ReproducibleBuildsKernel
This page describes how to build a Debian kernel in a reproducible (verifiable - see [ReproducibleBuilds]) way for security reasons.
As of now (2013-11) this work is:
- about Linux kernel
- work in progress - describing the research of this topic
Steps:
- Step 1: configure kernel build to create identical intermediate files: .o etc.
- Step 2: configure kernel build to create identical final files: .ko and image
- Step 3: configure kernel build to create identical .deb
See general instructions: [ReproducibleBuilds]; however, they are mainly for steps 2 and 3.
We are trying to create a script that does this deterministic build in a bit more automated way with added:
- verification of downloaded sources (check against a list of expected source checksums hardcoded in the script; also check the PGP signature with a hardcoded public key of the kernel developers)
- apply security patches for the [Mempo] subproject
- grsecurity patch - [grsecurity.net]
- misc patches if needed (e.g. quick fixes regarding security)
This page should be usable for everyone in Debian, and the script we're writing will later be easy to run in pure-Debian mode too.
The script will be published at [https://github.com/mempo/deterministic-kernel]; please consider it absolute pre-alpha.
Tests
Here we paste research data.
Test20131029
- Authors: members of Mempo project
- Kernel version: 3.2.51
- Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
- Kernel extra patches: grsecurity patch
- Kernel was built: 2 times.
- Build tool: using mempo script.
- Computer: built on same computer each time.
- Directory: built in same directory path each time.
- Fakedate: yes, using faketime 2013-10-19 12:58:00
- Dpkg: not fixed (regular version from Debian 7)
- System: build on Debian 7.1 amd64, linux kernel 3.2.46; gcc version 4.7.2-1
- Build date: 2013-10-29
- Machine name: (t/wb)
- Results:
  - .o - all identical
  - .ko - some match, not all (22909 files are the same and 2539 are different)
  - vmlinuz - different
  - .deb - different
List of checksums:
- list of different files
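
The per-file-type tally in the Results above (.o identical, some .ko different, vmlinuz different) can be produced by comparing the two build trees byte for byte. This is an added example, not the Mempo script; the function names `compare_builds`, `summarize_by_ext` and `make_sample_trees` and the tiny sample trees are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: compare two build trees and tally results per file extension.
# Limits: file names containing newlines are not supported, and files that
# exist only in the second tree are not reported.

# Print "same <path>", "diff <path>" or "missing <path>" for every file in tree A.
compare_builds() (
    a=$1; b=$2
    (cd "$a" && find . -type f) | sort | while IFS= read -r rel; do
        if [ ! -f "$b/$rel" ]; then echo "missing $rel"
        elif cmp -s "$a/$rel" "$b/$rel"; then echo "same $rel"
        else echo "diff $rel"
        fi
    done
)

# Read compare_builds output; print "<ext> same=N diff=M missing=K" per extension.
summarize_by_ext() {
    awk '{
        status = $1
        path = substr($0, length(status) + 2)      # keeps spaces in paths
        n = split(path, parts, "/"); base = parts[n]
        ext = (base ~ /\./) ? substr(base, match(base, /\.[^.]*$/)) : "(none)"
        count[ext, status]++; seen[ext] = 1
    }
    END {
        for (e in seen)
            printf "%s same=%d diff=%d missing=%d\n", e,
                   count[e, "same"], count[e, "diff"], count[e, "missing"]
    }' | sort
}

# Constructed sample: two tiny trees mimicking the pattern reported on this page.
make_sample_trees() (
    root=$1
    mkdir -p "$root/a/drivers" "$root/b/drivers"
    for t in a b; do
        echo "obj" > "$root/$t/drivers/foo.o"               # identical
        echo "mod" > "$root/$t/drivers/same.ko"             # identical
        echo "mod built-$t" > "$root/$t/drivers/stamp.ko"   # differs
        echo "img built-$t" > "$root/$t/vmlinuz"            # differs
    done
)

# Usage: sh compare.sh BUILD_DIR_1 BUILD_DIR_2
if [ "$#" -eq 2 ]; then
    compare_builds "$1" "$2" | summarize_by_ext
fi
```

Piping `compare_builds` through `grep '^diff '` gives the list of differing files to inspect further.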