mempo team will help you on irc://irc.oftc.net/#mempo (or chat-webpage or anonymous); please wait up to 48 hours for our reply!

  • Linux kernel only, testing on amd64 (and i386?)
  • includes by default #grsecurity, but that can be easily removed

News: https://github.com/mempo/deterministic-kernel/commits/master :) and #mempo

Goal

Users should be able to rebuild an identical kernel that matches the distributed .deb files, to know that they do not contain a virus added on top of the source code.

optional Grsecurity

In our SameKernel script, grsecurity is enabled by default.

To disable it, just remove the grsecurity line in the script's sources.list and then run the build.

(Note to editors: please leave this section/anchor even if this topic would be moved)

To fully use Grsecurity kernel you /!\ must follow steps in #install!

Releases and Downloads

Version v0.1.25-rc2

  • wheezy, with grsecurity/mempo, variant "good"

    • linux-image-3.2.54-grsec-mempo.good.0.1.25_02_amd64.deb = sha256:589a30c6902679d0e9e359ae218a03d1876bcc6eb1049b60c823a45191e9cad9 mirror1

    • linux-headers-3.2.54-grsec-mempo.good.0.1.25_02_amd64.deb = sha256:2c52b8d6c4a9f0de9371ce16e256cbac781c15191b67cf997e17426b96043d82 mirror1

  • wheezy, without grsecurity
    • not tested yet (TODO)
    • not tested yet (TODO)

Install kernel from SameKernel

  • Get the .deb files either from download or build.

  • install them with dpkg -i thefiles.deb

  • /!\ for the grsecurity version you must run the setfattr script for grsecurity (https://wiki.debian.org/grsecurity/setfattr) and follow the other instructions there (enable user_xattr), otherwise JIT-using programs like java, python, firefox, icedove etc. will be prohibited from running!

  • if you are interested in more kernel-related and other security tools, see: Mempo#install

Progress

Steps of this project:

  • (./) Step1 configure kernel build to create identical intermediate files: .o

  • (./) Step2 configure kernel build to create identical final files: .ko

  • (./) Step3 identical .gz files (docs?)

  • (./) Step4 have all files identical, and vmlinux too, including the vmlinux .notes

  • (./) Step5 have identical .deb files on the same machine

  • (./) Step6 have identical .deb files on different machines :-) (this works, provided username kernelbuild and directory /home/kernelbuild/deterministic-kernel/)

  • (./) Step6b fix varying xz header/tail between some machines ( /Test#v0.1.23-rc1_buildA )

  • Step7a remove requirement of having same directory
  • Step7b remove requirement of having same username
  • Step8 test if hostname, and timezone are ignored
  • Step9 any other differences between alpha-testers doing the verification

See general instructions for all programs: ReproducibleBuilds .

We created a script that does this deterministic build in a somewhat more automated way, with these additions:

  • verification of downloaded sources (check against a list of expected source checksums hardcoded in the script; also check the PGP signature with the hardcoded public key of the kernel developers)
  • apply security patches for the Mempo subproject

  • grsecurity patch - http://grsecurity.net/

  • misc patches if needed (e.g. quick fixes regarding security)

This page should be usable for everyone in Debian, and the script we're writing will later be easy to run in pure-Debian mode too.

Build

Build from sources easily - get the software and publish a (PGP-signed) checksum confirmation so that other users can trust the binary .deb we publish.

/!\ Extra tools that are not-standard-wheezy and are installed globally:

  • GNU gettext >= 0.18.2 (install them from official debian-wheezy backports)

/!\ Extra tools that do not need any non-standard global changes:

  • User local installation of dpkg pu/reproducible_builds - instructions below

  • As root from normal repository install faketime (in wheezy) and other common programs

Prepare dependencies for Build

As root :

apt-get install faketime time git build-essential libncurses5-dev libncursesw5-dev kernel-package md5deep gcc-4.7-plugin-dev g++ make time automake pkg-config flex

Create user for kernel build

/!\ At this moment, to get the same *.deb kernel files on different machines, the build must be run as the same user!

Create unix user kernelbuild.

Get and build dpkg

We are using Lunar's branch of dpkg: pu/reproducible_builds. We need GNU gettext >= 0.18.2, therefore on wheezy please add:

deb http://YOURMIRROR.debian.org/debian wheezy-backports main

to /etc/apt/sources.list and run:

# aptitude update
# aptitude install -t wheezy-backports gettext autopoint

Please use Mempo's script: https://github.com/mempo/mempo-deb/tree/master/pack/dpkg that will fetch, build and install reproducible-dpkg locally (no need to upgrade your system-wide dpkg). Note: it will delete our old directory in home without asking.

cd ~
rm -rf mempo-deb/
git clone https://github.com/mempo/mempo-deb
cd mempo-deb/pack/dpkg
./build-and-install-locally.sh

Run kernel compilation

In the home directory run the following (it will delete our old directory in home without asking):

cd ~
rm -rf deterministic-kernel/ ; git clone https://github.com/mempo/deterministic-kernel.git && cd deterministic-kernel/  && bash run.sh

Press ENTER to confirm (e.g. the download) and then the kernel should build :)

/!\ (Or better, execute this by hand and check the sha1sum of the git version)

How this works

The following fixes are applied:

  • (TODO update this doc)
  • (./) set env options like USER, HOST

  • (./) faketime

  • (./) replace TIME with a given time in the kernel sources (maybe not needed since faketime, however it's a cleaner solution to the problem)

  • (./) overlay fix-md5sums-sort.patch

  • (./) overlay fix-remove-debuglink.patch (probably not needed because of pu/reproducible_builds debhelper)

  • (./) overlay fix-kpkg-gz.patch (probably not needed because of pu/reproducible_builds dpkg)

  • (./) overlay fix-deterministic-buildinfo.patch

  • (./) change build-id to build-id=none (not sure if needed, will be tested)

  • (./) tar --mtime and sorting files are managed by reproducible dpkg

  • (./) deterministic ar is set by reproducible dpkg

  • (./) force always same XZ options: CRC and compression in our dpkg from Mempo
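
What pinning timestamps, member order and ownership does to an archive, shown as an added example (this is not the code of the reproducible dpkg branch or of run.sh). FIXED_MTIME and the function names are hypothetical; GNU tar and gzip are assumed.

```sh
#!/bin/sh
# Added example, not the patched dpkg's code. FIXED_MTIME and the function
# names are hypothetical; GNU tar and gzip are assumed.
FIXED_MTIME=1392000000   # constructed value: any epoch all builders agree on

# pack_naive TREE OUT
# Archive metadata (mtime, owner, member order) comes from the build machine.
pack_naive() {
    ( cd "$1" && tar -cf - . ) | gzip -n > "$2"
}

# pack_fixed TREE OUT
# Same content, but the machine-dependent fields are pinned:
#   sort -z                 fixes the member order
#   --mtime                 fixes every timestamp
#   --owner/--group with --numeric-owner drop the builder's user and group
#   gzip -n                 keeps name and timestamp out of the gzip header
pack_fixed() {
    ( cd "$1" &&
      find . -print0 | LC_ALL=C sort -z |
      tar --create --file=- --format=gnu \
          --null --no-recursion --files-from=- \
          --mtime="@$FIXED_MTIME" \
          --owner=0 --group=0 --numeric-owner ) | gzip -n -9 > "$2"
}

# same_hash FILE_A FILE_B: succeeds when both files have the same SHA-256.
same_hash() {
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}
```

File modes are still taken from disk, so two builders with a different umask can still produce different archives.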

Trust chain

For Mempo-Kernel: obtain the .deb from the mempo repository, then check its checksum with trustworthy people who built the .deb from source and saw that it produces the same binary as in the repository.

  • YOU: check checksum of .deb and look for trusted 3rd party signed message that such .deb is fine.
  • Volunteers: will spend the 2-3 hours needed to build and verify our .deb and then confirm you can trust the .deb with given checksum.

So the full chain of trust is:

  • you should install the .deb of Kernel
  • if this is the official Debian Kernel, once Debian uses the script/technique described here, then this .deb is signed by the apt-get GPG key so you trust it implicitly - all done. And you are able to repeat the build process to verify that the apt-get GPG key was not compromised.
  • if this is for the Mempo-Kernel, then until this flavour is hopefully included in Official Debian as another kernel option, it is not signed by the GPG key of Debian official apt-get.

  • in this case, verify if the .deb file you downloaded is signed by security@mempo.org

  • but how do you verify that security@mempo.org is not compromised nor malicious?

  • for this verification, you can build the kernel yourself as described here
  • compare the content of the provided and the built .deb with each other
  • if matching, you can publish that "Kernel .deb file with checksum sha512:........ was unpacked and verified to match results of compilation from source by me" so others can do it easier.
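
One way to carry out the checksum check and the content comparison from the list above, as an added example (not part of the SameKernel scripts). The function names are hypothetical, and both packages are assumed to have been unpacked beforehand with dpkg-deb -R.

```sh
#!/bin/sh
# Added example, not part of run.sh. Function names are hypothetical.
# Assumed unpack step, run beforehand for each package:
#   dpkg-deb -R published.deb published/
#   dpkg-deb -R rebuilt.deb   rebuilt/

# check_sha256 FILE EXPECTED_HEX
# Succeeds only if FILE hashes to the published value.
check_sha256() {
    actual=$(sha256sum < "$1" | cut -d ' ' -f 1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# manifest DIR
# Prints "sha256  ./path" for every regular file below DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# diff_trees DIR_A DIR_B
# Prints the paths whose content differs or that exist on one side only.
# Returns 0 and prints nothing when both trees hold the same files.
diff_trees() {
    # A line present in both manifests occurs twice and is dropped by uniq -u;
    # cut strips the 64-hex-digit hash and the two separator characters.
    changed=$( { manifest "$1"; manifest "$2"; } |
        LC_ALL=C sort | uniq -u | cut -c67- | LC_ALL=C sort -u )
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}
```

Only file contents are compared here; ownership, modes and timestamps stored in the package are not, so matching trees are weaker evidence than two .deb files with the same checksum.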

In time, we will upgrade the build script to have the final .deb file identical, then the procedure will be even faster (just run run.sh and publish the sha512 of your .deb).

The Mempo project might release the .deb in its own repository for easy installation for people that want this.

Ultimately, Debian.org might one day officially include Mempo-kernel in Debian repository (though, even then checksum based verification will be more secure, in case of ftp master key being compromised).

FAQ

FAQ posts solutions to common questions and problems:

wrong checksum on file (on linux kernel)

Probably the file was corrupted in the cached download on your hard drive, in ~/Downloads/linux... or in kernel-sources/ where you build SameKernel. Delete this partially downloaded file, and the script will re-download it. Or, in rare cases, it could mean a network download error, or an actual attack on you (DNS spoof/network takeover, sending a malicious file instead); in such a case back up the file and report it to people you trust / security researchers.

wrong checksum on file (other file, included in SameKernel)

files corrupted on disk, or mistake in our script/sources listing. Contact us.

error unknown option '-' to gzip

error caused by unknown problem, seen by us 1 time so far, please tell us on IRC if you see it too

wrong dpkg version

do as the error message says.

can not run as root

do as the error message says.

wrong username

do as the error message says.

wrong directory

do as the error message says.

Test

Tests - please test this script and report any problems to Mempo and on IRC #mempo; also add them here to the wiki in /Test

CategoryKernel