Kernel versions and security / Debian backports

HulaHoop · August 30, 2018, 11:17pm

Its possible to compile a standalone module against the header for use even after the fact AFAIK.

Nope. Those are the ones from backports that are fetched automatically with this kernel is seems.

According to lockdown’s README yes you can. It’s not a strong guarantee as not having the code in the first place as someone with root can disable it, but it’s better than nothing.

However it only takes effect after a reboot which would be detectable by a user. So if one restores after a session the window of compromise is non-existent.

gitlab.com

taggart/lockdown/blob/master/README

lockdown
========
WARNING: read notes below about potential system breakage!

This package is intended to be installed on systems in order to limit
the exposed surface an attacker might be able to use to compromise and
embed themselves in a system. This way a security hole in an unused
feature can't be used for an attacker to gain a foothold.
It doesn't aim for perfection, but instead to raise the bar by making
things more difficult for attackers.

What it does:
* disables loading/removing kernel modules after boot
* disables live kernel patching (kexec)
* disables Berkeley packet filter (BPF)

Configure by editing /etc/default/lockdown to enable/disable features
and adjust settings.

kernel modules

This file has been truncated. show original

Configure by editing /etc/default/lockdown to enable/disable features
and adjust settings.

HulaHoop · August 30, 2018, 11:53pm

Everything works as expected with full stable-backports. No errors burped out about VBox Guest Additions (the latest in backports which is automatically fetched).

HulaHoop · August 31, 2018, 12:05pm

Do you think it’s a maintainable solution to also grab lockdown from testing and upload it in Whonix repos?

I tested installing it and it needs no deps not present in stable.

The default setting locks in any detected loaded modules within 10 seconds of booting which should cover any built-in hardware.

HulaHoop · April 27, 2018, 6:27pm

Debian has a cloud kernel initiative where they now have linux images optimized for performance on hypervisors and also contain the bare minimum modules needed to boot on major hypervisor platforms which is good for security. Though with the upcoming lockdown feature the extra modules can still be made off limits for attackers if not used.

This kernel version is available in buster and stretch backports which means we probably can’t use it for our purposes but good to consider for later.

Patrick · April 28, 2018, 6:40am

We could use testers here.

VirtualBox:

VirtualBox is are quite possibly ntot well tested with this kernel
since it is as far as I know not much used in the cloud.
VirtualBox guest utilities might break or some other breakage.

Qubes:

This is unrelated to Qubes-Whonix since in Qubes-Whonix the kernel
selection is not up to Whonix, but up to Qubes. (Same as Qubes Debian
templates.)

Patrick · August 16, 2019, 2:46pm

linux-image-cloud-amd64 does not boot in VirtualBox. Also not when removing hardening boot parameters by security-misc package. Also not in recovery mode. Just a black screen.

HulaHoop · August 17, 2019, 6:54pm

Not sure if I’ve already reported this before but when I tried it, it was very minimalistic lacking even modules for shared folders to work. I think they are designed to work with KVM configurations so its almost certain VBox and Xen won’t be able to run it.

Patrick · November 28, 2019, 5:19pm

Let’s consider Debian -- Details of package linux-image-amd64 in buster-backports.

One worry is that VirtualBox guest additions might break and be unfixeable for a while. While at the same time, downgrade to a kernel compatible with VirtualBox guest additions isn’t possible through in-place upgrades (apt dist-upgrade) for existing users.

HulaHoop · November 28, 2019, 5:34pm

I assume the whole point of backporting though is to guarantee this type of bad breakage doesn’t happen? Including stuff from backports gets us some form of upstream support if it doesn’t work

Patrick · November 28, 2019, 5:39pm

Not sure. If I had to bet, I’d bet that breaking VirtualBox guest additions is a test case and blocker for kernel upgrades.

But even if the answer was “yes”, VirtualBox itself is currently not in backports, which is a mess. Therefore no such stability “guarantee”.
Only sid.
Debian -- Details of package virtualbox-guest-x11 in sid

HulaHoop · November 28, 2019, 5:44pm

Can we add backports kernel only for non-VBox build flags?

Patrick · November 28, 2019, 5:46pm

Build flag is doable in theory. But messy due to below…
Repository upgrades: not easy. Not possible without having separate apt repositories or some kind of packaging hack (Conflicts:?) which doesn’t install the backport kernel in VirtualBox.

HulaHoop · November 28, 2019, 5:50pm

Also another thing I just thought of: enhanced security configs in security-misc may use features not available in the older stable kernel?

Is there a way we can test how things go with VBox before deploying this change?
What do users lose without functional guest additions installed? Maybe we can warn about installing them if everything else still works.

Patrick · November 28, 2019, 5:56pm

Not sure. Probably just ignored.

Yes. Try out.
That’s why all changes go through developers → testers → stable-proposed-updates → stable repository.

The problem here is, we cannot predict the future. If backport kernels will break VirtualBox guest additions.

Major things coming to mind:

Fixed screen resolution (too big, too small, scrolling, not using full window space, black border).
No shared folders.
No copy/paste from inside/outside VM.
Trapping of keyboard/mice inside VM until VirtualBox host key is pressed.
Performance?

more details here perhaps:
https://www.virtualbox.org/manual/ch04.html

HulaHoop · November 28, 2019, 5:58pm

The lesser evil. A packaging hack is the path of least resistance IMO.

HulaHoop · November 28, 2019, 6:02pm

Or if we are enabling backports, then simply omit setting this apt config in VBox builds to begin with while designating the stable kernel during the build process?

Patrick · November 29, 2019, 12:33am

Enabling backports is inappropriate for a distribution.
Enabling backports alone does nothing. Still required APT pinning, which again is inappropriate for a distribution.
References:

If not using virtualizer specific kernel versions: Would have to download the package from Debian backports and upload to Whonix stable.
If using virtualizer specific kernel versions: Would require some packaging hack. Perhaps require to recompile the kernel.
- If recompile on developer machine - perhaps for all architectures.
  - (related: issues to compiling for all architectures as per this very post Whonix for arm64 / Raspberry Pi ( RPi ) - duplicate forum topic - #143)
- Or recompile on user’s machine, which is also unsolved. See this very post kernel recompilation for better hardening - #77 by Patrick starting from However, there is one blocker.

I don’t like the idea of virtualizer specific kernel versions. That’s adding a lot complexity. Hard to develop / test since involving different tests on different virtualizers.

It would also only be effective for a platform that I don’t maintain, KVM.
(Qubes is not yet Qubes VM kernel by default.)

Patrick · February 18, 2020, 5:06pm

Debian bug linux-image-amd64 vs linux-headers-amd64 Debian buster-backports version mismatch bpo.2 vs bpo.3 shows that just enabling backports repository might lead to issues. In this example, breaking all kernel modules due to kernel image vs kernel headers version mismatch from backports packages.debian.org.

HulaHoop · February 18, 2020, 8:44pm

OK. That’s a good citation for the wiki on why we don’t enable backports.

Patrick · February 19, 2020, 5:42am

added here:
Dev/APT Pinning - Kicksecure