ReproducibleBuildsKernel
This page describes how to build the Debian kernel in a reproducible (verifiable, see [ReproducibleBuilds]) way, for security reasons.
As of now (2013-11) this work is:
- about the Linux kernel
- work in progress, describing the research on this topic
Steps:
- Step 1: configure the kernel build to create identical intermediate files (.o etc.)
- Step 2: configure the kernel build to create identical final files: .ko [solved] and image
- Step 3: configure the kernel build to create identical .deb packages
See the general instructions in [ReproducibleBuilds]; however, they mainly cover steps 2 and 3.
We are trying to create a script that does this deterministic build in a more automated way, with the following additions:
- verification of downloaded sources (checked against a list of expected source checksums hardcoded in the script; the PGP signature is also checked against a hardcoded public key of the kernel developers)
- applying the security patches of the [Mempo] subproject
- the grsecurity patch - [grsecurity.net]
- misc patches if needed (e.g. quick fixes regarding security)
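The source-verification step described above, written out as an added example (this is not the Mempo script itself): the expected checksum lives in the script rather than in a file fetched next to the tarball, and the detached signature is checked against a keyring holding only the hardcoded kernel developer key. The checksum value, the keyring path and the file names are constructed placeholders; the fact that kernel.org signs the uncompressed tar (so the .tar.xz is decompressed on the fly) is how kernel.org signatures work.

```shell
#!/bin/sh
# Added example, not the Mempo project's code: verify a downloaded kernel
# source tarball against a checksum hardcoded in this script and against the
# kernel developers' PGP signature before any build step runs.

# Hardcoded expected checksum (constructed placeholder: put the real sha256
# of the release you build here, obtained out-of-band).
EXPECTED_SHA256_LINUX_3_2_52="REPLACE_WITH_SHA256_OF_linux-3.2.52.tar.xz"

# Keyring that contains only the hardcoded kernel developer public key
# (assumed path; created once with: gpg --no-default-keyring --keyring FILE --import key.asc)
KERNEL_KEYRING="${KERNEL_KEYRING:-./kernel-dev-pubkey.gpg}"

# sha256_of FILE: print the hex sha256 digest of FILE.
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_checksum FILE EXPECTED: succeed only if the digest matches exactly.
verify_checksum() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "checksum OK: $1"
        return 0
    fi
    echo "CHECKSUM MISMATCH: $1 (expected $2, got $actual)" >&2
    return 1
}

# verify_signature TARBALL_XZ SIGNATURE KEYRING: kernel.org signs the
# uncompressed tar, so decompress on the fly and feed it to gpg on stdin.
# Using --no-default-keyring means a key that merely sits in the user's
# keyring cannot satisfy the check; only the hardcoded key can.
verify_signature() {
    xz -cd "$1" | gpg --no-default-keyring --keyring "$3" --verify "$2" -
}

# verify_source TARBALL_XZ SIGNATURE EXPECTED_SHA256: both checks must pass.
verify_source() {
    verify_checksum "$1" "$3" || return 1
    verify_signature "$1" "$2" "$KERNEL_KEYRING" || return 1
    echo "source verified: $1"
}

# Typical use from the build script (file names are placeholders):
#   verify_source linux-3.2.52.tar.xz linux-3.2.52.tar.sign "$EXPECTED_SHA256_LINUX_3_2_52" || exit 1
```

A mismatch aborts before anything is unpacked, so a tampered mirror or a truncated download never reaches the compiler; the build then starts from exactly the bytes that every other verifier also started from.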
This page should be usable for everyone in Debian, and the script we're writing will later be easy to run in pure-Debian mode too.
The script will be published on [https://github.com/mempo/deterministic-kernel]; please consider it absolute pre-alpha.
= Tests =
Here we paste research data.
== Test20131127 ==
- Authors: members of Mempo project
- Kernel version: 3.2.52
- Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
- Kernel extra patches: grsecurity patch
- Kernel was built: 2 times.
- Build tool: using mempo script.
- Computer: built on same computer each time.
- Directory: built in same directory path each time.
- Fakedate: yes, using faketime 2013-10-19 12:58:00
- Dpkg: not fixed (regular version from Debian 7)
- System: built on Debian 7.1 amd64, gcc version 4.7.2-1, linux kernel 3.2.46
- Build date: 2013-11-27
- Machine name: (t/wb)
- Results:
 - .o - all identical
 - .ko - all identical
 - vmlinuz - different
 - .deb - different
Disabling the grsecurity option CONFIG_PAX_LATENT_ENTROPY makes the checksums of the *.ko files deterministic: these files compiled twice have the same checksums. Now we are working
== Test20131029 ==
- Authors: members of Mempo project
- Kernel version: 3.2.51
- Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__
- Kernel extra patches: grsecurity patch
- Kernel was built: 2 times.
- Build tool: using mempo script.
- Computer: built on same computer each time.
- Directory: built in same directory path each time.
- Fakedate: yes, using faketime 2013-10-19 12:58:00
- Dpkg: not fixed (regular version from Debian 7)
- System: built on Debian 7.1 amd64, gcc version 4.7.2-1, linux kernel 3.2.46
- Build date: 2013-10-29
- Machine name: (t/wb)
- Results:
 - .o - all identical
 - .ko - some match, not all (22909 files are the same and 2539 are different) [SOLVED]
 - vmlinuz - different
 - .deb - different
List of checksums:
different files: 3.2.51-2013.10.29-compilation-difffiles.txt
same files: 3.2.51-2013.10.29-compilation-samefiles.txt
Example of different .ko files:
Example of differences in the disassembled .ko files:
We use the "objdump -d" command to disassemble.
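The comparison behind the "same files" / "different files" lists above, and the objdump-based look at a differing module, as an added example (not the Mempo script): it walks two build trees made from the same sources, records which files are byte-identical, and for a pair of differing .ko files counts how many disassembled instruction lines actually differ, which separates real code differences from differences confined to other sections. Directory names are whatever you pass in; the helper functions and output file names are this example's own.

```shell
#!/bin/sh
# Added example, not the Mempo project's code: compare two kernel build trees
# and list reproducible vs non-reproducible artefacts.

# compare_trees TREE_A TREE_B OUTDIR: walk TREE_A, compare each file with the
# same relative path in TREE_B, write samefiles.txt (with checksums, so the
# list can be published as evidence) and difffiles.txt into OUTDIR, and
# print "<same-count> <different-count>".
compare_trees() {
    a="$1"; b="$2"; out="$3"
    mkdir -p "$out"
    : > "$out/samefiles.txt"
    : > "$out/difffiles.txt"
    ( cd "$a" && find . -type f ) | sort | while IFS= read -r rel; do
        if [ ! -f "$b/$rel" ]; then
            # a file produced by only one build is itself a reproducibility failure
            printf '%s\tonly in first tree\n' "$rel" >> "$out/difffiles.txt"
        elif cmp -s "$a/$rel" "$b/$rel"; then
            printf '%s  %s\n' "$(sha256sum < "$a/$rel" | cut -d' ' -f1)" "$rel" >> "$out/samefiles.txt"
        else
            printf '%s\n' "$rel" >> "$out/difffiles.txt"
        fi
    done
    printf '%s %s\n' "$(wc -l < "$out/samefiles.txt" | tr -d ' ')" \
                     "$(wc -l < "$out/difffiles.txt" | tr -d ' ')"
}

# count_by_suffix LISTFILE SUFFIX: number of listed paths ending in SUFFIX,
# e.g. count_by_suffix difffiles.txt .ko  (literal match, not a regex).
count_by_suffix() {
    awk -v s="$2" 'length($0) >= length(s) && substr($0, length($0) - length(s) + 1) == s { n++ }
                   END { print n + 0 }' "$1"
}

# disasm_diff A.ko B.ko: disassemble both modules with objdump -d and print
# the number of differing lines. 0 means the instructions are identical and
# the byte difference lies elsewhere (timestamps, build ids, data sections).
disasm_diff() {
    da=$(mktemp); db=$(mktemp)
    # drop objdump's "file format" header, which carries the input file name
    objdump -d "$1" | grep -v 'file format' > "$da"
    objdump -d "$2" | grep -v 'file format' > "$db"
    n=$(diff "$da" "$db" | grep -c '^[<>]') || true
    rm -f "$da" "$db"
    echo "$n"
}

# Typical use after two builds in build1/ and build2/:
#   compare_trees build1 build2 results
#   echo ".ko files that differ: $(count_by_suffix results/difffiles.txt .ko)"
#   disasm_diff build1/drivers/foo.ko build2/drivers/foo.ko
```

Running compare_trees after each experiment (for example before and after turning off CONFIG_PAX_LATENT_ENTROPY) turns "some .ko files differ" into exact counts and file names, and disasm_diff tells you whether the remaining differences are in the code at all or only in metadata that a later step (fixed dpkg, fixed build id) has to deal with.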
We would like to invite you to work with us on this topic! Contact us at: #mempo at irc.freenode.org
Shouldn't this be discussed on #debian-kernel on OFTC?
You can help us! Build the kernel deterministically using our tools: https://github.com/Happuri/deterministic-kernel
It's very easy; just follow these instructions:
- Needed packages: apt-get install faketime git build-essential libncurses5-dev libncursesw5-dev kernel-package md5deep gcc-4.7-plugin-dev -y
- Download tools: git clone git@github.com:Happuri/deterministic-kernel.git
- Compile: ./run.sh
- Important: you must run the compilation every time in the same path (you can create a dedicated user for this), e.g. /home/kernel-builder/