grub-devel

[RFD] match kernel and modules at run time


From: Andrei Borzenkov
Subject: [RFD] match kernel and modules at run time
Date: Sat, 29 Oct 2016 09:54:24 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

Distributions usually use some distro-specific means to record the
bootloader location for future updates (like debconf,
/etc/default/grub_installdevice or similar). Unfortunately those means
are not widely known, but it is very easy to hit an Internet post that
recommends "grub-install /dev/sda" as the ultimate grub repair tool.

The problem is that this will work ... until the next grub update. Then -
depending on the bootloader location recorded in the distro configuration
database - the core.img used for booting starts to diverge from the modules
in /boot/grub. With unpredictable effects.

The last confirmed example is here:

https://forums.opensuse.org/showthread.php/520709-Opensuse-13-2-Howto-set-password-for-single-user-mode-in-grub2?p=2797852#post2797852

Does anyone think this is a problem (I obviously do)?

I see several possible steps to mitigate it.

1. Define grub install locations in /etc/default/grub and have
grub-install use them. This way distributions can converge on using it,
which makes grub-install safer.

Cons - users will still hit Internet articles that recommend explicit
device names years from now.

2. Use some form of checksum and verify it during module load. Similar
to what the Linux kernel does.

Pros - guarantees that a module built for a different kernel will fail to
load, making it obvious instead of crashing in an unpredictable way later.

Cons - likely increases core size; and the platform most susceptible to
this issue is also the one most sensitive to core size.

3. Variant of 3 - generate a single random number on every build.

Cons - reproducible builds; will block module loading even if they are
binary compatible.
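
The load-time checks proposed in the message above, as an added example that is not part of the original post and not GRUB code: it compares an interface checksum with a per-build random number when a stale core.img meets modules from a later build. The tag layout, the "name/arity" symbol strings, the FNV-1a hash and the nonce values are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tag stored in core.img and in each module; not GRUB's format. */
struct build_tag {
    uint32_t abi_sum;      /* checksum of the interface that modules rely on */
    uint32_t build_nonce;  /* random number chosen once per build */
};
enum policy { MATCH_ABI_SUM, MATCH_BUILD_NONCE };

/* FNV-1a (32-bit) over "name/arity" strings standing in for exported symbols. */
uint32_t abi_checksum(const char *const *syms, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        for (const char *p = syms[i]; *p; p++)
            h = (h ^ (unsigned char)*p) * 16777619u;
        h = (h ^ '\n') * 16777619u;   /* separator so symbol boundaries count */
    }
    return h;
}

/* Load-time check: 1 if the module may be loaded into this core, else 0. */
int module_allowed(const struct build_tag *core, const struct build_tag *mod,
                   enum policy p) {
    return p == MATCH_ABI_SUM ? core->abi_sum == mod->abi_sum
                              : core->build_nonce == mod->build_nonce;
}

/* Constructed sample data: two ABI revisions differing in one symbol's arity. */
static const char *const abi_v1[] = { "grub_malloc/1", "grub_disk_read/5" };
static const char *const abi_v2[] = { "grub_malloc/1", "grub_disk_read/6" };

/* A stale core.img (ABI v1, nonce 0x1111) meets a module from a later build. */
int stale_core_accepts(const char *const *mod_abi, uint32_t mod_nonce, enum policy p) {
    struct build_tag core = { abi_checksum(abi_v1, 2), 0x1111u };
    struct build_tag mod  = { abi_checksum(mod_abi, 2), mod_nonce };
    return module_allowed(&core, &mod, p);
}

int main(void) {
    for (int p = MATCH_ABI_SUM; p <= MATCH_BUILD_NONCE; p++)
        printf("policy %d: same-ABI rebuild=%d changed ABI=%d\n", p,
               stale_core_accepts(abi_v1, 0x2222u, (enum policy)p),
               stale_core_accepts(abi_v2, 0x3333u, (enum policy)p));
    return 0;
}
```

Both policies reject the module whose interface changed; only the per-build number also rejects the rebuilt module with an unchanged interface, which is the "binary compatible" drawback noted in the message.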



