When systemd’s PID 1 detects it runs in a virtualized environment providing the virtio-rng interface it will load the necessary kernel modules to make use of it during earliest boot, if possible much earlier than regular kernel module loading done by systemd-udevd.service. This should ensure that in VM environments the entropy pool is quickly filled, even before systemd invokes the first service process, as long as the VM environment provides virtualized RNG hardware (and VM environments really should!).
We should consider setting the efi=disable_early_pci_dma boot parameter and CONFIG_EFI_DISABLE_PCI_DMA=y kconfig option for better protection against DMA attacks, although these are far ahead of our kernel version.
Good stuff. Please keep it coming. I have yet to read this, but one thing…
These could be added now. The existing kernel would probably just ignore these? And when the time comes, we haven’t forgotten about this and it’s already check mark done.
The only things we don’t have are things we’re already discussing (kernel.sysrq=0, kernel.deny_new_usb=1, modules.sig_enforce=1) or things not in our kernel version (init_on_free=1 init_on_alloc=1, lockdown=confidentiality).
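The knobs listed above, and the question of what an older kernel does with parameters it does not know, can be checked with a small audit script. This is an added example, not Whonix or security-misc code; the minimum kernel versions in it are my assumptions taken from the kernel-parameters documentation history, and the sample command line and sysctl values are constructed.

```python
import re

# Minimum mainline version that understands each boot parameter (assumption:
# from kernel-parameters.txt history; confirm against the tree you ship).
# Older kernels silently ignore unknown parameters, so "unsupported" means
# the knob is a no-op there rather than an error.
CMDLINE_KNOBS = {
    "init_on_alloc=1": (5, 3),
    "init_on_free=1": (5, 3),
    "lockdown=confidentiality": (5, 4),
    "efi=disable_early_pci_dma": (5, 6),
    "module.sig_enforce=1": (3, 7),  # the kernel spells it "module.", not "modules."
}
# kernel.deny_new_usb exists only on linux-hardened, so an absent sysctl key
# is reported as "unsupported" rather than "missing".
SYSCTL_KNOBS = {"kernel.sysrq": "0", "kernel.deny_new_usb": "1"}


def parse_cmdline(cmdline):
    """Map each key to its comma-separated values, so that
    'efi=disable_early_pci_dma,nochunk' still counts as applied."""
    parsed = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        parsed.setdefault(key, []).extend(value.split(",") if value else [""])
    return parsed


def kernel_version(release):
    """'5.4.0-4-amd64' -> (5, 4)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2)))


def audit(cmdline, sysctl, release):
    """Return {knob: 'applied' | 'missing' | 'unsupported'} for one kernel."""
    parsed, ver, result = parse_cmdline(cmdline), kernel_version(release), {}
    for knob, min_ver in CMDLINE_KNOBS.items():
        key, _, want = knob.partition("=")
        if ver < min_ver:
            result[knob] = "unsupported"
        else:
            result[knob] = "applied" if want in parsed.get(key, []) else "missing"
    for key, want in SYSCTL_KNOBS.items():
        knob = f"{key}={want}"
        if key not in sysctl:
            result[knob] = "unsupported"
        else:
            result[knob] = "applied" if sysctl[key].strip() == want else "missing"
    return result
```

On a live system feed it the contents of /proc/cmdline, the output of `sysctl -a` parsed into a dict, and `uname -r`.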
Obscurix has other non-kernel-related hardening Whonix doesn’t have like bubblewrap sandboxing though.
Obscurix is my personal project btw. It’s at a very early stage and I’m too busy with other things to work on it more.
Merged. Could you please expand the description a bit? Add these links from the pull request? Add a few more keywords such as kernel, console, and what this might break? This is so that if ever a bug is reported, the Whonix source code can be grepped and this would give a hint.
Seems one of the lesser known hardening options. By performing web searches, other websites come up that are already similarly thorough at flipping all the security hardening knobs.
The presentation on the vivid bugs discussed a while ago.
security-misc blacklists the module, hardened-kernel doesn’t include vivid or userfaultfd() (which was used to exploit these bugs) at all, and both restrict the kernel logs to root which mitigates this on multiple layers (although vivid wasn’t removed until these bugs were disclosed).
I’m not aware of it ever being mentioned as adding extra attack surface or aiding spectre/meltdown. Have you seen anything? If yes I can try harder to search for it.