
Bug#1029218: dkms should perform reproducible build of modules


Daniel Richard G.

Jan 19, 2023, 4:00:03 PM
Package: dkms
Version: 3.0.10-1
Severity: wishlist

If I install the same DKMS package on two identically-configured Debian
sid systems, the resulting kernel modules are not bit-for-bit identical.

The integrity of kernel modules is critical to a secure system, and
ensuring that their builds are reproducible will help make that quality
significantly easier to verify.


--Daniel


--
Daniel Richard G. || sk...@iSKUNK.ORG
My ASCII-art .sig got a bad case of Times New Roman.

Andreas Beckmann

Mar 31, 2023, 9:50:04 AM
Control: tag -1 moreinfo

On Thu, 19 Jan 2023 15:51:25 -0500 "Daniel Richard G."
<sk...@iSKUNK.ORG> wrote:
> If I install the same DKMS package on two identically-configured Debian
> sid systems, the resulting kernel modules are not bit-for-bit identical.

Do you have an example how the kernel modules differ? diffoscope might
help ...
Does this happen with all or only with certain dkms modules?

Is the build reproducible on the same host, e.g. does the sequence
    dkms build
    dkms unbuild
    dkms build
produce binary identical modules?


Andreas

Daniel Richard G.

Apr 2, 2023, 1:40:03 AM
Hi Andreas,

On Fri, 2023 Mar 31 09:22-04:00, Andreas Beckmann wrote:
>
> Do you have an example how the kernel modules differ? diffoscope might
> help ...
> Does this happen with all or only with certain dkms modules?

The only DKMS modules I am using currently are the ones associated with
virtualbox, so I can't offer a comparison. Here is the output from
diffoscope, however, for one of the modules:

$ diffoscope test-debian-sid-amd64-[12]/usr/lib/modules/6.1.0-7-amd64/updates/dkms
--- test-debian-sid-amd64-1/usr/lib/modules/6.1.0-7-amd64/updates/dkms
+++ test-debian-sid-amd64-2/usr/lib/modules/6.1.0-7-amd64/updates/dkms
│ --- test-debian-sid-amd64-1/usr/lib/modules/6.1.0-7-amd64/updates/dkms/vboxdrv.ko
├── +++ test-debian-sid-amd64-2/usr/lib/modules/6.1.0-7-amd64/updates/dkms/vboxdrv.ko
│┄ Format-specific differences are supported for ELF binaries but no file-specific differences were detected; falling back to a binary diff. file(1) reports: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=5ed23a6ee7417643717766d7b5307da88409fe5a, not stripped
│┄ File has been modified after NT_GNU_BUILD_ID has been applied.
│ @@ -55695,29 +55695,29 @@
│ 000d98e0: 0000 0000 0000 0000 3082 0199 0609 2a86 ........0.....*.
│ 000d98f0: 4886 f70d 0107 02a0 8201 8a30 8201 8602 H..........0....
│ 000d9900: 0101 310d 300b 0609 6086 4801 6503 0402 ..1.0...`.H.e...
│ 000d9910: 0130 0b06 092a 8648 86f7 0d01 0701 3182 .0...*.H......1.
│ 000d9920: 0163 3082 015f 0201 0130 3a30 2231 2030 .c0.._...0:0"1 0
│ 000d9930: 1e06 0355 0403 0c17 444b 4d53 206d 6f64 ...U....DKMS mod
│ 000d9940: 756c 6520 7369 676e 696e 6720 6b65 7902 ule signing key.
│ -000d9950: 1420 b794 fc24 18fe 9e24 595e b7f3 026d . ...$...$Y^...m
│ -000d9960: 4469 13b4 5230 0b06 0960 8648 0165 0304 Di..R0...`.H.e..
│ +000d9950: 1412 4e86 5c0c d923 77b1 7c57 6b90 8c67 ..N.\..#w.|Wk..g
│ +000d9960: 9f64 a4e0 9930 0b06 0960 8648 0165 0304 .d...0...`.H.e..
│ 000d9970: 0201 300d 0609 2a86 4886 f70d 0101 0105 ..0...*.H.......
│ -000d9980: 0004 8201 0057 6678 aee0 2003 cfc3 6f00 .....Wfx.. ...o.
│ -000d9990: 29d9 f1ee 301a 35a9 2fb4 d127 ef5f db28 )...0.5./..'._.(
│ -000d99a0: 6902 15cf 725d 04c4 69c6 58e2 e1e8 2643 i...r]..i.X...&C
│ -000d99b0: 592b 91bd 9fcd 2966 8460 4797 9069 a5cd Y+....)f.`G..i..
│ -000d99c0: bba6 3cf4 9e0b 1c7f 9277 121e ed08 156d ..<......w.....m
│ -000d99d0: c180 4ca4 d84f 6884 ecdd 5fe9 0939 b681 ..L..Oh..._..9..
│ -000d99e0: 2b6f 3e32 d63e 4231 2b2e 1a96 5732 0ad7 +o>2.>B1+...W2..
│ -000d99f0: cb62 7a5b 4bf6 491a c197 0833 d61a 7bd4 .bz[K.I....3..{.
│ -000d9a00: 59f3 7c2b c834 ad42 fc19 f4c3 6de9 c20b Y.|+.4.B....m...
│ -000d9a10: 54d1 78de 9034 ba24 da45 9346 74ba efb7 T.x..4.$.E.Ft...
│ -000d9a20: 4e67 4743 ee19 dd06 8722 d8cd 3c99 ad27 NgGC....."..<..'
│ -000d9a30: ca63 067b 1310 5c52 3f76 f860 b625 6a54 .c.{..\R?v.`.%jT
│ -000d9a40: a40a 3142 c889 b921 e19b 4b92 9725 248e ..1B...!..K..%$.
│ -000d9a50: ec81 7aad 86d4 28d6 e832 3f0d d09d 3ee0 ..z...(..2?...>.
│ -000d9a60: c88d dbce 32ac 7d6d 8047 5c39 ab3f 9289 ....2.}m.G\9.?..
│ -000d9a70: 424c bb85 293c 4cbf 2ca6 7006 a0d5 2b7f BL..)<L.,.p...+.
│ -000d9a80: ae05 4760 fb00 0002 0000 0000 0000 0001 ..G`............
│ +000d9980: 0004 8201 0063 6217 3b4b 51c1 25c4 49e5 .....cb.;KQ.%.I.
│ +000d9990: c3d8 0800 2a72 f0b1 c213 b8c1 1a22 c6d4 ....*r......."..
│ +000d99a0: 7ce3 9cf9 8db6 543a 7251 1f52 ae92 bf3c |.....T:rQ.R...<
│ +000d99b0: 303c bf29 e79a b704 0892 c410 cca3 ee42 0<.)...........B
│ +000d99c0: cd3c dee6 2776 1915 b829 c0c6 5e62 40ea .<..'v...)..^b@.
│ +000d99d0: 3481 78bb b076 c757 58b7 03a4 6abf cef3 4.x..v.WX...j...
│ +000d99e0: 4d9b 5cdf 5b5b e1e5 8629 6600 b914 3701 M.\.[[...)f...7.
│ +000d99f0: a451 7b57 8dc7 136c ddb7 b5b9 6f23 27db .Q{W...l....o#'.
│ +000d9a00: de4f 46a3 11b3 d80b 11f3 d3cc 3420 e1c6 .OF.........4 ..
│ +000d9a10: 2d00 1109 b58b 0ff0 10c7 c7ae 12a9 32be -.............2.
│ +000d9a20: c5c0 7768 8c47 ad30 e1f4 07f9 0189 574e ..wh.G.0......WN
│ +000d9a30: 27f1 e3ef b4f5 8ae4 3d16 787d 7ed9 08e4 '.......=.x}~...
│ +000d9a40: 9339 993e af12 f90e 28c0 b42b b043 6b8c .9.>....(..+.Ck.
│ +000d9a50: 9e80 c7ac 8e83 7b8b de36 6624 67fe 7a40 ......{..6f$g.z@
│ +000d9a60: 77cf bf6d 6220 2cb6 e42a 7dff eceb 3102 w..mb ,..*}...1.
│ +000d9a70: 7265 3b0b 28d3 f8c6 53af 6b09 57e5 e42e re;.(...S.k.W...
│ +000d9a80: 7beb 1fec 4600 0002 0000 0000 0000 0001 {...F...........
│ 000d9a90: 9d7e 4d6f 6475 6c65 2073 6967 6e61 7475 .~Module signatu
│ 000d9aa0: 7265 2061 7070 656e 6465 647e 0a re appended~.

Is a unique signature being added to the modules? I noticed that
/var/lib/dkms/mok.{key,pub} differ between the two systems.

(No secure-boot configuration has been performed on these systems;
everything was debootstrap'ed and installed from scratch in chroots)

> Is the build reproducible on the same host, e.g. does the sequence
>     dkms build
>     dkms unbuild
>     dkms build
> produce binary identical modules?

I had to do "dkms install ..." / "dkms unbuild ...", but yes, the
resulting modules are identical.

Andreas Beckmann

Apr 4, 2023, 12:10:05 PM
Thanks for checking further.

On 02/04/2023 07.31, Daniel Richard G. wrote:
> │┄ Format-specific differences are supported for ELF binaries but no file-specific differences were detected; falling back to a binary diff. file(1) reports: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=5ed23a6ee7417643717766d7b5307da88409fe5a, not stripped
> │┄ File has been modified after NT_GNU_BUILD_ID has been applied.

We should probably file a bug against diffoscope to make it aware of
this file "modification".

> │ @@ -55695,29 +55695,29 @@
> │ 000d98e0: 0000 0000 0000 0000 3082 0199 0609 2a86 ........0.....*.
> │ 000d98f0: 4886 f70d 0107 02a0 8201 8a30 8201 8602 H..........0....
> │ 000d9900: 0101 310d 300b 0609 6086 4801 6503 0402 ..1.0...`.H.e...
> │ 000d9910: 0130 0b06 092a 8648 86f7 0d01 0701 3182 .0...*.H......1.
> │ 000d9920: 0163 3082 015f 0201 0130 3a30 2231 2030 .c0.._...0:0"1 0
> │ 000d9930: 1e06 0355 0403 0c17 444b 4d53 206d 6f64 ...U....DKMS mod
> │ 000d9940: 756c 6520 7369 676e 696e 6720 6b65 7902 ule signing key.
...
> │ 000d9a90: 9d7e 4d6f 6475 6c65 2073 6967 6e61 7475 .~Module signatu
> │ 000d9aa0: 7265 2061 7070 656e 6465 647e 0a re appended~.
>
> Is a unique signature being added to the modules? I noticed that
> /var/lib/dkms/mok.{key,pub} differ between the two systems.

That's probably the reason. Not sure if something could/should be done
about that difference. We should probably take this to the reproducible
builds people https://wiki.debian.org/ReproducibleBuilds ...

> (No secure-boot configuration has been performed on these systems;
> everything was debootstrap'ed and installed from scratch in chroots)


Andreas
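
Added example (not part of the thread, and not dkms or diffoscope code): the differing bytes in the diffoscope output all sit between the start of the PKCS#7 blob and the "~Module signature appended~" trailer, so one way to check reproducibility independently of each host's MOK key is to strip the appended signature and hash what remains. The sketch assumes the kernel's 12-byte module_signature trailer layout; the function names and the sample byte strings are constructed for illustration.

```python
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"  # trailer visible in the hexdump above
PKEY_ID_PKCS7 = 2                          # id_type for PKCS#7 module signatures
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")


def split_signed_module(data: bytes):
    """Return (payload, signature); signature is b"" for an unsigned module."""
    if not data.endswith(MAGIC):
        return data, b""
    end = len(data) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated module_signature trailer")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        data[end - TRAILER.size:end])
    end -= TRAILER.size
    total = sig_len + signer_len + key_id_len
    if id_type != PKEY_ID_PKCS7 or total > end:
        raise ValueError("unexpected or corrupt signature trailer")
    return data[:end - total], data[end - total:end]


def payload_sha256(data: bytes) -> str:
    """SHA-256 of the module with any appended signature removed."""
    return hashlib.sha256(split_signed_module(data)[0]).hexdigest()


def same_build(a: bytes, b: bytes) -> bool:
    """True when two modules are identical once the signature is stripped."""
    return payload_sha256(a) == payload_sha256(b)


def _fake_sign(payload: bytes, sig: bytes) -> bytes:
    # Constructed helper: appends an arbitrary blob in the kernel's layout.
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


# Constructed sample data standing in for vboxdrv.ko from the two hosts.
PAYLOAD = b"\x7fELF" + b"\x00" * 60 + b"module code"
HOST1 = _fake_sign(PAYLOAD, b"signature-from-host-1-mok-key")
HOST2 = _fake_sign(PAYLOAD, b"signature-from-host-2-mok-key!!")

if __name__ == "__main__":
    print("raw files equal:      ", HOST1 == HOST2)
    print("unsigned builds equal:", same_build(HOST1, HOST2))
```

On real files, read both copies of the module as bytes and pass them to same_build(); a False result then points at a build difference rather than a key difference.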