kernel recompilation for better hardening

Patrick · February 18, 2020, 2:29pm

madaidan via Whonix Forum:

Will my lockdown patches ever be merged?

I can’t review them. And I haven’t found any other reviewer yet either.

If no upstream wants to take them (in that kernel version), then I can’t
review these patches either.

They’re almost identical to the upstream patches (excluding a different variable name and lockdown-kconfig.patch). The official lockdown patches won’t be coming to LTS anytime soon and there’s no other project I know of I can submit these to.

Similar or even 100% same as upstream patches. As said before backport
something, also the context on where these patches are plugged in have
to be understood which I don’t understand either.

They’re really important. Without them, root can easily escalate to
kernel mode, making “untrusted root” useless.

I’d rather re-consider a different kernel version in this case.

These kernel patches are imo also rushed ahead a lot. Solving
⚓ T960 hardened kernel Debian packaging and APT integration - hkapt isn’t trivial at all.

madaidan · February 20, 2020, 6:23pm

Should we compile more RNGs as built-in?

There are the following HWRNG options:

CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=m

I think we should make CONFIG_HW_RANDOM_VIRTIO built-in for the VM kernel and the rest built-in for the host kernel.

There’s also another RNG module we might want to use, CONFIG_CRYPTO_ANSI_CPRNG, but I don’t know about that.

HulaHoop · February 20, 2020, 8:54pm

No, because we chose to completely distrust hwrngs. I think we are better off stripping them out of the kernel.

madaidan · February 20, 2020, 9:20pm

We don’t. We only distrust them for initial entropy. Stripping them out entirely isn’t really a good idea.

Virtio RNG isn’t a real HWRNG anyway Features/Virtio RNG - Fedora Project Wiki

madaidan · February 20, 2020, 10:26pm

CLIP OS recently disabled CONFIG_STAGING.

kernel_config: Blacklist staging drivers · clipos/src_platform_config-linux-hardware@ec648fd · GitHub

From the docs:

Staging drivers are typically of lower quality and under heavy development. They are thus more likely to contain bugs, including security vulnerabilities, and should be avoided.

linux/drivers/staging/Kconfig at master · torvalds/linux · GitHub

This option allows you to select a number of drivers that are not of the “normal” Linux kernel quality level. These drivers are placed here in order to get a wider audience to make use of them. Please note that these drivers are under heavy development, may or may not work, and may contain userspace interfaces that most likely will be changed in the near future.

madaidan · February 21, 2020, 12:06am

https://review.clip-os.org/c/clipos/src_platform_config-linux-hardware/+/5191

madaidan · February 21, 2020, 12:09am

Kernel 5.5 will have an option to disable the iopl() and ioperm() syscalls.

github.com

torvalds/linux/blob/master/arch/x86/Kconfig#L1231-L1247


      
          	help
          	  This option is required by programs like Wine to run 16-bit
          	  protected mode legacy code on x86 processors.  Disabling
          	  this option saves about 300 bytes on i386, or around 6K text
          	  plus 16K runtime memory on x86-64,
          
          
config X86_ESPFIX32
          	def_bool y
          	depends on X86_16BIT && X86_32
          
          
config X86_ESPFIX64
          	def_bool y
          	depends on X86_16BIT && X86_64
          
          
config X86_VSYSCALL_EMULATION
          	bool "Enable vsyscall emulation" if EXPERT
          	default y

anontor · February 21, 2020, 3:25am

Looks like a good candidate to disable. sys_rawio is one of those capabilities that I do not even like when it has to be there. As an example, when building app profiles with Apparmor, I always see if it can run with that one denied. I know it’s just one out of very many caps that could be potentially dangerous, but every bit helps.

Patrick_mobile · February 21, 2020, 7:24am

It’s safe to use any source of entropy but not trust it / not credit it.

Entropy, Randomness, /dev/random vs /dev/urandom, Entropy Sources, Entropy Gathering Daemons, RDRAND

Patrick · February 21, 2020, 11:01am

madaidan:

Should we compile more RNGs as built-in?

There are the following HWRNG options:
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=m
I think we should make CONFIG_HW_RANDOM_VIRTIO built-in for the VM kernel and the rest built-in for the host kernel.

Good idea.

(Not suggested but just in case anyone would think that: Please don’t set any of these options to n (no). A better fallback is m just in case.)

Patrick · February 21, 2020, 11:03am

asked: Questions on seeeding, value of similar utilities · Issue #16 · smuellerDD/jitterentropy-library · GitHub

Patrick · February 21, 2020, 11:06am

This is super helpful since other eyes review these things! Thanks a lot for such upstreaming efforts!

(To nitpick: not exactly upstreaming just yet but similar helpful in long run.)

madaidan · February 21, 2020, 6:21pm

madaidan · February 21, 2020, 6:31pm

CONFIG_DRM_VBOXVIDEO is a staging driver. Is this actually used in vbox guests?

madaidan · February 21, 2020, 6:47pm

github.com/Kicksecure/hardened-kernel

Disable staging drivers

Kicksecure:master ← madaidan:staging

opened 06:46PM - 21 Feb 20 UTC

madaidan

+2 -224

Staging drivers are lower quality and are more likely to contain security vulner…abilities. CONFIG_DRM_VBOXVIDEO is a staging driver so we can't completely disable CONFIG_STAGING in the VM kernel as it's likely used in vbox guests. Instead, this disables all staging drivers except CONFIG_DRM_VBOXVIDEO (which is only 1 as most hardware options are disabled). In newer kernel versions, CONFIG_DRM_VBOXVIDEO is not a staging driver so we can disable CONFIG_STAGING entirely once our kernel catches up.

Patrick · February 25, 2020, 6:39am

3 posts were split to a new topic: VirtualBox Guest Additions

Patrick · February 22, 2020, 6:28am

madaidan via Whonix Forum:

Compile HWRNGs as built-in by madaidan · Pull Request #44 · Kicksecure/hardened-kernel · GitHub

Merged.

Patrick · February 22, 2020, 6:35am

madaidan via Whonix Forum:

Disable staging drivers by madaidan · Pull Request #45 · Kicksecure/hardened-kernel · GitHub

A bit time consuming to review. Requires upgrade to newer kernel,
testing

.

And then do these changes break

?

Patrick · February 22, 2020, 7:14am

Actually needs to be reverted. We would have to be sure if these sources of entropy would be trusted / credited.

I don’t see much advantage over built-in vs module anyhow? For something important as this, better just keep it as default as module?

Patrick · February 22, 2020, 7:17am

Are these modules auto load? And when auto load, is this entropy source credited / trusted?