grub-devel

Deterministic grub-mkimage


From: Andrew Clausen
Subject: Deterministic grub-mkimage
Date: Sun, 28 Dec 2014 11:24:37 +0000

Hi all,

Deterministic software builds are helpful for spotting and preventing
malicious modifications such as inserting back-doors.

At the moment, grub builds are mostly deterministic.  However,
grub-mkimage does not deterministically build EFI binaries.  This is
because the PE/COFF headers include timestamps.  This is a widespread
problem in the Windows world -- see for example a discussion of
deterministically building TrueCrypt. [1]

One solution would be to:
 * build deterministically by default by using a constant timestamp, and
 * add a --with-timestamps option (disabled by default), which would
enable honest timestamps.

What do you think?  Are you accepting patches?

Cheers,
Andrew

[1] https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
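
The timestamp problem described in the message above, as an added example that is not part of the original post or of GRUB's code: it locates the TimeDateStamp field of the PE/COFF file header and compares two builds with that field ignored, so a timestamp-only difference can be told apart from a real one. The function names and the sample images are constructed for illustration.

```python
import struct

PE_OFFSET_FIELD = 0x3C  # e_lfanew: file offset of the "PE\0\0" signature
TIMESTAMP_REL = 8       # signature (4) + Machine (2) + NumberOfSections (2)


def coff_timestamp_offset(image: bytes) -> int:
    """Return the file offset of the COFF header's TimeDateStamp field."""
    if len(image) < PE_OFFSET_FIELD + 4 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, PE_OFFSET_FIELD)
    if image[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 12 > len(image):
        raise ValueError("missing or truncated PE/COFF header")
    return pe_off + TIMESTAMP_REL


def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, coff_timestamp_offset(image))[0]


def equal_ignoring_timestamp(a: bytes, b: bytes) -> bool:
    """True when two builds match byte for byte outside TimeDateStamp."""
    off = coff_timestamp_offset(a)
    if len(a) != len(b) or off != coff_timestamp_offset(b):
        return False
    return a[:off] == b[:off] and a[off + 4:] == b[off + 4:]


def make_sample_image(timestamp: int, payload: bytes = b"core") -> bytes:
    """Constructed MZ stub + 20-byte COFF header; not a bootable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_OFFSET_FIELD, len(dos))
    # Machine (x86-64), NumberOfSections, TimeDateStamp, then zeroed fields
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    first = make_sample_image(1419765877)    # constructed build times
    second = make_sample_image(1419769999)
    patched = make_sample_image(1419769999, b"c0re")
    print(first == second)                              # raw compare
    print(equal_ignoring_timestamp(first, second))      # timestamp masked
    print(equal_ignoring_timestamp(first, patched))     # real difference
```

Only the COFF file header field is masked here; any other build-dependent bytes in an image would still show up as a difference.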


