Error with hardened-kernel script in Kicksecure Debian

Support
9

I installed all 3 packages per your order and rebooted. I attempted to install LKRG to secure the OS even more as follows:

sudo apt-get install lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
linux-headers-amd64 is already the newest version (4.19+105+deb10u8).
lkrg is already the newest version (0:0.8.1.0-1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up lkrg-dkms (0.8.1.0-1) …
Removing old lkrg-0.8.1 DKMS files…

Deleting module version: 0.8.1
completely from the DKMS tree.

Done.
Loading new lkrg-0.8.1 DKMS files…
Building for 4.19.122
Building initial module for 4.19.122
Error! Bad return status for module build on kernel: 4.19.122 (x86_64)
Consult /var/lib/dkms/lkrg/0.8.1/build/make.log for more information.
dpkg: error processing package lkrg-dkms (–configure):
installed lkrg-dkms package post-installation script subprocess returned error exit status 10
dpkg: dependency problems prevent configuration of lkrg:
lkrg depends on lkrg-dkms; however:
Package lkrg-dkms is not configured yet.

dpkg: error processing package lkrg (–configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
lkrg-dkms
lkrg
E: Sub-process /usr/bin/dpkg returned an error code (1)

Then I looked at the log to see the errors:

sudo geany /var/lib/dkms/lkrg/0.8.1/build/make.log

Results in:

DKMS make.log for lkrg-0.8.1 for kernel 4.19.122 (x86_64)
Mon 14 Dec 2020 02:56:16 AM UTC
make -C /lib/modules/4.19.122/build M=/var/lib/dkms/lkrg/0.8.1/build modules
make[1]: Entering directory ‘/usr/src/linux-headers-4.19.122’
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.o
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.c:19:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.c:18:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.c:22:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.c:18:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.c:22:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.c:44:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.o] Error 1
make[2]: *** Waiting for unfinished jobs…
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.o] Error 1
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.c:24:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/…/…/…/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.c:29:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/…/…/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.o] Error 1
make[1]: *** [Makefile:1525: module/var/lib/dkms/lkrg/0.8.1/build] Error 2
make[1]: Leaving directory ‘/usr/src/linux-headers-4.19.122’
make: *** [Makefile:98: all] Error 2

The main error seems to be: #error “LKRG requires CONFIG_KPROBES”

How may I fix this?

Would this Debian Kicksecure OS be proper with the hardened kernel without LKRG?

Update - Doing some research I found this pertaining to KPROBES - GitHub - lttng/lttng-modules: This repo is a mirror of the official lttng-modules git found at git://git.lttng.org/lttng-modules.git. The LTTng modules provide Linux kernel tracing capability to the LTTng 2.x tracer toolset. - Is this what needs to be done with the custom kernel package?

I noticed your config file displayed CONFIG_KPROBES is not set in which I changed it to CONFIG_KPROBES=y and I’m recompling the kernel. Was this the proper course of action?

Thanks,
Sudobash

Another Update - That semi worked I think with results below:

sudo apt-get install lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
linux-headers-amd64 is already the newest version (4.19+105+deb10u8).
lkrg is already the newest version (0:0.8.1.0-1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up lkrg-dkms (0.8.1.0-1) …
Removing old lkrg-0.8.1 DKMS files…

Deleting module version: 0.8.1
completely from the DKMS tree.

Done.
Loading new lkrg-0.8.1 DKMS files…
Building for 4.19.122
Building initial module for 4.19.122
Done.

p_lkrg.ko:
Running module version sanity check.

  • Original module
    • No original module exists within this kernel
  • Installation
    • Installing to /lib/modules/4.19.122/updates/dkms/

depmod…

DKMS: install completed.
Created symlink /etc/systemd/system/multi-user.target.wants/lkrg-dkms.service → /lib/systemd/system/lkrg-dkms.service.
Job for lkrg-dkms.service failed because the control process exited with error code.
See “systemctl status lkrg-dkms.service” and “journalctl -xe” for details.
Setting up lkrg (0.8.1.0-1) …

THEN

sudo apt-get reinstall lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
0 upgraded, 0 newly installed, 2 reinstalled, 0 to remove and 1 not upgraded.
Need to get 0 B/13.9 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database … 121387 files and directories currently installed.)
Preparing to unpack …/linux-headers-amd64_4.19+105+deb10u8_amd64.deb …
Unpacking linux-headers-amd64 (4.19+105+deb10u8) over (4.19+105+deb10u8) …
Preparing to unpack …/lkrg_0%3a0.8.1.0-1_amd64.deb …
Unpacking lkrg (0.8.1.0-1) over (0.8.1.0-1) …
Setting up linux-headers-amd64 (4.19+105+deb10u8) …
Setting up lkrg (0.8.1.0-1) …

Checking to see if LKRG is running:

sudo journalctl -b | grep lkrg
Dec 14 05:41:33 os lkrg-loader[706]: INFO: Running 'modprobe p_lkrg ’ …
Dec 14 05:41:33 os kernel: p_lkrg: loading out-of-tree module taints kernel.
Dec 14 05:41:33 os kernel: p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
Dec 14 05:41:33 os kernel: [p_lkrg] Loading LKRG…
Dec 14 05:41:33 os kernel: [p_lkrg] System does NOT support SMEP. LKRG can’t enforce SMEP validation :frowning:
Dec 14 05:41:33 os kernel: [p_lkrg] System does NOT support SMAP. LKRG can’t enforce SMAP validation :frowning:
Dec 14 05:41:34 os kernel: [p_lkrg] 6/23 UMH paths are allowed…
Dec 14 05:41:34 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-22]
Dec 14 05:41:34 os kernel: [p_lkrg] Trying to find ISRA / CONSTPROP name for <ovl_create_or_link>
Dec 14 05:41:34 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for ovl_create_or_link failed and ISRA / CONSTPROP version not found!
Dec 14 05:41:34 os kernel: [p_lkrg] Can’t hook ‘ovl_create_or_link’ function. This is expected if you are not using OverlayFS.
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:8 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:9 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:10 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:11 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:12 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:13 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:14 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:15 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] LKRG initialized successfully!
Dec 14 05:41:34 os lkrg-loader[706]: INFO: Done running modprobe, ok.

sudo sysctl -a | grep lkrg
lkrg.block_modules = 0
lkrg.heartbeat = 0
lkrg.hide = 0
lkrg.interval = 15
lkrg.kint_enforce = 2
lkrg.kint_validate = 3
lkrg.log_level = 3
lkrg.msr_validate = 0
lkrg.pcfi_enforce = 1
lkrg.pcfi_validate = 2
lkrg.pint_enforce = 1
lkrg.pint_validate = 2
lkrg.profile_enforce = 2
lkrg.profile_validate = 3
lkrg.smap_enforce = 0
lkrg.smap_validate = 0
lkrg.smep_enforce = 0
lkrg.smep_validate = 0
lkrg.trigger = 0
lkrg.umh_enforce = 1
lkrg.umh_validate = 1

1 Like