[PATCH v4 00/17] module: Introduce hash-based integrity checking
Eric Biggers
ebiggers at kernel.org
Sun Feb 1 20:12:18 UTC 2026
On Sun, Feb 01, 2026 at 05:09:48PM +0000, David Howells wrote:
> Mihai-Drosi Câju <mcaju95 at gmail.com> wrote:
>
> > > The current signature-based module integrity checking has some drawbacks
> > in combination with reproducible builds. Either the module signing key
> > is generated at build time, which makes the build unreproducible, or a
> > static signing key is used, which precludes rebuilds by third parties
> > and makes the whole build and packaging process much more complicated.
>
> There is another issue too: If you have a static private key that you use to
> sign modules (and probably other things), someone will likely give you a GPL
> request to get it.
>
> One advantage of using a transient key every build and deleting it after is
> that no one has the key.
>
> One other thing to remember: security is *meant* to get in the way. That's
> the whole point of it.
>
> However, IANAL.
>
> David
It sounds like hash-based module authentication is just better, then.
If the full set of authentic modules is known at kernel build time, then
signatures are unnecessary to verify their authenticity: a list of
hashes built into the kernel image is perfectly sufficient.
(This patchset actually gets a little fancy and makes it a Merkle tree
root. But it could be simplified to just a list of hashes.)
With that being the case, why is there still effort being put into
adding more features to module signing? I would think efforts should be
focused on hash-based module authentication, i.e. this patchset.
- Eric
More information about the Linux-security-module-archive
mailing list