[PATCH v5 00/14] module: Introduce hash-based integrity checking
Thomas Weißschuh
linux at weissschuh.net
Tue May 5 09:05:04 UTC 2026
The current signature-based module integrity checking has some drawbacks
in combination with reproducible builds. Either the module signing key
is generated at build time, which makes the build unreproducible, or a
static signing key is used, which precludes rebuilds by third parties
and makes the whole build and packaging process much more complicated.

The goal is to reach bit-for-bit reproducibility. Excluding certain
parts of the build output from the reproducibility analysis would be
error-prone and force each downstream consumer to introduce new tooling.

Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a merkle tree root of all modules built as part of the full
kernel build into vmlinux.

Interest has been proclaimed by Arch Linux, Debian, Proxmox, SUSE, NixOS
and the general reproducible builds community.

Compatibility with IMA modsig is not provided yet. It is still unclear
to me if it should be hooked up transparently without any changes to the
policy or it should require new policy options.

BPF/BTF folks, please take a look at patch 1.

Further improvements:
* Use MODULE_SIG_HASH for configuration
* UAPI for discovery?

To: Nathan Chancellor <nathan at kernel.org>
To: Nicolas Schier <nsc at kernel.org>
To: Arnd Bergmann <arnd at arndb.de>
To: Luis Chamberlain <mcgrof at kernel.org>
To: Petr Pavlu <petr.pavlu at suse.com>
To: Sami Tolvanen <samitolvanen at google.com>
To: Daniel Gomez <da.gomez at samsung.com>
To: Paul Moore <paul at paul-moore.com>
To: James Morris <jmorris at namei.org>
To: Serge E. Hallyn <serge at hallyn.com>
To: Jonathan Corbet <corbet at lwn.net>
To: Madhavan Srinivasan <maddy at linux.ibm.com>
To: Michael Ellerman <mpe at ellerman.id.au>
To: Nicholas Piggin <npiggin at gmail.com>
To: Christophe Leroy <christophe.leroy at csgroup.eu>
To: Naveen N Rao <naveen at kernel.org>
To: Mimi Zohar <zohar at linux.ibm.com>
To: Roberto Sassu <roberto.sassu at huawei.com>
To: Dmitry Kasatkin <dmitry.kasatkin at gmail.com>
To: Eric Snowberg <eric.snowberg at oracle.com>
To: Nicolas Schier <nicolas.schier at linux.dev>
To: Daniel Gomez <da.gomez at kernel.org>
To: Aaron Tomlin <atomlin at atomlin.com>
To: Christophe Leroy (CS GROUP) <chleroy at kernel.org>
To: Nicolas Schier <nsc at kernel.org>
To: Nicolas Bouchinet <nicolas.bouchinet at oss.cyber.gouv.fr>
To: Xiu Jianfeng <xiujianfeng at huawei.com>
Cc: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Cc: Arnout Engelen <arnout at bzzt.net>
Cc: Mattia Rizzolo <mattia at mapreri.org>
Cc: kpcyrd <kpcyrd at archlinux.org>
Cc: Christian Heusel <christian at heusel.eu>
Cc: Câju Mihai-Drosi <mcaju95 at gmail.com>
Cc: Eric Biggers <ebiggers at kernel.org>
Cc: Sebastian Andrzej Siewior <bigeasy at linutronix.de>
Cc: linux-kbuild at vger.kernel.org
Cc: linux-kernel at vger.kernel.org
Cc: linux-arch at vger.kernel.org
Cc: linux-modules at vger.kernel.org
Cc: linux-security-module at vger.kernel.org
Cc: linux-doc at vger.kernel.org
Cc: linuxppc-dev at lists.ozlabs.org
Cc: linux-integrity at vger.kernel.org
Cc: debian-kernel at lists.debian.org
Signed-off-by: Thomas Weißschuh <linux at weissschuh.net>
---
Changes in v5:
- Document tree layout.
- Make scripts/module-merkle-tree more robust.
- Remove all changes to link-vmlinux.sh, use vmlinux.unstripped instead.
- Clean up types and logic in modules-merkle-tree.c.
- Use "auth" over "integrity" naming scheme.
- Reduce the changes to the existing authentication flow.
- Explicitly send the series to BTF folks for review of BTF changes.
- Link to v4: https://patch.msgid.link/20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net
Changes in v4:
- Use a Merkle tree over a linear list of hashes.
- Provide compatibility with INSTALL_MOD_STRIP
- Rework commit messages.
- Use vmlinux.unstripped over plain "vmlinux".
- Link to v3: https://lore.kernel.org/r/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net
Changes in v3:
- Rebase on v6.15-rc1
- Use openssl to calculate hash
- Avoid warning if no modules are built
- Simplify module_integrity_check() a bit
- Make incompatibility with INSTALL_MOD_STRIP explicit
- Update docs
- Add IMA cleanups
- Link to v2: https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net
Changes in v2:
- Drop RFC state
- Mention interested parties in cover letter
- Expand Kconfig description
- Add compatibility with CONFIG_MODULE_SIG
- Parallelize module-hashes.sh
- Update Documentation/kbuild/reproducible-builds.rst
- Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
---
Thomas Weißschuh (14):
kbuild: generate module BTF based on vmlinux.unstripped
lockdown: Make the relationship to MODULE_SIG a dependency
kbuild: rename the strip_relocs command
module: Drop pointless debugging message
module: Make mod_verify_sig() static
module: Switch load_info::len to size_t
module: Make module authentication usable without MODULE_SIG
module: Move authentication logic into dedicated new file
module: Move signature type check out of mod_check_sig()
module: Prepare for additional module authentication mechanisms
module: update timestamp of modules.order after modules are built
module: Introduce hash-based integrity checking
kbuild: move handling of module stripping to Makefile.lib
kbuild: make CONFIG_MODULE_HASHES compatible with module stripping
.gitignore | 2 +
Documentation/kbuild/reproducible-builds.rst | 5 +-
Makefile | 7 +-
crypto/algapi.c | 4 +-
include/asm-generic/vmlinux.lds.h | 11 +
include/linux/module.h | 18 +-
include/linux/module_hashes.h | 29 ++
include/uapi/linux/module_signature.h | 1 +
kernel/module/Kconfig | 29 +-
kernel/module/Makefile | 2 +
kernel/module/auth.c | 139 +++++++++
kernel/module/hashes.c | 95 ++++++
kernel/module/hashes_root.c | 6 +
kernel/module/internal.h | 18 +-
kernel/module/main.c | 16 +-
kernel/module/signing.c | 113 +-------
kernel/module_signature.c | 8 +-
scripts/.gitignore | 1 +
scripts/Makefile | 4 +
scripts/Makefile.lib | 32 +++
scripts/Makefile.modfinal | 28 +-
scripts/Makefile.modinst | 44 +--
scripts/Makefile.vmlinux | 40 ++-
scripts/include/xalloc.h | 29 ++
scripts/link-vmlinux.sh | 3 +-
scripts/modules-merkle-tree.c | 416 +++++++++++++++++++++++++++
security/integrity/ima/ima_modsig.c | 5 +
security/lockdown/Kconfig | 2 +-
tools/include/uapi/linux/module_signature.h | 1 +
29 files changed, 919 insertions(+), 189 deletions(-)
---
base-commit: 585c2e775b12ef45bdf9cef5f679dcb1220e0d65
change-id: 20241225-module-hashes-7a50a7cc2a30
Best regards,
--
Thomas Weißschuh <linux at weissschuh.net>
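
The mechanism described in the cover letter (a Merkle tree root over all built modules, embedded in vmlinux), sketched as an added example that is not code from this patch series. The tree layout here is an assumption (SHA-256, leaves sorted by module name, 0x00/0x01 domain-separation prefixes, odd node promoted unchanged), and all function names and the sample module bytes are hypothetical.

```python
import hashlib

# Assumed layout, not the series' own: SHA-256, leaves sorted by module name,
# 0x00/0x01 domain-separation prefixes, odd node promoted unchanged.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Return every tree level, leaves first, root level last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is carried up as-is
        levels.append(nxt)
    return levels

def make_proof(levels, index):
    """Sibling hashes from leaf to root; each entry is (sibling_is_left, hash)."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((sibling < index, level[sibling]))
        index //= 2
    return proof

def verify_module(data, proof, trusted_root):
    """Load-time check: recompute the root from the module bytes and its proof."""
    h = leaf_hash(data)
    for sibling_is_left, sibling in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == trusted_root

# Constructed sample "modules" (placeholder bytes, not real .ko files).
MODULES = {"a.ko": b"module-a", "b.ko": b"module-b", "c.ko": b"module-c"}
NAMES = sorted(MODULES)
LEVELS = build_levels([leaf_hash(MODULES[n]) for n in NAMES])
ROOT = LEVELS[-1][0]  # the value that would be embedded in vmlinux
PROOFS = {n: make_proof(LEVELS, i) for i, n in enumerate(NAMES)}
```

No key material is involved: the root depends only on the module bytes, so an independent rebuild of identical modules yields an identical root.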