ReproducibleBuildsKernel
This page describes how to build the Debian kernel in a reproducible (verifiable, see [ReproducibleBuilds]) way for security reasons.
As of now (2013-11) this work is:
- about the Linux kernel
- work in progress, documenting the research on this topic
Steps:
- Step 1: configure the kernel build to create identical intermediate files (.o etc.)
- Step 2: configure the kernel build to create identical final files (.ko and the kernel image)
- Step 3: configure the kernel build to create identical .deb packages
See the general instructions in [ReproducibleBuilds]; however, they mainly cover steps 2 and 3.
We are trying to create a script that performs this deterministic build in a somewhat more automated way, with the following additions:
- verification of the downloaded sources (checked against a list of expected source checksums hardcoded in the script; the PGP signature is also checked against the kernel developers' public key, which is hardcoded as well)
- apply security patches for the [Mempo] subproject
- grsecurity patch - [grsecurity.net]
- misc patches if needed (e.g. quick fixes regarding security)
This page should be usable by everyone in Debian, and the script we're writing will later also be easy to run in pure-Debian mode.
The script will be published at [https://github.com/mempo/deterministic-kernel]; please consider it absolutely pre-alpha.
Tests
Here we paste research data.
Test20131029
- Authors: members of Mempo project
- Kernel version: 3.2.51
- Kernel deterministic patches: custom patch to remove TIME and DATE
- Kernel extra patches: grsecurity patch
- Kernel was built: 2 times
- Build tool: using mempo script
- Computer: built on same computer each time
- Directory: built in same directory path each time
- Fakedate: yes, using fakedate
- Dpkg: not fixed (regular version from Debian 7)
- System: build on Debian 7.1 amd64, gcc version (???)
- Build date: 2013-10-29
- Machine name: (t/wb)
Results:
- .o: all identical
- .ko: some match, not all (how many?)
- vmlinuz: ???
- .deb: different
List of checksums: ...???...
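To turn the "some match, not all (how many?)" observation above into numbers, and to do the hardcoded-checksum source check the planned script describes, a small shell helper like the following can be used. It is an added example, not the Mempo deterministic-kernel script; it assumes both builds ran in the same directory layout so artifacts can be matched by relative path, and the build directory names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not the Mempo deterministic-kernel script itself.
# compare_builds: hash every artifact of one type (o, ko, deb ...) in two
# build trees of the same kernel and report how many are byte-identical.
# Assumes both builds used the same directory layout (the tests above build
# in the same path each time), so relative paths can be matched 1:1.
compare_builds() {
    dir_a=$1; dir_b=$2; ext=$3
    identical=0; different=0; missing=0
    list=$(mktemp)
    # Enumerate artifacts of the requested type in the first build tree.
    (cd "$dir_a" && find . -type f -name "*.$ext" | sort) > "$list"
    while IFS= read -r f; do
        if [ ! -f "$dir_b/$f" ]; then
            missing=$((missing + 1))
            echo "MISSING $f" >&2
            continue
        fi
        ha=$(sha256sum "$dir_a/$f" | cut -d' ' -f1)
        hb=$(sha256sum "$dir_b/$f" | cut -d' ' -f1)
        if [ "$ha" = "$hb" ]; then
            identical=$((identical + 1))
        else
            different=$((different + 1))
            # Name the non-reproducible artifact so it can be investigated.
            echo "DIFF $f $ha $hb" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$ext identical=$identical different=$different missing=$missing"
    # Succeed only when the whole class of artifacts is reproducible.
    if [ "$different" -eq 0 ] && [ "$missing" -eq 0 ]; then return 0; fi
    return 1
}

# verify_checksum FILE EXPECTED_SHA256: the source-verification step, with
# the expected value taken from a list hardcoded in the build script.
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Usage (build1/build2 are placeholder directories of two builds of the
# same kernel): check the intermediate objects first, then the modules.
# compare_builds build1 build2 o && compare_builds build1 build2 ko
```

Running it per artifact class mirrors the three steps above: the .o comparison must pass before differences in .ko or .deb files are worth investigating.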