grub-devel

Re: Deterministic grub-mkimage


From: Jonathan McCune
Subject: Re: Deterministic grub-mkimage
Date: Sun, 28 Dec 2014 22:29:50 -0800

On Sun, Dec 28, 2014 at 3:24 AM, Andrew Clausen <address@hidden> wrote:
> Hi all,
>
> Deterministic software builds are helpful for spotting and preventing
> malicious modifications such as inserting back-doors.

Agree.

> At the moment, grub builds are mostly deterministic.  However,
> grub-mkimage does not deterministically build EFI binaries.  This is
> because the PE/COFF headers include timestamps.  This is a widespread
> problem in the Windows world -- see for example a discussion of
> deterministically building TrueCrypt. [1]
>
> One solution would be to:
>  * build deterministically by default by using a constant timestamp, and

I think doing this by default would be a poor choice, as most of the time during development it is very useful to easily identify which version / build / experiment / etc. is in use.

>  * add a --with-timestamps option (disabled by default), which would
> enable honest timestamps.
>
> What do you think?  Are you accepting patches?

The availability of a flag to explicitly set a specific timestamp for the purpose of reproducing a build seems sane to me. I don't think I would enable it by default.

/$0.02
-Jon

> Cheers,
> Andrew
>
> [1] https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
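An added example (not code from grub or from either poster) showing the field the thread is about: it locates the COFF TimeDateStamp in a PE/COFF image such as a grub-mkimage EFI binary, rewrites it to a fixed value, and compares two images with only the timestamp neutralized, so any remaining difference is something other than the build time. The sample image builder and FIXED_TIMESTAMP are assumptions made for the example.

```python
"""Locate, rewrite and compare the COFF TimeDateStamp in PE/COFF (EFI) images."""
import hashlib
import struct

PE_SIGNATURE = b"PE\0\0"
# Assumed fixed value; a real build would take it from SOURCE_DATE_EPOCH
# or a --with-timestamps style option rather than hard-coding it.
FIXED_TIMESTAMP = 0


def coff_header_offset(image: bytes) -> int:
    """Return the offset of the COFF file header (just past the 'PE\\0\\0' signature)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # DOS header e_lfanew
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew + 4


def get_timestamp(image: bytes) -> int:
    """TimeDateStamp is the third COFF field, after Machine and NumberOfSections."""
    (ts,) = struct.unpack_from("<I", image, coff_header_offset(image) + 4)
    return ts


def normalize_timestamp(image: bytes, fixed: int = FIXED_TIMESTAMP) -> bytes:
    """Return a copy of the image with TimeDateStamp overwritten by `fixed`."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, coff_header_offset(image) + 4, fixed)
    return bytes(buf)


def builds_match(a: bytes, b: bytes) -> bool:
    """True if two images are byte-identical once the timestamp is neutralized."""
    digest_a = hashlib.sha256(normalize_timestamp(a)).digest()
    digest_b = hashlib.sha256(normalize_timestamp(b)).digest()
    return digest_a == digest_b


def make_sample_image(timestamp: int, payload: bytes = b"\x90" * 16) -> bytes:
    """Constructed minimal PE-like blob: DOS stub, PE signature, COFF header, payload."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86-64, 1 section, TimeDateStamp, then the remaining COFF fields zeroed.
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return dos_header + PE_SIGNATURE + coff_header + payload
```

Run builds_match on two real grub-mkimage outputs from the same source tree: a mismatch after normalization means the build is non-deterministic for a reason beyond the header timestamp.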

_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel

