See:
2 Likes
As per Consider Pulling in LKRG · Issue #408 · GrapheneOS/os-issue-tracker · GitHub, I believe we should get rid of the --lkrg option and enable CONFIG_KPROBES by default, while also disabling the config options mentioned in the issue to get rid of the attack surface exposed to user space.
Tirdad also requires kprobes:
1 Like
Will also update documentation to reflect this.
1 Like
Hi,
Installed the Whonix hardened kernel on another distro and now some systemd services will not start. Don’t seem to be able to restart these services and when sudo systemctl start [service] is run, there is an error message which is described as exit-code. Also commands to the dbus seem to fail as well, returning
Failed to connect to bus: Connection Refused
Bunch of upcoming changes to spectre protection defaults and build time compiler options added to newer releases of LLVM and GCC. Sending pulls to other Linux projects may be helpful:
Difficult to understand what these changes do. A comment from the discussion thread frames it this way:
The question is, which programs in the past have opted in with PRCTL? Which in the future will be SECCOMP threads which will have it applied?
1 Like
An AMD feature available in KVM for enhanced protection in Zen3 CPUs:
1 Like
ClipOS is deprecated unfortunately;
"The paper points to AMD CPUs suffering from a side-channel leakage vulnerability through timing and power variations of the PREFETCH instruction. The paper argues that AMD CPUs should activate stronger page table isolation by default. "
“With the Linux kernel already supporting Kernel Page Table Isolation albeit not enabled by default on AMD CPUs, it’s easy to test the behavior otherwise. KPTI can already be forced on for AMD CPUs under Linux if booting with the “pti=on” kernel option (not to be confused with the “kpti=1” option that is for controlling page table isolation for AArch64 systems, unfortunately through a different knob).”
" For instance with GCC 11 is the zero-call-used-regs compiler feature and now with Linux 5.15 that feature can be optionally used to enhance the kernel security.
Slipping under our radar earlier this month was that GCC 12 has landed stack variable auto-initialization. This new GCC 12 security feature can be turned on with the “-ftrivial-auto-var-init=zero” compiler switch. LLVM/Clang saw this security option posted back in 2018."
I don;t know why they thought it was a good idea to include an in-kernel SMB3 file server that turned up vulnerabilities, but I’m sure we are all better off without it. This is a Linux 5.15 “feature” that we can turn off.
1 Like
I think IMA integration is necessary
Integrity Measurement Architecture
This allows greater security although it is somewhat complex to be manually
inserting keys - openssl ,
I have worked on a script it is simple but it signs everything in
an automated way ( Extended Verification Module )
img > https://i.imgur.com/zB3wFDn.png /
img > https://i.imgur.com/aR7qgqS.png /
I could share the script but how do I send it , thanks
Linux kernel configuration for IMA
this security is built into the kernel,
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE=“ima-ng”
CONFIG_IMA_DEFAULT_HASH_SHA512=y
CONFIG_IMA_DEFAULT_HASH=“sha512”
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
CONFIG_IMA_DISABLE_HTABLE=y
Extended Verification Module
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
-# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set !
Disable this line This causes the system to freeze
Boot parameter
ima_policy=appraise_tcb ima_appraise=fix ima_policy=tcb ima_policy=secure_boot
ima_hash=sha512 appraise_flag=blacklist_ evm=fix
Linux IMA Extended Verification Module signing tools
Digital signature verification extension and audit measurement log support.
Package available in debian repository: ima-evm-utils
Which files/folders would be covered by that?
A hardened kernel is generally highly unlikely to happen anytime soon. There’s no actively maintained, Free and Open Source hardened kernel project which provides a Linux kernel compatible with Debian (stable) (and VMs).
There are too many configuration options. See this example.
And the Kicksecure or Whonix project doesn’t have resources to pay a kernel developer (most likely full time) to keep maintaining all of this (which includes figuring out which configuration option breaks what).
Kicksecure is certainly providing all the surrounding infrastructure (wiki, forums, APT repository) but cannot maintain the “core” for the hardened kernel.
related:
Unfortunately, Linux doesn’t prioritize security and some sort of minimalism. It’s still the only realistic choice to work with however far form perfect.
A dangerous feature that’s useless unless your run a HCP cluster allows data to be directly sent to the Linux memory system from a system port. Ideally this shouldn’t see the light of day in a user kernel.
2 Likes
I am not sure which one requires what but if known:
- A) If kernel recompilation is required, please use this forum thread.
- B) If kernel recompilation is not required, please use Kernel Hardening - security-misc.
Sure thing.
In fact Linux nowadays is ~99% commercial. It stopped being a hobby open source project in the late 90s. Desktop experience is some sort of compliment from the kernel hackers as it don’t pay the bills.