kernel recompilation for better hardening

https://docs.clip-os.org/clipos/kernel.html

These both look interesting. They’re mainly for kernel compile options though.

Is there any way to build Whonix with custom kernel configurations? Or will kernels have to be recompiled to get custom configurations?

2 Likes

No such built-in options in Whonix build script at the time of writing.
(Though the kernel package can be set in the build script by command line parameter or build config, and there is the build-steps.d drop-in mechanism.)

I think so.

1 Like

Maybe we could ask upstream to implement this or we could set a different kernel package to be used. Something like linux-hardened.

2 Likes

Most hardening (or anything as much as possible) is almost always best pushed upstream in the long run.

2 Likes

I doubt upstream would want to use hardened kernels as the default due to the performance loss. Most users would prefer performance over security.

1 Like

Unlikely a default but I think Debian is open to having people who maintain alternative, security focussed kernels in packages.debian.org. They used to have a linux-grsec kernel package back then.

1 Like

Most of the stuff merged in KSPP does end up being enabled in Debian, though not everything. Our goal is to avoid recompiling any major binaries so we can benefit from upstream's work on reproducible builds. The Debian kernel security team is very enthusiastic and open to suggestions. Dev Ben Hutchings is supportive of safe defaults.

2 Likes

A possible but really hacky way to have a hardened kernel by default would be to modify the build scripts to recompile the kernel after the default one is already installed. This would make the build take much longer but may be worth having a hardened kernel configuration.

1 Like

Debian / Whonix by default does not compile the kernel during
installation. It uses the kernel from packages.debian.org. So there is
nothing to recompile. It would have to be built from source.

madaidan via Whonix Forum:

A possible but really hacky way to have a hardened kernel by default would be to modify the build scripts to recompile the kernel after the default one is already installed.

I don’t think this very technical aspect is a problem currently. What
kernel gets installed is very flexible. It is defined in
build-steps.d/1700_install-packages. Additionally the kernel / headers
to install can already be configured using --kernel kernel-package-name
and --header kernel-package-header-name. If there was a kernel package
inside the /packages directory, it would be built during
build-steps.d/1200_create-debian-packages and be available during
build-steps.d/1700_install-packages. No hack required. Build script
integration is actually the easy part for many things.

The problem is: there is no hardened kernel package. Why is there no
such project? I.e. modified Debian kernel source, pre-build deb package,
perhaps deb repository? Also why not contribute such an alternative
kernel directly to Debian?

2 Likes

Not sure. They probably didn’t see the purpose of a hardened kernel since they had grsec but now grsec is gone. We could make our own kernel package or fork linux-hardened.

That would be a good idea. Maybe we should ask the Debian devs?

1 Like

madaidan via Whonix Forum:

linux-hardened.

Which one? Link?

?

We could make our own kernel package or fork linux-hardened.

I would like to understand a few things first.

What’s the diff between Debian’s linux-image-amd64 (Debian -- Details of package linux-image-amd64 in buster) and linux-hardened in descriptive terms? I.e. a possible (good) answer would be for example: “different kernel version + different kernel compile config + no Debian packaging files + additional arch linux packaging files”.

Can we just take their different kernel compile config, then use the Debian kernel source package ( Debian -- Details of source package linux-signed-amd64 in buster [?]), mix it together, rename the kernel package, and build the kernel package (using make deb-pkg by Debian kernel source package)?

[not make deb-pkg by genmkfile]

Or forget about the Debian buster stablized kernel version and use whatever version linux-hardened is using.

What about trust? The diff looks unreviewable. GitHub - anthraxx/linux-hardened: Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening :

This branch is 134332 commits ahead, 4404 commits behind AndroidHardeningArchive:4.14-lts.

If it is by trustworthy people, we wouldn’t review the changes, trust signed git commits (hopefully existing already), then just add the Debian packaging files on top? If that even works?

Maybe we should ask the Debian devs?

Yes, please go ahead asking that. Hard to find existing discussions and I wonder why there haven’t been any after grsecurity was gone.

1 Like
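The “diff in descriptive terms” question above has a mechanical part: which compile options actually differ between a stock Debian config and a hardened one. As an added example (not from the thread, not Debian’s or linux-hardened’s tooling), here is a small POSIX shell/awk function that compares two kernel .config files and prints only the options whose effective value differs, treating “# CONFIG_X is not set” and a missing option both as “n”. The two sample configs are constructed fragments for illustration, not real Debian or linux-hardened configs.

```sh
#!/bin/sh
# Added example: report every kernel option whose effective value differs
# between two .config files. Absent options and "# CONFIG_X is not set"
# lines are both treated as "n", so a /boot/config-* can be compared with
# the output of "make olddefconfig" without spurious noise.
set -eu

# kconfig_diff OLD NEW  -> sorted lines of the form "CONFIG_X: old -> new"
kconfig_diff() {
    awk '
        { k = "" }
        /^CONFIG_[A-Za-z0-9_]+=/ { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1) }
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { k = $2; v = "n" }
        k == "" { next }                 # comments, blank lines, headers
        FNR == NR { a[k] = v; next }     # first file
        { b[k] = v }                     # second file
        END {
            for (k in a) {
                vb = (k in b) ? b[k] : "n"
                if (a[k] != vb) printf "%s: %s -> %s\n", k, a[k], vb
            }
            for (k in b)
                if (!(k in a) && b[k] != "n") printf "%s: n -> %s\n", k, b[k]
        }
    ' "$1" "$2" | sort
}

# Constructed sample fragments (illustrative, not real distribution configs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/debian.config" <<'EOF'
# Automatically generated file; DO NOT EDIT.
CONFIG_LOCALVERSION=""
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
CONFIG_DEVMEM=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
EOF
cat > "$demo_dir/hardened.config" <<'EOF'
CONFIG_LOCALVERSION="-hardened"
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_DEVMEM is not set
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
EOF

# Prints the four options that differ; the two that match are omitted.
kconfig_diff "$demo_dir/debian.config" "$demo_dir/hardened.config"
rm -rf "$demo_dir"
```

Run it against the real files (e.g. /boot/config-4.19.0-5-amd64 and the linux-hardened config for the matching LTS branch) to get the compile-config half of the answer; the code patches are a separate diff that this does not cover.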

The github repo.

GitHub - anthraxx/linux-hardened: Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

There’s a different compile config, no Debian packaging files, hardening patches etc. It isn’t just a hardened compile config but actual changes in the code. The kernel version is different but we can use the LTS branch to be more in line with the Debian versions.

We could, but then we’d lose a lot of the hardening patches and changes to the code.

It was originally created by Daniel Micay and is now maintained by one of the Arch Security Team so I’d say it’s pretty trustworthy.

It should work although there may be some problems with using a kernel designed for rolling release distros on a stable one. The LTS kernel should have the least problems though and the best security due to the reduced attack surface (more features are added in stable kernels).

1 Like

Sounds like a good way forward. Could you try please if you get the Debian package build to function?

1 Like

I don’t know a lot about how Debian’s packaging system works so I don’t know where to start.

1 Like

In theory, just copy over the /debian folder of Debian’s kernel package. Then run make deb-pkg and see where it breaks.

1 Like

I cloned the linux-hardened git repo, copied the /debian folder from the linux-sources package and ran make deb-pkg. I got this error.

user@host:~/linux-hardened$ make deb-pkg
***
*** Configuration file ".config" not found!
***
*** Please run some configurator (e.g. "make oldconfig" or
*** "make menuconfig" or "make xconfig").
***
Makefile:655: include/config/auto.conf.cmd: No such file or directory
make: *** [Makefile:664: .config] Error 1
user@host:~/linux-hardened$ 

So I installed some needed packages and ran make menuconfig. I saved and exited. But I’m not sure if this overwrote the linux-hardened config or not. I did get this message

using defaults found in /boot/config-4.19.0-5-amd64

which makes it seem as if it was overwritten.

I then ran make deb-pkg again. I got this error a while after starting

make[4]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make[3]: *** [Makefile:1072: certs] Error 2
make[2]: *** [debian/rules:6: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
make[1]: *** [scripts/package/Makefile:75: deb-pkg] Error 2
make: *** [Makefile:1421: deb-pkg] Error 2
user@host:~/linux-hardened$

I don’t know how to fix this.

1 Like

Can you compile a default Debian linux kernel which was received through package sources? Could be a good exercise in preparation. This might point us to the right steps to do it and then we “just” replace the underlying linux source. In theory.

https://www.debian.org/releases/stretch/i386/ch08s06.html.en

https://wiki.debian.org/BuildADebianKernelPackage

https://kernel-team.pages.debian.net/kernel-handbook/

https://debian-handbook.info/browse/stable/sect.kernel-compilation.html

Then also next level of difficulty: compiling kernel from kernel.org instead of Debian source package.

Only last step can be compiling linux-hardened since highest level of difficulty.

1 Like

This is outdated. make-kpkg isn’t used anymore.

This is interesting. It says

Alternatively, you can use the configuration from a Debian-built kernel that you already have installed by copying the /boot/config-* file to .config and then running make oldconfig to only answer new questions.

If you do this, ensure that you modify the configuration to set:

CONFIG_SYSTEM_TRUSTED_KEYS=""

otherwise the build may fail:

make[4]: *** No rule to make target 'debian/certs/test-signing-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
make[4]: *** Waiting for unfinished jobs....

The build seemed to have copied the configuration from the kernel I already have installed and I didn’t configure any more options so this seems like it’s the cause of the problem above.

1 Like
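The fix quoted from the Debian wiki above, scripted, as an added example that is not from the thread and not Debian’s or linux-hardened’s own tooling. It copies an installed Debian /boot/config-* into a .config that make deb-pkg can build from a foreign tree by blanking the key settings that point at files only present in Debian’s own packaging (the debian/certs/... path in the error above), then wraps the steps discussed in the thread. CONFIG_SYSTEM_REVOCATION_KEYS only exists on newer kernels and is an assumption here (the substitution is a no-op when the line is absent); the build wrapper, the -hardened suffix and the tool list are assumptions too, and the sample config is a constructed fragment.

```sh
#!/bin/sh
# Added example: prepare a Debian kernel config for "make deb-pkg" in a
# non-Debian source tree (e.g. a linux-hardened checkout).
set -eu

# prepare_config SRC DST: copy SRC to DST, blanking the certificate settings
# that reference debian/certs/... . Leaving them set is what produced
# "No rule to make target 'debian/certs/...'" in the thread.
prepare_config() {
    sed \
        -e 's|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=""|' \
        -e 's|^CONFIG_SYSTEM_REVOCATION_KEYS=.*|CONFIG_SYSTEM_REVOCATION_KEYS=""|' \
        "$1" > "$2"
}

# config_needs_debian_certs FILE: succeed if FILE still points at debian/certs
config_needs_debian_certs() {
    grep -Eq '^CONFIG_SYSTEM_(TRUSTED|REVOCATION)_KEYS="debian/' "$1"
}

# build_deb_from_tree TREE DEBIAN_CONFIG: the thread's procedure with the fix
# applied. Not run by the demo below; it needs a kernel source tree plus
# build-essential, libssl-dev, libelf-dev, bc, flex, bison, fakeroot and
# dpkg-dev (assumed package list). LOCALVERSION gives the resulting
# linux-image package a distinct name.
build_deb_from_tree() {
    tree=$1
    debcfg=$2
    prepare_config "$debcfg" "$tree/.config"
    if config_needs_debian_certs "$tree/.config"; then
        echo "config still references debian/certs, refusing to build" >&2
        return 1
    fi
    ( cd "$tree" &&
      make olddefconfig &&                          # answer new options with defaults
      make -j"$(nproc 2>/dev/null || echo 2)" deb-pkg LOCALVERSION=-hardened )
}

# Constructed stand-in for /boot/config-4.19.0-5-amd64 (a few lines only).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config-4.19.0-5-amd64" <<'EOF'
CONFIG_LOCALVERSION=""
CONFIG_MODULE_SIG=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
CONFIG_SECURITY_DMESG_RESTRICT=y
EOF
prepare_config "$demo_dir/config-4.19.0-5-amd64" "$demo_dir/.config"
if config_needs_debian_certs "$demo_dir/.config"; then
    echo "still references debian/certs" >&2
    exit 1
fi
grep '^CONFIG_SYSTEM_TRUSTED_KEYS=' "$demo_dir/.config"   # CONFIG_SYSTEM_TRUSTED_KEYS=""
rm -rf "$demo_dir"
```

With a real tree the call is build_deb_from_tree ~/linux-hardened /boot/config-4.19.0-5-amd64; the check before make is there so the build fails fast instead of an hour in, as happened above.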

I’m compiling the kernel now. It’s taking a while but I’m definitely past the part where I got that error the last time. That seems to have fixed it.

1 Like

The kernel finally compiled. I installed it and when I booted into it, I got a black screen. I tried to access the systemd journal to see what happened but for some reason the logs of past sessions aren’t stored.

Is there something Debian or Whonix does that clears logs?

1 Like