Differences between revisions 23 and 24
Revision 23 as of 2013-11-26 15:13:08 (size 2613, editor: Mempo)
Revision 24 as of 2013-11-26 15:13:33 (size 2609, editor: Mempo)

ReproducibleBuildsKernel

This page describes how to build the Debian kernel in a reproducible (verifiable, see [ReproducibleBuilds]) way, for security reasons.

As of now (2013-11) this work:

  • is about the Linux kernel
  • is work in progress, describing the research on this topic

Steps:

  • Step 1: configure the kernel build to create identical intermediate files (.o etc.)
  • Step 2: configure the kernel build to create identical final files (.ko and the kernel image)
  • Step 3: configure the kernel build to create identical .deb packages

See the general instructions in [ReproducibleBuilds]; however, they mainly cover steps 2 and 3.

We are trying to create a script that does this deterministic build in a somewhat more automated way, adding:

  • verification of the downloaded sources (check against a list of expected source checksums hardcoded in the script; also check the PGP signature against the hardcoded public key of the kernel developers)
  • application of the security patches for the [Mempo] subproject
  • the grsecurity patch ([grsecurity.net])
  • miscellaneous patches if needed (e.g. quick security fixes)

This page should be usable by everyone in Debian, and the script we are writing will later be easy to run in pure-Debian mode as well.

The script will be published at [https://github.com/mempo/deterministic-kernel]; please consider it absolutely pre-alpha.
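The following shell functions are an added example of the checks that steps 1 to 3 and the script features above call for; they are not the Mempo script and not code from the deterministic-kernel repository. Assumptions not taken from this page: checksums are passed in explicitly (a real script pins them inline), the kernel developers' public key lives in a dedicated keyring file, the kernel.org detached signature covers the uncompressed tarball (so the .xz is decompressed on the fly for gpg), and `./build-kernel.sh` is a hypothetical driver that configures and builds the kernel from SRC into an output directory.

```shell
#!/bin/sh
# Added example, not part of the Mempo tooling. Requires sha256sum, gpg, xz,
# diff and (for build_twice only) faketime.

# verify_checksum FILE EXPECTED_SHA256
# Step 0 of the script: refuse to build from a tarball whose sha256 does not
# match the value the script was written against.
verify_checksum() {
    have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$have" = "$2" ]
}

# verify_signature TARBALL_XZ SIGNATURE KEYRING
# kernel.org signs the uncompressed tarball, so decompress on the fly. Using a
# dedicated keyring (assumption: it holds only the pinned developer key) avoids
# trusting whatever happens to be in the user's default keyring.
verify_signature() {
    xz -cd "$1" | gpg --no-default-keyring --keyring "$3" --verify "$2" -
}

# find_timestamp_macros SRC
# Step 1 check: list source files still embedding __DATE__/__TIME__, which
# make .o files differ between builds unless patched out (or faked).
find_timestamp_macros() {
    grep -rl --include='*.c' --include='*.h' --include='*.S' \
        -e '__DATE__' -e '__TIME__' "$1" || true
}

# hash_tree DIR
# Sorted "sha256  relative-path" lines for the build products compared in the
# tests on this page: .o, .ko, vmlinuz* and .deb.
hash_tree() {
    ( cd "$1" && find . -type f \( -name '*.o' -o -name '*.ko' \
            -o -name 'vmlinuz*' -o -name '*.deb' \) -print0 \
        | sort -z | xargs -0 -r sha256sum )
}

# compare_trees DIR1 DIR2
# Print the products whose hash differs (or that appeared) in the second
# build; exit 0 only when the two trees are identical.
compare_trees() {
    a=$(mktemp)
    b=$(mktemp)
    hash_tree "$1" > "$a"
    hash_tree "$2" > "$b"
    changed=$(diff "$a" "$b" | grep '^>' | sed 's/^> //' || true)
    rm -f "$a" "$b"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# build_twice SRC OUT1 OUT2 FAKE_DATE
# Steps 2 and 3 as run in Test20131029: same machine, same source path, clock
# pinned with faketime, then compare the two result trees.
# ./build-kernel.sh is a hypothetical driver, not a real script.
build_twice() {
    for out in "$2" "$3"; do
        faketime "$4" ./build-kernel.sh "$1" "$out"
    done
    compare_trees "$2" "$3"
}
```

Typical use is `verify_checksum linux-3.2.51.tar.xz <pinned sum> && verify_signature linux-3.2.51.tar.xz linux-3.2.51.tar.sign kernel-devs.gpg`, then `build_twice linux-3.2.51 out1 out2 '2013-10-19 12:58:00'`; the list printed by `compare_trees` is exactly the "example different .ko files" data the tests below record.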

Tests

Research data is collected here.

Test20131029

Authors: members of Mempo project
Kernel version: 3.2.51 
Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__ 
Kernel extra patches: grsecurity patch
Kernel was built: 2 times.
Build tool: using mempo script.
Computer: built on same computer each time.
Directory: built in same directory path each time.
Fakedate: yes, using faketime 2013-10-19 12:58:00
Dpkg: not fixed (regular version from Debian 7)
System: built on Debian 7.1 amd64, gcc version 4.7.2-1, Linux kernel 3.2.46
Build date: 2013-10-29
Machine name: (t/wb)

Results:
.o - all identical
.ko - some match, not all (22909 files are the same and 2539 are different)
vmlinuz - different
.deb - different

List of checksums:

Example different .ko files:

We would like to invite you to work with us on this topic! Contact us at #mempo on irc.freenode.org.

You can build the kernel deterministically using our tools: https://github.com/Happuri/deterministic-kernel

[CategoryKernel]