Since lockdown is not in our kernel version, I can create a patchset to implement some of its features in our kernel if you want.
For quality control reasons and due to my very limited C programming
language skills (let alone kernel development) I need an independent
review of these patches. One option would be to get them merged in
another project with that capacity first for them to sign-off on so we
can go forward on this. Not sure if any is suited such as ClipOS or similar.
They’re all very similar. They’re mostly just simple if statements and exits. You can see they do the same even with limited C skills.
The perf lockdown patch is slightly different as my patch locks down perf entirely instead of just PERF_SAMPLE_REGS_INTR as more bad things can be done with perf such as kernel address leaking with PERF_SAMPLE_IPBreaking KASLR with perf
I’m not aware of any other project these patches would make sense in due to the reasons above.
This isn’t for inclusion in linux-hardened as they’ll prefer the official lockdown LSM and these patches only complement our config (things such as LOCKDOWN_KPROBES would be needed for linux-hardened but not us).
ClipOS uses the official lockdown LSM so these patches don’t make sense for them.
I can’t even do that. For all of Whonix’s source code, for any reviewers
reporting any security issues or asking any reasonable questions, I can
can handle that. For kernel code, I could not even fix minor things.
For simplicity, I think Whonix redistributed (downloadable) versions
could come with Debian standard stable kernel by default. This would
also serve as “debug” kernel. I.e. those VMs that can’t boot with the
hardened kernel can at least boot with the Debian kernel. During the
first boot, the hardened kernel could be compiled and installed
automatically before any networking goes up and before the user can do
anything except cancel compilation of the kernel.
Not much of an enhancement to do same as above but ship with a hardened
kernel which layout is public knowledge (redistributed, downloadable,
public build) anyhow. Related to
madaidan via Whonix Forum:
Should we also disable coredumps and enable them in the debug kernel?
I guess yes. Debugging in hardened-kernel (non-debug) isn’t possible now
anymore?
[1] For simplicity, I think Whonix redistributed (downloadable) versions
could come with Debian standard stable kernel by default. This would
also serve as “debug” kernel. I.e. those VMs that can’t boot with the
hardened kernel can at least boot with the Debian kernel. During the
first boot, the hardened kernel could be compiled and installed
automatically before any networking goes up and before the user can do
anything except cancel compilation of the kernel.
This also simplifies reproducible builds since it doesn’t introduce new
non-determinism. Our hardened kernel uses all available randomization
security options. Disabling these for redistributed (downloadable)
versions would add even more complexity. [1] is enough.
Maybe around 5000 kernel parameters. When calculating with 3 minutes to review if 1 kernel parameter makes sense (5000 kernel parameters * 3 minutes / 60 minutes / 24 hours) it needs more than 10 days nonstop to review all.
How to make this process more efficient? We’re probably not the first ones having this problem?
Can we somehow if we hover over our config parameters such as CONFIG_PREEMPT by mice being shown the relevant help text [1]?
Could you write a script to copy the help text from somewhere (kernel source) on top of the kernel parameter so no manual search of all parameters is required? If that makes sense?
Or can kconfig (or any fork / frontend) help to walk through parameters, current settings and help texts?
found in Linux kernels: 2.5.45–2.5.75, 2.6.0–2.6.12
Help text
This option reduces the latency of the kernel when reacting to real-time or interactive events by allowing a low priority process to be preempted even if it is in kernel mode executing a system call. This allows applications to run more reliably even when the system is under load. On contrary it may also break your drivers and add priority inheritance problems to your system. Don’t select it if you rely on a stable system or have slightly obscure hardware. It’s also not very well tested on x86-64 currently. You have been warned.
Say Y here if you are feeling brave and building a kernel for a desktop, embedded or real-time system. Say N if you are unsure.
Maybe make xconfig can do that? Any way to point make xconfig to our kernel config or does this need to be run from extracted kerne source folder only? Something better than make xconfig?
Also any other differences where the delta can be reduced? Ideally, the delta should be as minimal as possible to make this more easy to review.
Also during automated testing (CI) is there some command make defconfig, make oldconfig or similar (I don’t understand all of these yet) that could be run?
[1] Maybe we can give up on the top comment. Reset that to whatever the default is.
Then during testing run “make configsomething” (whatever appropriate) and check that our .config stays the same prior and after running “make configsomething” ?
I guess make oldconfig makes most sense and shouldn’t prompt for anything. Presupposing [1] it shouldn’t result in any changes to the .config.