[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

kernel recompilation for better hardening

Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.

1 Like

Patrick_mobile via Whonix Forum:

Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.

Initial packaging is done:

1 Like

madaidan via Whonix Forum:

Should CONFIG_PROC_PAGE_MONITOR be disabled?

https://github.com/torvalds/linux/blob/master/fs/proc/Kconfig#L83

Various /proc files exist to monitor process memory utilization:
/proc/pid/smaps, /proc/pid/clear_refs, /proc/pid/pagemap,
/proc/kpagecount, and /proc/kpageflags. Disabling these
interfaces will reduce the size of the kernel by approximately 4kb.

It was called “brain-dead” and a security risk by grsecurty.

It was also used in exploiting rowhammer to gain kernel privileges.

https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Better disable read/write access with apparmor-profile-everything instead?

1 Like

It’s just going to add compile time then.

1 Like

I think it would be good to include hardened-vm-kernel and apparmor-profile-everything in QubesOS similar to security-misc https://github.com/QubesOS/qubes-issues/issues/1885

1 Like

Not a lot has happened to security-misc in Qubes outside of Qubes-Whonix. Maybe more realistic to develop Kicksecure and then create a Kicksecure Qubes template. That might meet lower resistance than hardening Qubes Debian template.

Feel free to open any Qubes tickets.

As for outreach hardened-vm-kernel seems useful to contact both linux-hardened and oss-security mailing list.

1 Like

perf exposes tons of debugging functionality that’s not really used much and should be disabled. It’s been the source of many infoleaks and vulnerabilities. Debian restricts this to root by default but that’s not enough for us.

The problem with disabling it though is that CONFIG_KVM and CONFIG_X86 both select CONFIG_PERF_EVENTS even though it isn’t strictly required. So, we’d need to patch the Kconfig and comment it out.

We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.

cat /usr/share/hardened-vm-kernel/patches/* | patch -p1

More info on this:

https://lkml.org/lkml/2016/1/11/587

https://lkml.org/lkml/2016/6/17/696

https://old.lwn.net/Articles/696216/

https://patchwork.kernel.org/patch/9249919/

That doesn’t work. Disabling it causes tons of compile errors. Better to just patch the kernel and make perf error out.

madaidan via Whonix Forum:

We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.

Much better to submit any patches to linux-hardened. They’re much more
capable to review it than I would. Very happy to see they merged your
pull request (https://github.com/anthraxx/linux-hardened/pull/19)!
Congratulations!

1 Like

Did they? Looks like they just closed it.

1 Like

madaidan via Whonix Forum:

Did they? Looks like they just closed it.

Not sure. But guess so. Commits are referenced there. He force pushed.
Did not use merge button.

1 Like

In their repo. But dunno which branch.

1 Like

That doesn’t mean it was merged. Look at this unmerged commit in the security-misc repo for example.

I can’t see my commits in any of linux-hardened’s branches.

1 Like

Maybe ask? A comment if refused would be good? Perhaps a mistake.

1 Like

Just asked https://github.com/anthraxx/linux-hardened/pull/19#issuecomment-568789370

1 Like
1 Like

Better to check proc ipv6 setting?

1 Like

You mean settings in /proc/sys/net/ipv6/? That directory doesn’t exist with the hardened kernel.

1 Like

It might be better to use the number of cores + 1 with the -j option when compiling the kernel instead of just the number of cores although there seems to be some disagreement on this.

https://stackoverflow.com/questions/23279178/how-to-speed-up-linux-kernel-compilation

The best results are often achieved using the number of CPU cores in the machine + 1; for example, with a 2-core processor run make -j3

https://wiki.gentoo.org/wiki/Kernel/Configuration#Build

Add the option -j(<NUMBER_OF_CORES> + 1) . For example, a dual core processor contains two logical cores plus one (2 + 1):

We can change make -j $(nproc) to make -j $(($(nproc) + 1))

1 Like

Then that’s a good test. Nonexistence is good for testing this.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]