From: Jonathan McCune
Subject: Re: Deterministic grub-mkimage
Date: Sun, 28 Dec 2014 22:29:50 -0800

Hi all,

Deterministic software builds are helpful for spotting and preventing
malicious modifications such as inserting back-doors.

At the moment, grub builds are mostly deterministic. However,
grub-mkimage does not deterministically build EFI binaries. This is
because the PE/COFF headers include timestamps. This is a widespread
problem in the Windows world -- see for example a discussion of
deterministically building TrueCrypt. [1]

One solution would be to:

* build deterministically by default by using a constant timestamp, and
* add a --with-timestamps option (disabled by default), which would
  enable honest timestamps.

What do you think? Are you accepting patches?

Cheers,
Andrew

[1] https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
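
Added example, not part of the original message and not GRUB code: a Python sketch of the constant-timestamp idea, which locates the TimeDateStamp field of the COFF file header in a PE image and overwrites it so that two otherwise identical builds compare equal. The image produced by make_sample_image is constructed for the demonstration, and all function names are hypothetical.

```python
import hashlib
import struct

PE_SIG = b"PE\0\0"

def timestamp_offset(image: bytes) -> int:
    """File offset of the COFF TimeDateStamp field; rejects non-PE input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature or COFF header missing")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the field.
    return e_lfanew + 8

def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]

def normalize(image: bytes, constant: int = 0) -> bytes:
    """Return a copy with TimeDateStamp replaced by a constant value."""
    out = bytearray(image)
    struct.pack_into("<I", out, timestamp_offset(image), constant)
    return bytes(out)

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def make_sample_image(build_time: int) -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header, payload."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, build_time, 0, 0, 0, 0x0002)
    return dos + PE_SIG + coff + b"constructed payload"

if __name__ == "__main__":
    a, b = make_sample_image(0x11111111), make_sample_image(0x22222222)
    print("differing offsets:", differing_offsets(a, b))
    print("raw digests equal:", digest(a) == digest(b))
    print("normalized digests equal:", digest(normalize(a)) == digest(normalize(b)))
```

This sketch handles only the COFF file header field; comparing real builds with differing_offsets shows whether any other bytes still vary.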