kernel recompilation for better hardening

1 Like

https://review.clip-os.org/c/clipos/src_platform_config-linux-hardware/+/35685/

This isn’t in our kernel version though so we don’t need to worry (benefits of LTS).

2 Likes

Could you please work on hardened-kernel outreach? @madaidan

1 Like

I think it’s too early for that and I don’t think many listed there would be interested in it. MirageOS doesn’t even use Linux. It’s a framework for building unikernels.

Unrelated to outreach but can be useful for improving build speed:

The idea isn’t that distributions build and upload the kernel to their
distribution very soon. That may or may not be realistic indeed.

The idea is to get attention on the project. Have other competent people
review and contribute.

Because at the moment it’s stalled. This got much more complicated than
I anticipated and I really can’t review the kernel config.

1 Like

I highly doubt any standard distro would be interested in this. The only reason Arch has a package is because anthraxx/Daniel Micay are Arch maintainers/Trusted Users. Tails and Qubes are the only ones I see that might be interested. Gentoo (Hardened) might be interested in linux-hardened but not hardened-kernel since they always create their own config.

1 Like

Interested distributions would be jackpot but my hope is lower and hopefully more realistic: anyone capable of contributing. And I guess that chance is realistic. There used to be a lot of enthusiasm and auxiliary projects for grsecurity (download, compile scripts such as coldkernel, packages and whatnot). I would be really surprised if zero people could get excited about this project now that there is no longer any grsecurity free or other somehow popular (people having heard about it) alternative.

1 Like

grsecurity isn’t really the same. It was well known for providing a large set of security features. linux-hardened doesn’t come close.

Somewhat interesting (although mostly redundant code that does more harm than good):

https://www.openwall.com/lists/kernel-hardening/2020/05/10/3

GitHub - cloudsec/aksp: Another kernel self protection

2 Likes

Messy C
Could have done:
char tmp[33];
char *ptrTmp=tmp;
This way, the array can account for the 32 bytes and the required \0, and also render an overflow impossible because *ptrTmp could only ever hold 32 bytes since it holds the address of tmp (char *ptrTmp=&tmp[0])

Also like grsec said, the n is left undefined. Could have said:
size_t n = strlen(whatever string); or better yet, just leave it out completely. Interesting because I know (from errors I made) that an undefined variable will trigger a lot of complaining from gcc. I imagine any other compiler would do the same?

Anyway just a couple things I saw related to C “grammar.”
Full disclosure: student of C, definitely not an expert by any means, but I learn more every day.

1 Like
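For readers following the buffer sizing in the post above, an added example (not code from the thread or from the linked patch): a 33-byte buffer for a 32-byte field is only safe when the copy routine is given that size, because a pointer to the buffer carries no length of its own. The names `FIELD_LEN` and `copy_field` and the sample strings are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32  /* payload bytes; the buffer adds one for '\0' */

/* Hypothetical helper: copy src into a FIELD_LEN+1 byte buffer.
 * Returns 0 if src fit, -1 if it was truncated. dst is always
 * NUL-terminated and never more than FIELD_LEN+1 bytes are written. */
static int copy_field(char *dst, const char *src)
{
    /* snprintf returns the length src needed, excluding the '\0' */
    int need = snprintf(dst, FIELD_LEN + 1, "%s", src);
    return (need < 0 || need > FIELD_LEN) ? -1 : 0;
}

/* The array type knows its size ... */
static size_t array_capacity(void)
{
    char tmp[FIELD_LEN + 1];
    return sizeof tmp;      /* 33 */
}

/* ... a pointer to the same storage does not. */
static size_t pointer_width(void)
{
    char tmp[FIELD_LEN + 1];
    char *ptrTmp = tmp;
    return sizeof ptrTmp;   /* size of a pointer, not 33 */
}

int main(void)
{
    char tmp[FIELD_LEN + 1];
    /* constructed inputs: exactly 32 and 33 characters */
    const char *fits = "0123456789abcdef0123456789abcdef";
    const char *too_long = "0123456789abcdef0123456789abcdefX";

    int rc = copy_field(tmp, fits);
    printf("fits:     rc=%d len=%zu\n", rc, strlen(tmp));
    rc = copy_field(tmp, too_long);
    printf("too long: rc=%d len=%zu\n", rc, strlen(tmp));
    printf("sizeof array=%zu, sizeof pointer=%zu\n",
           array_capacity(), pointer_width());
    return 0;
}
```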
1 Like
2 Likes

I want to try pimping this project to other upstreams - with the goal of having them absorb your changes completely. @madaidan can you summarize in a few bullet points the main accomplishments so far that aren’t covered by ClipOS + anthraxx hardened-kernel?

2 Likes

The non-bullet-point, non-summary, full description is here:

Perhaps (also) have a look there and see what the highlights are?

I try to provide a short overview here…

There are two main parts.

(And maybe a third small part but not important at this stage.)


A) There is linux-hardened (a patch for the Linux kernel that adds many hardening features). Very few people know about this project.

Outreach can be done without mentioning Whonix specifically. (Not good to think of Whonix specific anyway.)

Previous outreach:

But otherwise there is almost zero (let alone recent) mention of linux-hardened.

Example search term:

site:ubuntu.com https://github.com/anthraxx/linux-hardened

The same holds true for other major distributions.


I don’t think that’s a reason for not trying to organize the linux-hardened project.
grsecurity may have been better than linux-hardened was in the past. That might result in less interest (not possible to quantify xx %) in linux-hardened than grsecurity. But certainly the interest in linux-hardened will not be zero.


B) Hardened kernel config.

There are two kernel configs, hardened-vm-kernel and hardened-host-kernel. hardened-vm-kernel is designed specifically for virtual machines (VMs) and hardened-host-kernel is designed for hosts.

These were created by @madaidan.


C) Supporting scripts.

There’s a download script and a build script but it does not verify software signatures yet. Neither should it. Instead, TODO: do not use networking as per

Other stuff ci_test / travis CI (but only building, no other automated tests). other tasks

Packaging not done yet.

Therefore not sure about mentioning this part yet.


Not sure which parts are worth doing outreach / outreach strategy but anything is certainly better than no progress on outreach.

2 Likes

CLIP OS expects you to create your own config.

You mean anthraxx’s linux-hardened, not hardened-kernel and that’s not a kernel config. It’s a hardening patchset.

There isn’t really much I can say except what’s on hardened-kernel

2 Likes

https://discuss.clip-os.org/t/a-secure-kernel-for-debian/80

2 Likes
1 Like

@Patrick Would a clip-os deb repo we pull from be a satisfactory solution for us?

1 Like

If they can provide a Debian package repository with a hardened kernel, tested to not totally break Debian and up to date, that would probably get many people excited.

Might be unlikely because CLIP OS is based on hardened gentoo.

Good to know. Generating a deb is as easy as specifying this during build. I will see what they think.

1 Like