Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.
Patrick_mobile via Whonix Forum:
Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.
Initial packaging is done:
madaidan via Whonix Forum:
Should CONFIG_PROC_PAGE_MONITOR be disabled?
linux/fs/proc/Kconfig at master · torvalds/linux · GitHub
Various /proc files exist to monitor process memory utilization:
/proc/pid/smaps, /proc/pid/clear_refs, /proc/pid/pagemap,
/proc/kpagecount, and /proc/kpageflags. Disabling these
interfaces will reduce the size of the kernel by approximately 4kb.
It was called “brain-dead” and a security risk by grsecurity.
It was also used in exploiting rowhammer to gain kernel privileges.
Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
Better disable read/write access with apparmor-profile-everything instead?
It’s just going to add compile time then.
I think it would be good to include hardened-vm-kernel and apparmor-profile-everything in QubesOS similar to security-misc:
Package security-misc from Whonix to Qubes · Issue #1885 · QubesOS/qubes-issues · GitHub
Not a lot has happened to security-misc in Qubes outside of Qubes-Whonix. Maybe more realistic to develop Kicksecure and then create a Kicksecure Qubes template. That might meet lower resistance than hardening Qubes Debian template.
Feel free to open any Qubes tickets.
As for outreach hardened-vm-kernel seems useful to contact both linux-hardened and oss-security mailing list.
perf exposes tons of debugging functionality that’s not really used much and should be disabled. It’s been the source of many infoleaks and vulnerabilities. Debian restricts this to root by default but that’s not enough for us.
The problem with disabling it though is that CONFIG_KVM and CONFIG_X86 both select CONFIG_PERF_EVENTS even though it isn’t strictly required. So, we’d need to patch the Kconfig and comment it out.
We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.
cat /usr/share/hardened-vm-kernel/patches/* | patch -p1
More info on this:
https://lkml.org/lkml/2016/1/11/587
https://lkml.org/lkml/2016/6/17/696
That doesn’t work. Disabling it causes tons of compile errors. Better to just patch the kernel and make perf error out.
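An added example for the patch-directory idea above (not the hardened-vm-kernel build script and not code posted in the thread): instead of concatenating everything in the directory into one stream, apply each *.patch file on its own, in sorted order, after a dry run, so a rejected hunk can be traced to one file and the tree is never left half-patched. The directory name is the one proposed in the thread; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own build script.
# Apply every *.patch in a directory to a kernel tree, one file at a time.
# Files are taken in lexical order, so name them 0001-..., 0002-... to fix the order.
set -eu

# apply_patch_dir TREE DIR -> prints the number of patches applied, returns 1 on the
# first patch whose dry run fails, leaving TREE untouched by that patch.
apply_patch_dir() {
    tree="$1"
    dir="$2"          # e.g. /usr/share/hardened-vm-kernel/patches (assumed layout)
    count=0
    for p in "$dir"/*.patch; do
        [ -e "$p" ] || break   # the glob matched nothing: no patches to apply
        # Dry run first: nothing is written if any hunk fails to apply.
        if ! patch -d "$tree" -p1 --forward --dry-run -s < "$p"; then
            echo "refusing to apply $p: dry run failed" >&2
            return 1
        fi
        patch -d "$tree" -p1 --forward -s < "$p"
        count=$((count + 1))
    done
    echo "$count"
}
```

Call it from the build script as `apply_patch_dir "$KERNEL_SRC" /usr/share/hardened-vm-kernel/patches || exit 1`; a non-zero exit stops the build before `make` runs on a partially patched tree.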
madaidan via Whonix Forum:
We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.
Much better to submit any patches to linux-hardened. They’re much more
capable to review it than I would. Very happy to see they merged your
pull request (Harden module auto-loading by madaidan · Pull Request #19 · anthraxx/linux-hardened · GitHub)!
Congratulations!
Did they? Looks like they just closed it.
madaidan via Whonix Forum:
Did they? Looks like they just closed it.
Not sure. But guess so. Commits are referenced there. He force pushed.
Did not use merge button.
In their repo. But dunno which branch.
That doesn’t mean it was merged. Look at this unmerged commit in the security-misc repo for example.
I can’t see my commits in any of linux-hardened’s branches.
Maybe ask? A comment if refused would be good? Perhaps a mistake.
Better to check proc ipv6 setting?
You mean settings in /proc/sys/net/ipv6/? That directory doesn’t exist with the hardened kernel.
It might be better to use the number of cores + 1 with the -j option when compiling the kernel instead of just the number of cores, although there seems to be some disagreement on this.
time - How to speed up Linux kernel compilation? - Stack Overflow
The best results are often achieved using the number of CPU cores in the machine + 1; for example, with a 2-core processor run make -j3
https://wiki.gentoo.org/wiki/Kernel/Configuration#Build
Add the option -j(<NUMBER_OF_CORES> + 1). For example, a dual core processor contains two logical cores plus one (2 + 1):
We can change make -j $(nproc) to make -j $(($(nproc) + 1)).
Then that’s a good test. Nonexistence is good for testing this.
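An added example tying together the checks discussed in this thread (not code from hardened-vm-kernel or from any of the posters): read the built kernel's config to confirm CONFIG_PROC_PAGE_MONITOR ended up disabled, and at runtime confirm that the interfaces it would create, and the /proc/sys/net/ipv6 directory, do not exist at all. The option and path names are the ones named above; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of hardened-vm-kernel.
# Two kinds of check for a hardened kernel build:
#   1. static: what the .config (or /boot/config-$(uname -r)) says about an option
#   2. runtime: the /proc interface must not exist at all (nonexistence is the test)

# kconfig_state FILE OPTION -> prints y, m, a quoted string value,
# "n" for an explicit "# OPTION is not set", or "unset" if the option is absent.
kconfig_state() {
    file="$1"
    opt="$2"
    if grep -q "^# $opt is not set\$" "$file"; then
        echo n
    elif grep -q "^$opt=" "$file"; then
        sed -n "s/^$opt=//p" "$file" | head -n 1
    else
        echo unset
    fi
}

# kconfig_all_disabled FILE OPTION... -> 0 only if every option is n or unset.
# Anything else (y, m, a string) is reported on stderr and makes the check fail.
kconfig_all_disabled() {
    file="$1"
    shift
    rc=0
    for opt in "$@"; do
        state=$(kconfig_state "$file" "$opt")
        case "$state" in
            n|unset) ;;
            *) echo "$opt=$state (expected disabled)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# path_absent PATH -> 0 if the path does not exist, 1 (with a message) if it does.
path_absent() {
    if [ -e "$1" ]; then
        echo "present: $1" >&2
        return 1
    fi
    return 0
}
```

On the running hardened kernel the combined check would be `kconfig_all_disabled /boot/config-$(uname -r) CONFIG_PROC_PAGE_MONITOR && path_absent /proc/self/pagemap && path_absent /proc/sys/net/ipv6`; a non-zero exit means either the config did not take or the interface is still reachable.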