Differences between revisions 14 and 15
Revision 14 as of 2013-11-26 13:02:54
Size: 2243
Editor: ?Mempo
Comment:
Revision 15 as of 2013-11-26 13:06:17
Size: 2227
Editor: ?Mempo
Comment:
Deletions are marked like this. Additions are marked like this.
Line 33: Line 33:
 * Authors: members of Mempo project
 * Kernel version: 3.2.51
 * Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
 * Kernel extra patches: grsecurity patch
 * Kernel was built: 2 times.
 * Build tool: using mempo script.
 * Computer: built on same computer each time.
 * Directory: built in same directory path each time.
 * Fakedate: yes, using faketime 2013-10-19 12:58:00
 * Dpkg: not fixed (regular version from Debian 7)
 * System: build on Debian 7.1 amd64, linux kernel 3.2.46; gcc version 4.7.2-1
Authors: members of Mempo project
Kernel version: 3.2.51
Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
Kernel extra patches: grsecurity patch
Kernel was built: 2 times.
Build tool: using mempo script.
Computer: built on same computer each time.
Directory: built in same directory path each time.
Fakedate: yes, using faketime 2013-10-19 12:58:00
Dpkg: not fixed (regular version from Debian 7)
System: build on Debian 7.1 amd64, linux kernel 3.2.46; gcc version 4.7.2-1
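Review bot: every line in this hunk loses its leading ` * `, so these items stop rendering as a MoinMoin list and will only keep their one-per-line layout inside a preformatted `{{{ ... }}}` block; the closing `}}}}` is moved in the following hunks, but the opening delimiter is not visible in this diff, so confirm it precedes line 33.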
Line 52: Line 52:
}}}}
Line 54: Line 54:
attachment:3.2.51-29.10.2013-compilation-difffiles.txt list of different files
}}}}
 list of different files
<<AttachList(
attachment:3.2.51-29.10.2013-compilation-difffiles.txt)>>
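Review bot: the direct `attachment:3.2.51-29.10.2013-compilation-difffiles.txt` reference is replaced by the text ` list of different files` plus an `<<AttachList(...)>>` macro call, and the rendered page below shows only the words "list of different files" under "List of checksums:" with no visible link to the file; if the macro does not emit a link to that single attachment, a `[[attachment:3.2.51-29.10.2013-compilation-difffiles.txt|list of different files]]` link keeps the file reachable.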

ReproducibleBuildsKernel

This page describes how to build the Debian kernel in a reproducible (verifiable; see [ReproducibleBuilds]) way for security reasons.

As of now (2013-11) this work is:

  • about the Linux kernel
  • work in progress, describing the research on this topic

Steps:

  • Step 1: configure the kernel build to create identical intermediate files (.o etc.)
  • Step 2: configure the kernel build to create identical final files (.ko and the kernel image)
  • Step 3: configure the kernel build to create identical .deb packages

See the general instructions in [ReproducibleBuilds]; however, they are mainly about steps 2 and 3.

We are trying to create a script that does this deterministic build in a somewhat more automated way, adding:

  • verification of the downloaded sources (checked against a list of expected source checksums hardcoded in the script; the PGP signature is also checked against the kernel developers' public key, hardcoded in the script)
  • application of the security patches for the [Mempo] subproject
  • the grsecurity patch ([grsecurity.net])
  • misc patches if needed (e.g. quick fixes regarding security)
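As an added illustration of the source checks just listed (example code, not the mempo script and not from the deterministic-kernel repository), the POSIX shell fragment below checks a downloaded tarball against a checksum hardcoded in the script, checks its detached PGP signature against a hardcoded key fingerprint, and only then runs the build under faketime. The checksum, fingerprint, tarball and signature file names are placeholders; `gpg`, `faketime` and the kernel's `make deb-pkg` target are assumed to be available as on a Debian build host.

```shell
#!/bin/sh
# Added example, not the mempo script: verify kernel sources before building.
set -eu

# Placeholders: replace with the values published for the release you build.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
EXPECTED_FPR="0000000000000000000000000000000000000000"   # signing key fingerprint
SOURCE_TARBALL="linux-3.2.51.tar.xz"                     # hypothetical file name
SIGNATURE_FILE="linux-3.2.51.tar.xz.asc"                 # hypothetical file name
FAKE_DATE="2013-10-19 12:58:00"                          # date used in Test20131029

# sha256 of a file, with whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when the file's sha256 equals the expected value.
verify_checksum() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Succeeds only when gpg reports a valid signature AND the signing key's
# fingerprint is the hardcoded one: a valid signature made by some other key
# that happens to be in the keyring must not pass.
verify_signature() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Unpack the verified tarball and build under a fixed clock so that
# timestamps embedded by the build do not vary between runs.
build_kernel() {
    tar xf "$1"
    cd "${1%.tar.xz}"
    faketime "$FAKE_DATE" make -j"$(nproc)" deb-pkg
}

main() {
    verify_checksum "$SOURCE_TARBALL" "$EXPECTED_SHA256" ||
        { echo "checksum mismatch for $SOURCE_TARBALL" >&2; exit 1; }
    verify_signature "$SOURCE_TARBALL" "$SIGNATURE_FILE" "$EXPECTED_FPR" ||
        { echo "bad or unexpected signature for $SOURCE_TARBALL" >&2; exit 1; }
    build_kernel "$SOURCE_TARBALL"
}

# Run the whole procedure only when explicitly asked, so the functions can
# also be sourced and exercised one by one.
if [ "${1:-}" = "run" ]; then main; fi
```

The fingerprint check matters as much as the signature check: `gpg --verify` alone reports success for any key in the keyring, so a script that pins only a checksum list and not the signing key gains nothing from the signature step.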

This page should be usable for everyone in Debian, and the script we're writing will later be easy to run in pure-Debian mode too.

The script will be published at [https://github.com/mempo/deterministic-kernel]; please consider it absolute pre-alpha.

Tests

Here we paste research data.

Test20131029

Authors: members of Mempo project
Kernel version: 3.2.51
Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
Kernel extra patches: grsecurity patch
Kernel was built: 2 times.
Build tool: using mempo script.
Computer: built on same computer each time.
Directory: built in same directory path each time.
Fakedate: yes, using faketime 2013-10-19 12:58:00
Dpkg: not fixed (regular version from Debian 7)
System: built on Debian 7.1 amd64, linux kernel 3.2.46; gcc version 4.7.2-1
Build date: 2013-10-29
Machine name: (t/wb)

Results:
.o - all identical
.ko - some match, not all (22909 files are the same and 2539 are different)
vmlinuz - different
.deb - different

List of checksums:

  • list of different files

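The results above come from comparing the artifacts of two builds file by file. As an added example (not from this page or the mempo project), the POSIX shell script below does that comparison for two build trees: it lists the relative paths of the files with a given suffix that differ between the trees, counts identical and differing files per suffix, and writes the differing paths to a file of the kind attached above as the list of different files. It assumes `find`, `sort` and `sha256sum` (or `shasum`) and is run as `compare.sh TREE_A TREE_B difffiles.txt`.

```shell
#!/bin/sh
# Added example, not from the page or the mempo project: compare two build
# trees and report which artifacts of a given kind differ.
set -eu

# sha256 of a file, with whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Relative paths (one per line) of files under tree $1 ending in suffix $3
# whose content differs from, or is absent at, the same path under tree $2.
diff_files() {
    (cd "$1" && find . -type f -name "*$3" | sort) | while IFS= read -r rel; do
        if [ ! -f "$2/$rel" ] || [ "$(file_sha256 "$1/$rel")" != "$(file_sha256 "$2/$rel")" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Number of files with suffix $2 under tree $1.
count_total() { (cd "$1" && find . -type f -name "*$2" | wc -l | tr -d ' '); }

# Number of files with suffix $3 under tree $1 that differ from tree $2.
count_different() { diff_files "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Number of files with suffix $3 under tree $1 that are byte-identical in tree $2.
count_same() { echo $(( $(count_total "$1" "$3") - $(count_different "$1" "$2" "$3") )); }

# Print a summary in the style of the Results section and write the
# differing paths to $3 so they can be attached to the test record.
report() {
    for suffix in .o .ko; do
        same=$(count_same "$1" "$2" "$suffix")
        different=$(count_different "$1" "$2" "$suffix")
        if [ "$different" -eq 0 ]; then
            echo "$suffix - all identical ($same files)"
        else
            echo "$suffix - some match, not all ($same files are the same and $different are different)"
        fi
    done
    { diff_files "$1" "$2" .o; diff_files "$1" "$2" .ko; } > "$3"
}

if [ $# -eq 3 ]; then report "$1" "$2" "$3"; fi
```

Because the comparison is by content hash rather than by `cmp`, the same list of hashes can be published next to the build record, which lets someone who rebuilt on another machine check their own tree against the published values without needing the original tree.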
[CategoryKernel]