Deterministic grub-mkimage
From: Andrew Clausen
Subject: Deterministic grub-mkimage
Date: Sun, 28 Dec 2014 11:24:37 +0000

Hi all,

Deterministic software builds are helpful for spotting and preventing
malicious modifications such as inserting back-doors.

At the moment, grub builds are mostly deterministic. However,
grub-mkimage does not deterministically build EFI binaries. This is
because the PE/COFF headers include timestamps. This is a widespread
problem in the Windows world -- see for example a discussion of
deterministically building TrueCrypt. [1]

One solution would be to:

* build deterministically by default by using a constant timestamp, and
* add a --with-timestamps option (disabled by default), which would
  enable honest timestamps.

What do you think? Are you accepting patches?

Cheers,
Andrew

[1] https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
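Added example, not part of the original message and not GRUB code: a Python check that locates the TimeDateStamp field of the COFF file header in a PE image and tests whether two builds are identical once that field is set to a constant. The helper names and the sample images are constructed for illustration, and only the file-header timestamp is handled.

```python
import struct

PE_SIGNATURE = b"PE\0\0"

def timestamp_offset(image: bytes) -> int:
    """File offset of TimeDateStamp in the COFF file header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # After the signature: Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4)
    offset = e_lfanew + 4 + 4
    if offset + 4 > len(image):
        raise ValueError("truncated COFF header")
    return offset

def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]

def with_timestamp(image: bytes, value: int = 0) -> bytes:
    """Copy of the image with the header timestamp replaced by a constant."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, timestamp_offset(image), value)
    return bytes(patched)

def differs_only_by_timestamp(a: bytes, b: bytes) -> bool:
    """True when two builds differ but match once the timestamp is fixed."""
    return a != b and with_timestamp(a) == with_timestamp(b)

def make_sample(timestamp: int, payload: bytes = b"constructed payload") -> bytes:
    """Constructed minimal image: DOS stub, PE signature, 20-byte COFF header."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return dos + PE_SIGNATURE + coff + payload

if __name__ == "__main__":
    # Two constructed "builds" of the same payload made at different times.
    first, second = make_sample(1419765877), make_sample(1419766000)
    print(read_timestamp(first), read_timestamp(second))
    print(differs_only_by_timestamp(first, second))
```

A result of False for two builds of the same source means something other than the header timestamp differs and needs to be explained before the builds can be treated as equivalent.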