SameKernel - Deterministic Kernel - lets you build the kernel in a verifiable way, so you can check that a distributed .deb really matches the kernel source code, with no backdoors or viruses added.

Current status

beta-testing as of 2014-02-10

News: see the commit log at https://github.com/mempo/deterministic-kernel/commits/master and the IRC channel #mempo

Goal

Users should be able to rebuild an identical kernel that matches the distributed .deb files, and so know that those files do not contain a virus added on top of the source code.

Optional Grsecurity

In our SameKernel script, grsecurity is enabled by default.

To disable it, remove the grsecurity line from the script's sources.list and then run the build.

/!\ To fully use the Grsecurity kernel you must follow the steps in #install!

(Note to editors: please leave this section/anchor even if this topic would be moved)

Releases and Downloads

Version v0.1.25-rc2

Install kernel from SameKernel

Progress

Steps of this project:

See the general instructions for all programs: ReproducibleBuilds.

We created a script that does this deterministic build in a more automated way, with the following additions:

This page should be usable by everyone in Debian, and the script we are writing will later be easy to run in pure-Debian mode too.

Build

Build from source easily: get the software and publish a (PGP-signed) checksum confirmation, so that other users can trust the binary *.deb we publish.

/!\ Extra tools that are not standard in wheezy and are installed globally:

/!\ Extra tools that need no non-standard global changes:

Prepare dependencies for Build

As root :

apt-get install faketime time git build-essential libncurses5-dev libncursesw5-dev kernel-package md5deep gcc-4.7-plugin-dev g++ make automake pkg-config flex

Create user for kernel build

/!\ At this moment, to get the same *.deb kernel files on different machines, the build must be run under the same user name on each machine!

Create a unix user kernelbuild.

Get and build dpkg

We are using Lunar's branch of dpkg: pu/reproducible_builds. It needs GNU gettext >= 0.18.2, so on wheezy please add:

deb http://YOURMIRROR.debian.org/debian wheezy-backports main

to /etc/apt/sources.list and run:

# aptitude update
# aptitude install -t wheezy-backports gettext autopoint

Please use Mempo's script https://github.com/mempo/mempo-deb/tree/master/pack/dpkg, which fetches, builds and installs the reproducible dpkg locally (no need to upgrade your system-wide dpkg). Note that the commands below delete any existing ~/mempo-deb directory without asking:

cd ~
rm -rf mempo-deb/
git clone https://github.com/mempo/mempo-deb
cd mempo-deb/pack/dpkg
./build-and-install-locally.sh

Run kernel compilation

In your home directory run the following (it deletes any existing ~/deterministic-kernel directory without asking):

cd ~
rm -rf deterministic-kernel/ ; git clone https://github.com/mempo/deterministic-kernel.git && cd deterministic-kernel/  && bash run.sh

Press ENTER to confirm (e.g. the download) and then the kernel should build :)

/!\ (Or better, run these steps by hand and check the sha1 commit hash of the git checkout you are about to build)

How this works

Following fixes are applied:

Trust chain

For the Mempo-Kernel: obtain the *.deb from the mempo repository, then compare its checksum with trustworthy people who built the *.deb from source themselves, and check whether their build produces the same binary as the one in the repository.

So the full chain of trust is:

But how do you verify that security@mempo.org is neither compromised nor malicious?

In time, we will upgrade the build script so that the final *.deb file is bit-for-bit identical; then the procedure is even faster (just run run.sh and publish the sha512 of your *.deb).

The Mempo project might release the *.deb in its own repository, for easy installation by people who want this.

Ultimately, Debian.org might one day officially include the Mempo-kernel in the Debian repository (though even then checksum-based verification will be more secure, in case the ftp-master key is compromised).
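The checksum exchange described in the Build section and in the trust chain above, as an added example (not the SameKernel/Mempo project's own code): a builder publishes SHA512SUMS for the *.deb files it produced, and a user verifies a downloaded *.deb against that list, optionally checking a detached PGP signature on the list first. The file names SHA512SUMS and SHA512SUMS.asc and the helper names are assumptions of this example, not something the project defines.

```shell
#!/bin/bash
# Added example (not part of the SameKernel/Mempo scripts): publish and verify
# SHA-512 checksums for *.deb files so that two builders can compare their output.
# Assumed names (not from the page): the checksum list is SHA512SUMS and an
# optional detached PGP signature SHA512SUMS.asc sits next to it.

# Write a SHA512SUMS list for every *.deb in a build directory.
# Usage: publish_sums <dir-with-debs> <output-file>
publish_sums() {
    local dir="$1" out="$2"
    # hash with paths relative to the build dir, so another builder's list lines up
    ( cd "$dir" && sha512sum ./*.deb ) > "$out"
}

# Verify one downloaded .deb against a published SHA512SUMS.
# Usage: verify_deb <file.deb> <SHA512SUMS> [SHA512SUMS.asc]
# Returns 0 only if the signature (when given) is valid AND the hash matches,
# 2 if the file is not listed at all, 1 on a bad signature or a mismatch.
verify_deb() {
    local deb="$1" sums="$2" sig="${3:-}"
    if [ -n "$sig" ]; then
        # gpg only proves the list was signed by a key in your keyring; that key
        # still has to have been verified out of band (the real trust anchor)
        gpg --verify "$sig" "$sums" || { echo "BAD SIGNATURE on $sums" >&2; return 1; }
    fi
    local name expected actual
    name=$(basename "$deb")
    # sha512sum writes "hash  ./name", so match on the second field
    expected=$(awk -v f="./$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha512sum "$deb" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH: $name (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "OK: $name"
}
```

Run publish_sums on your own build directory and diff the result against the list the other builder published: a matching hash for the same *.deb means the two builds were bit-for-bit identical. Note that a missing entry (return 2) is a different failure from a wrong hash (return 1); only the latter indicates a corrupted or substituted package.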

FAQ and Bugs

This section collects solutions to common questions and problems:

BUG: error unknown option '-' to gzip

The cause of this error is unknown; we have seen it 3 times so far, please tell us on IRC if you see it too. Please help us debug it if you can, e.g. run strace -s 8192 -ff -o strace bash run.sh and look at how gzip is executed and whether it receives invalid arguments.

BUG: different headers sometimes?

The headers package includes some compiled programs, and those are not deterministic, e.g. they embed a BuildId (this applies to all compiled programs, not just kernels).

Wrong checksum on file (on linux kernel)

Probably the file was corrupted in the cached download on your hard drive, in ~/Downloads/linux... or in the kernel-sources/ directory where you build SameKernel. Delete the partially downloaded file and the script will re-download it. In rare cases it could mean a network download error, or an actual attack on you (DNS spoofing / network takeover, serving a malicious file instead); in that case back up the file and report it to people you trust / security researchers.

Wrong checksum on file (other file, included in SameKernel)

Files corrupted on disk, or a mistake in our script/sources listing. Contact us.

Wrong dpkg version

Do as the error message says.

Cannot run as root

Do as the error message says.

Wrong username

Do as the error message says.

Wrong directory

Do as the error message says.

Test

Tests - please test this script and report any problems to Mempo and on IRC #mempo; also add them here in the wiki under /Test

CategoryKernel