On 2016-03-02 08:43, Dato Simó wrote:
While sill a long way Reproducible builds might pose a problem for a
Grsec
kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y' because this
feature
randomizes kernel symbols and structures during compilation and is not
meant
to be the same. For a publicly distributed kernel binary this feature
does
not provide any protection anyhow because these addresses are already
known.
This feature will need to be disabled for full compatibility with
reproducible build systems.
Just FYI, the @grsecurity account tweeted the following today:
Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
actually compatible with reproducible builds, just need to
keep randomize_layout_seed.h.
https://twitter.com/grsecurity/status/704869584218685440
No idea how relevant this is for reproducible builds in Debian. Just
relaying it.
Ciao,
-d
Spender's solution is better than completely disabling randkstruct
because it forces adversaries to maintain exploit versions against every
kernel version released - forcing them to expend more resources.