kernel recompilation for better hardening

madaidan · December 25, 2019, 5:53pm

Allow further restriction of perf events

anthraxx:master ← madaidan:perf_event_paranoid

opened 05:51PM - 25 Dec 19 UTC

Perf events expose tons of attack surface and have been the cause of many vulner…abilities. linux-hardened restricts these to root by default but this still allows the root user to attack the kernel. This disallows all access to perf events by all users, including root, when the kernel.perf_event_open sysctl is set to 4 to reduce attack surface. This keeps the default value as 3 as to not cause too much breakage but users can optionally increase the value.

Patrick · December 26, 2019, 7:33am

madaidan via Whonix Forum:

Patrick_mobile:

Probably stable more secure as not all security bugs are properly backported.

Sure but stable kernels have newer code and more attack surface.

grsecurity - The Truth about Linux 4.6

The real “hard truth” about Linux kernel security is that there’s no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.

Although, stable kernels do have more hardening features.

It’s a hard decision.

LTS kernels have less hardening features and not all bug fixes are backported but it has less attack surface and potentially less chance of having bugs.

Stable kernels have more hardening features and all bug fixes but more attack surface and more bugs.

Let’s use LTS kernels instead. For more stability. Something good that
works is better than something “perfect” constantly breaking.

lkrg-users - LIST HASH IS DIFFERENT - nf_nat / nf_conntrack Linux version 5.3.0-0 reminds me,
keeping up with kernel issues shouldn’t develop into most time spend on.

Patrick · December 26, 2019, 10:46am

madaidan via Whonix Forum:

It might be better to use the number of cores + 1 with the -j option when compiling the kernel instead of just the number of cores although there seems to be some disagreement on this.

time - How to speed up Linux kernel compilation? - Stack Overflow

The best results are often achieved using the number of CPU cores in the machine + 1; for example, with a 2-core processor run make -j3

Kernel/Configuration - Gentoo wiki

Add the option -j(<NUMBER_OF_CORES> + 1) . For example, a dual core processor contains two logical cores plus one (2 + 1):

We can change make -j $(nproc) to make -j $(($(nproc) + 1))

Please test and send pull request.

madaidan · December 26, 2019, 3:20pm

It doesn’t verify the kernel sources or linux-hardened patch with gpg as I would usually do if ! gpg --verify ... but you might prefer to use something else like GitHub - Kicksecure/gpg-bash-lib: gpg file verification bash library, addresses comprehensive threat model, that covers file name tampering, indefinite freeze, rollback, endless data attacks, etc.

madaidan · December 26, 2019, 3:24pm

I tested it and the tinyconfig takes a few minutes to build for me.

HulaHoop · December 26, 2019, 3:46pm

HulaHoop · December 26, 2019, 3:58pm

Many fixes for arch specific stuff, EFI, lockdown, kernel signing, bug fixes they run across (as a huge distro used everywhere they are tested all over the place), ABI maintenance and so on.

Patrick · December 27, 2019, 7:08am

Using curl / networking during apt updates is bad.

Either fail open and miss kernel upgrades or fail closed and break apt.
Networking dependent: if networking is down, slow, etc. the update will fail. Package will exit non-zero break updating or update will be ignored.
- (I plan to merge tb-starter, tb-updater, tb-default-browser and open-link-confirmation packages, add Tor Browser archive (and signature) to binaries-freedom package to make the only required networking APT and nothing else. I.e. once packages are fetched, there are no more networking dependencies. This simplifies the build environment, tunneling all connections through Tor/onions during build and whatnot.)
gpg verification is a major hassle and security risk.
- GitHub - Kicksecure/gpg-bash-lib: gpg file verification bash library, addresses comprehensive threat model, that covers file name tampering, indefinite freeze, rollback, endless data attacks, etc. helps but ideally better avoided.

Why do we need to use linux-hardened as patch? Their git repository looks like as if they imported whole Linux source code from kernel.org and then modified it. Looking at Release 5.4.6.a · anthraxx/linux-hardened · GitHub they offer patch and source code. Maybe we could git clone linux-hardened, then git checkout the tag and build the tag instead? Thereby we could safe one step: downloading from kernel.org. (Both would have to be gpg verified. Double work.

If my above idea is working (getting complete kernel source from linux-hardened) then maybe it would be better to git(hub) fork GitHub - anthraxx/linux-hardened: Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening and add our compile script and config there? That would also be a good chance to merge our modifications upstream to get more eyes on it and to reduce/nullify the delta between our fork and upstream.

Patrick · December 27, 2019, 7:17am

github.com/anthraxx/linux-hardened

Hardened Kernel Config File for Virtual Machines (VMs) ("cloud kernel")

opened 07:17AM - 27 Dec 19 UTC

closed 03:27PM - 28 Mar 20 UTC

adrelanos

A kernel config specialized for better security inside virtual machines is in de…velopment. The development preview version can be found here: https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-vm-kernel/kernel-config This work is being done by @madaidan who also contributed pull requests here. https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan Discussions about the kernel config happen mostly in Whonix forums. https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214 The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here. Therefore I am wondering if there is any chance you would accept a pull request for a hardened VM config file? Which folder would be suitable for such a config file? @madaidan might also be working on a hardened bare metal (i.e. non-VM) kernel config later on but one step a at a time.

madaidan · December 27, 2019, 2:30pm

It just seems like the best way to use it.

The Arch build script (maintained by anthraxx, the current maintainer of upstream linux-hardened) uses it as a patch.

madaidan · December 27, 2019, 10:05pm

github.com/anthraxx/linux-hardened

Restrict access to sysfs

anthraxx:master ← madaidan:sysfs_restrict

opened 10:02PM - 27 Dec 19 UTC

madaidan

+75 -2

This creates the sysfs_restrict sysctl which restricts access to sysfs. When ena…bled, sysfs and any filesystem mounted under it (e.g. debugfs) will be accessible only by root. The default value is set by CONFIG_SECURITY_SYSFS_RESTRICT which is disabled as it breaks too many things to be enabled by default. This is based on GRKERNSEC_SYSFS_RESTRICT.

We won’t need to use this though as we have https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/hide-hardware-info which is far more flexible as it allows us to whitelist stuff.

Patrick · December 28, 2019, 7:05am

Right.

Let’s use LTS anyhow. Reason: I don’t think we’re ready for non-LTS kernels. We don’t have automated testing, let alone on all platforms. Even Tor and Tor Browser upgrades for future versions aren’t sufficiently tested preemptively before these hit stable. When using non-LTS and an upgrade is out, there will be time pressure to upgrade. But what if that breaks either Qubes, VirtualBox and/or KVM or spice, guest additions, lkrg and/or tirdad? There is nothing we can do to patch it quickly and can go back to LTS versions and a version downgrade is hard to do using apt for a Debian derivative.

Alright.

linux-hardend:
We could add linux-hardened-5.4.6.a.patch and linux-hardened-5.4.6.a.patch.sig to hardened-kernel git. gpg verification can be manual. I.e. by developers only when we add to git. No need to automate with a script. (Similar to electrum in binaries-freedom package.)

Linux upstream:
Since linux-hardened shall be applied to to original kernel.org Linux, maybe it would be best to fork GitHub - torvalds/linux: Linux kernel source tree, git checkout and LTS branch/release tag, create a new branch, add linux-hardend patch, add compile script and that’s it? That should make viewing the diff in git very easy. Our branch would just be linux-hardend patch + compile script with Linux LTS unmodified. No “direct” modification of Linux LTS. Patching would happen on the user’s machine during kernel build.

What do you think?

Patrick · December 28, 2019, 10:28am

Yay! We now have a functional Debian buster based CI build. The kernel compilation process is still in progress. Dunno if it will complete but I guess so.

main page:
https://travis-ci.com/Whonix/hardened-kernel

specific build:
https://travis-ci.com/Whonix/hardened-kernel/builds/142518832

raw build log:
https://api.travis-ci.com/v3/job/270808453/log.txt

CI vs non-CI builds: CI builds as root, not user. That could be improved if deemed useful.

Ideally we would could also automate on the CI booting the kernel in VirtualBox, KVM, Qubes and see where it is functional and where it is broken but that might be a pipe dream. Although Continuous integration - CRIU is using kexec but that seems hard to re-use and that would reboot test only KVM (which would still be awesome for start) (because Travis CI is based on KVM as virt-what says). Travis CI also supports artifacts (and any scripting). Build results could be send elsewhere (another cloud service) for further automated testing, i.e. (kexec) kernel boot.

Note: CI builds is only a tool for developers. Kernels build in CI will not be used for anything except for developers to look at build logs. No users will ever be presented to build anything build on a CI. Just any easy way to share build logs in an objective, local system configuration quirk reduced way. Quote http://travis.debian.net/

Q: But wget | sh - is insecure!

A: Of course, and you should never run such a command on your own machine. However, not only does Travis-CI build within throwaway containers that you are not responsible for, cannot trust, and generally don’t care about, there is zero expectation that the resulting .deb files are to be used or installed anywhere.

madaidan · December 28, 2019, 2:06pm

Why not just add the LTS kernel tarball to hardened-kernel instead of forking the source?

Patrick · December 28, 2019, 2:18pm

That’s also an option.

pros:

Preserve git history, authorship. (Although we might consider git clone --depth 1 to save space for those who git clone Whonix.)

Cons:

The tarballs are binary files. Git cannot disk space efficiently manage these. Each gets added as a full copy to git. That will balloon the size of that git repository after a few releases. We will figure out how to deal with this later. We could instruct users to to do git clone --depth 1 cloing. Have to do this at some point for binaries-freedom package anyhow.
Extracting the tarball will take longer than already working with extracted files.

Probably better option. Please add if you agree.

madaidan · December 28, 2019, 2:29pm

We can delete old versions and use --depth=1.

Downloading the source code will also take longer than downloading a tarball so it would probably even out.

I think we should use the tarball. Seems simpler.

Patrick · December 28, 2019, 2:38pm

Yes. Always delete the old tarballs when adding a new tarball. Except if we ever wanted / had to support multiple version such as stable and testing.

Yes.

Patrick · December 28, 2019, 8:36pm

github.com/a13xp0p0v/kconfig-hardened-check

Hardened Kernel Config File for Virtual Machines (VMs) ("cloud kernel")

opened 08:35PM - 28 Dec 19 UTC

closed 03:20PM - 10 Jan 20 UTC

adrelanos

A kernel config specialized for better security inside virtual machines is in de…velopment. The development preview version can be found here: https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-vm-kernel This work is being done by @madaidan who also contributed pull requests to [linux-hardened](https://github.com/anthraxx/linux-hardened). https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan Discussions about the kernel config happen mostly in Whonix forums. https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214 The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here. Therefore I am wondering if there is any chance you would accept a pull request for a hardened (VM) config file? Which folder would be suitable for such a config file? @madaidan is also working on a hardened bare metal (i.e. non-VM) kernel config: https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-host-kernel

Patrick · December 28, 2019, 8:55pm

Tons of kernel config files here:
https://github.com/a13xp0p0v/kconfig-hardened-check/tree/master/config_files

even kspp-recommendations

madaidan · December 28, 2019, 9:55pm

This work is being done by @madaidan who also contributed pull requests here.

This doesn’t really make sense as I’ve never contributed to that repo. It should be “pull requests to linux-hardened”.