Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection

Patrick · December 21, 2020, 9:30pm

Different command. p_lkrg. (I didn’t invent the p_. Upstream did.) But probably just a mistake. Not the reason.

So you had kernels 4.19.0 and 4.19.122 installed. The latter, the newer kernel version 4.19.122 was loaded. Kernel module was build for 4.19.122 only. Right?

I wonder how/if this can be fixed. See the DKMS file,debian/lkrg-dkms.dkms.

github.com

Kicksecure/lkrg/blob/master/debian/lkrg-dkms.dkms

PACKAGE_NAME="lkrg"
PACKAGE_VERSION="#MODULE_VERSION#"
#BUILT_MODULE_LOCATION[0]="output"
BUILT_MODULE_NAME[0]="lkrg"
DEST_MODULE_LOCATION[0]="/updates/dkms"
DEST_MODULE_NAME[0]="lkrg"
REMAKE_INITRD="no"
AUTOINSTALL="yes"

MAKE[0]="make -C ${kernel_source_dir} M=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build"
CLEAN="make -C ${kernel_source_dir} M=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build clean"

Then feel free to compare with this with other DKMS files.

Try:

sudo dkms status

Also interesting:

/var/lib/dpkg/info/lkrg-dkms.postinst

sudo sh -x /var/lib/dpkg/info/lkrg-dkms.postinst configure

Reveals what is required to debug further:

sudo sh -x /usr/lib/dkms/common.postinst lkrg 0.8.1 /usr/share/lkrg-dkms

The latter shows how list of kernels is generated. (Runs as root.)

KERNELS=$(ls /lib/modules/ 2>/dev/null || true)

Try this command.

sudo ls /lib/modules/

Perhaps apparmor-profile-everything or other issue which messes up setting of KERNELS? xtrace of /usr/lib/dkms/common.postinst might reveal that.

For me it builds modules for all installed kernel versions. I guess that is the default.

Dunno if DKMS in Debian only works for APT installed kernels but we’re already talking only about APT installed kernels here.

/etc/dkms/framework.conf

## Automatic installation and upgrade for all installed kernels (if set to a
## non-null value)
# autoinstall_all_kernels=""

Quote Bug #1844805 “virtualbox, virtualbox-dkms, virtualbox-qt fail du...” : Bugs : ubuntu-release-upgrader package : Ubuntu

I see there’s one caveat, the autoinstall_all_kernels variable in /etc/dkms/framework.conf can be set to build for all installed kernels, not just the current and newest. But the default is to build only for current and newest.

madaidan · December 21, 2020, 9:46pm

They’re interchangeable and neither work on the second kernel while both work on the first.

Yes.

I compiled hardened-kernel manually and installed it via dpkg -i. I don’t think that would be classified as an “APT installed kernel”. hardened-kernel is the 4.19.122 one.

Setting

autoinstall_all_kernels="yes"

fixed it.

madaidan · January 12, 2021, 12:34am

github.com/anthraxx/linux-hardened

LKRG in-tree @ 1ab4d32f6e20dec8ac7fa029

anthraxx:5.4 ← sempervictus:feature/lkrg_in-tree

opened 09:19PM - 09 Jan 21 UTC

sempervictus

+20319 -313

"LKRG performs runtime integrity checking of the Linux kernel and detection of …security vulnerability exploits against the kernel." - from the LKRG website (https://www.openwall.com/lkrg/) In practice, this is a kernel-mode rootkit working to validate the runtime integrity of the kernel into which it loads instead of subverting it. It leverages its ring0 position to try and perform detection of malicious activity and provides several presets for runtime configuration as well as granular sysctls to fine-tune operation. Generated using openwall/lkrg/blob/main/scripts/copy-builtin.sh, which should be used to refresh the source tree every once in a while as LKRG is under active development. Background/commits for the script in openwall/lkrg/pull/31. Testing (on the 5.4 branch): Weeks of abuse on loaded systems running various test suites. Currently runs in production on dozens of systems serving KVM, container, storage (ZFS, iSCSI), and networking functions. Our kernels build-in a ton of out-of-tree code, covering xtables, LVS, PF_RING, and other projects - we've not seen any issues with those in our testing/usage either.

Patrick · April 15, 2021, 8:36am

v0.9.0 was released.

https://www.openwall.com/lists/announce/2021/04/12/1

But not signed as previous releases. Perhaps because release this time was made by Solar Designer, not Adam.

Waiting for reply before pushing upgrade.

Patrick · April 29, 2021, 2:27pm

v.0.9.1 was released.

Debian packaging that was merged upstream unfortunately “broke” [1] virtualization host software support.

github.com/lkrg-org/lkrg

VirtualBox host software compatibility

opened 02:25PM - 29 Apr 21 UTC

adrelanos

enhancement

Could you please consider either, **A)** introducing a loader which sets the …required lkrg module parameters to be compatible with the VirtualBox host software Example loader: https://github.com/Whonix/lkrg/blob/old-master/debian/lkrg-loader OR, **B)** a more sophisticated solution Quote @solardiz https://github.com/openwall/lkrg/pull/68#issuecomment-823252264 > > Is there a (strong) technical reason to have this inside LKRG itself and not in a loader script? > > Another reason is what condition we check. Right now, Whonix' loader script checks whether VirtualBox is installed, not whether it's in use. This makes sense if the check is only done proactively and only once. LKRG itself could instead check for VirtualBox host's module being inserted into the kernel, so it'd only weaken LKRG protection if and when this happens. Optionally, it could also revert the weakening when the module is removed from the kernel. ---- ``` if command -v vboxmanage &>/dev/null ; then ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 ## https://www.openwall.com/lists/lkrg-users/2020/01/25/2 lkrg_opts="msr_validate=0 pcfi_validate=1 $lkrg_opts" elif command -v kvm &>/dev/null ; then ## Adam: ## For other hypervisors like KVM/qemu you can keep pcfi_validate=2 and only set ## msr_validate=0 (This hypervisor don't do such nasty calls like VirtualBox). lkrg_opts="msr_validate=0 $lkrg_opts" ## check if there is any binary in /usr/bin matching 'qemu*' elif dpkg-query --show "qemu-system" &>/dev/null ; then lkrg_opts="msr_validate=0 $lkrg_opts" fi ```

[1] Not a real regression since upstream never merged Debian packaging beforehand.

Patrick · July 25, 2021, 5:26pm

Patrick · July 25, 2021, 5:26pm

github.com/lkrg-org/lkrg

Debian buster packaging compatibility

lkrg-org:main ← Kicksecure:debian-packaging-buster-fix

opened 03:58PM - 24 Jul 21 UTC

adrelanos

+2 -2

Fixes this issue when building with cowbuilder on Debian buster. ``` The fol…lowing packages have unmet dependencies: pbuilder-satisfydepends-dummy : Depends: debhelper-compat (= 13) which is a virtual package, provided by: - debhelper (12.1.1) provides debhelper-compat=12, but 12.1.1 is installed - debhelper (12.1.1) provides debhelper-compat=11, but 12.1.1 is installed - debhelper (12.1.1) provides debhelper-compat=10, but 12.1.1 is installed - debhelper (12.1.1) provides debhelper-compat=9, but 12.1.1 is installed Unable to resolve dependencies! Giving up... ```

github.com/lkrg-org/lkrg

fix path to /etc/sysctl.d/30-lkrg-dkms.conf

lkrg-org:main ← adrelanos:patch-3

opened 03:49PM - 25 Jul 21 UTC

adrelanos

+13 -13

https://github.com/openwall/lkrg/blob/main/debian/rules#L22 install [`scripts/bo…otup/lkrg.conf`](https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf) it to `/etc/sysctl.d/30-lkrg-dkms.conf`. (The prefix `30-lkrg` seems right for a `d.` directory, i.e. for `/etc/sysctl.d/`.) Not to `/etc/sysctl.d/lkrg.conf` as referenced in [`scripts/bootup/systemd/lkrg.service`](https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service). So in order to fix the Debian package (make LKRG work after installation) some change is required. Currently this issue is happening: ``` user@localhost:~$ sudo systemctl status lkrg ``` ``` ● lkrg.service - Linux Kernel Runtime Guard Loaded: loaded (/lib/systemd/system/lkrg.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Sun 2021-07-25 15:40:37 UTC; 4s ago Process: 5539 ExecStart=/sbin/modprobe -v p_lkrg (code=exited, status=0/SUCCESS) Process: 5540 ExecStartPost=/sbin/sysctl -p /etc/sysctl.d/lkrg.conf (code=exited, status=255/EXCEPTION) Main PID: 5539 (code=exited, status=0/SUCCESS) Jul 25 15:40:37 localhost.localdomain systemd[1]: Starting Linux Kernel Runtime Guard... Jul 25 15:40:37 localhost.localdomain sysctl[5540]: sysctl: cannot open "/etc/sysctl.d/lkrg.conf": No such file or directory Jul 25 15:40:37 localhost.localdomain systemd[1]: lkrg.service: Control process exited, code=exited, status=255/EXCEPTION Jul 25 15:40:37 localhost.localdomain systemd[1]: lkrg.service: Failed with result 'exit-code'. Jul 25 15:40:37 localhost.localdomain systemd[1]: Failed to start Linux Kernel Runtime Guard. ``` Issue being `sysctl: cannot open "/etc/sysctl.d/lkrg.conf": No such file or directory`.

github.com/lkrg-org/lkrg

LKRG Debian package - systemd unit does not automatically start - lkrg.service is a disabled or a static unit, not starting it.

opened 03:53PM - 25 Jul 21 UTC

closed 01:36AM - 21 Dec 21 UTC

adrelanos

wontfix

> sudo apt install lkrg ``` ... Setting up lkrg (0.9.1-3) ... Setting up lkr…g-systemd (0.9.1-3) ... lkrg.service is a disabled or a static unit, not starting it. ``` It requires a manual `sudo systemctl enable lkrg` and reboot or `sudo systemctl start lkrg`. I am wondering, why does it do that? The Debian default is to enable systemd units after installation.

github.com/lkrg-org/lkrg

Debian package DKMS fails to update LKRG kernel modules during Linux kernel upgrade

opened 05:10PM - 25 Jul 21 UTC

closed 05:14AM - 27 Jul 21 UTC

adrelanos

``` user@localhost:~$ sudo apt install lkrg Reading package lists... Done Bui…lding dependency tree Reading state information... Done The following additional packages will be installed: lkrg-dkms lkrg-systemd The following NEW packages will be installed: lkrg lkrg-dkms lkrg-systemd 0 upgraded, 3 newly installed, 0 to remove and 33 not upgraded. Need to get 0 B/120 kB of archives. After this operation, 941 kB of additional disk space will be used. Do you want to continue? [Y/n] y Selecting previously unselected package lkrg-dkms. (Reading database ... 78435 files and directories currently installed.) Preparing to unpack .../lkrg-dkms_0.9.1-3_all.deb ... Unpacking lkrg-dkms (0.9.1-3) ... Selecting previously unselected package lkrg. Preparing to unpack .../archives/lkrg_0.9.1-3_all.deb ... Unpacking lkrg (0.9.1-3) ... Selecting previously unselected package lkrg-systemd. Preparing to unpack .../lkrg-systemd_0.9.1-3_all.deb ... Unpacking lkrg-systemd (0.9.1-3) ... Setting up lkrg-dkms (0.9.1-3) ... Loading new lkrg-0.9.1 DKMS files... Building for 4.19.0-17-amd64 Building initial module for 4.19.0-17-amd64 Done. p_lkrg.ko: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4.19.0-17-amd64/updates/dkms/ do_depmod 4.19.0-17-amd64 DKMS: install completed. Setting up lkrg (0.9.1-3) ... Setting up lkrg-systemd (0.9.1-3) ... lkrg.service is a disabled or a static unit, not starting it. user@localhost:~$ ``` ``` user@localhost:~$ sudo apt install linux-headers-4.19.0-17-amd64 linux-image-4.19.0-17-amd64 Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: linux-headers-4.19.0-17-common linux-kbuild-4.19 Suggested packages: linux-doc-4.19 debian-kernel-handbook Recommended packages: firmware-linux-free The following packages will be upgraded: linux-headers-4.19.0-17-amd64 linux-headers-4.19.0-17-common linux-image-4.19.0-17-amd64 linux-kbuild-4.19 4 upgraded, 0 newly installed, 0 to remove and 29 not upgraded. Need to get 0 B/58.7 MB of archives. After this operation, 4,096 B of additional disk space will be used. Do you want to continue? [Y/n] (Reading database ... 78687 files and directories currently installed.) Preparing to unpack .../linux-headers-4.19.0-17-amd64_4.19.194-3_amd64.deb ... Unpacking linux-headers-4.19.0-17-amd64 (4.19.194-3) over (4.19.194-2) ... Preparing to unpack .../linux-headers-4.19.0-17-common_4.19.194-3_all.deb ... Unpacking linux-headers-4.19.0-17-common (4.19.194-3) over (4.19.194-2) ... Preparing to unpack .../linux-kbuild-4.19_4.19.194-3_amd64.deb ... Unpacking linux-kbuild-4.19 (4.19.194-3) over (4.19.194-2) ... Preparing to unpack .../linux-image-4.19.0-17-amd64_4.19.194-3_amd64.deb ... Unpacking linux-image-4.19.0-17-amd64 (4.19.194-3) over (4.19.194-2) ... Setting up linux-kbuild-4.19 (4.19.194-3) ... Setting up linux-image-4.19.0-17-amd64 (4.19.194-3) ... /etc/kernel/postinst.d/30_remove-system-map: Deleting system.map files... removed '/boot/System.map-4.19.0-17-amd64' Done. Success. /etc/kernel/postinst.d/initramfs-tools: update-initramfs: Generating /boot/initrd.img-4.19.0-17-amd64 cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning. live-boot: core filesystems devices utils udev blockdev dns. /etc/kernel/postinst.d/zz-update-grub: Generating grub configuration file ... Found linux image: /boot/vmlinuz-4.19.0-17-amd64 Found initrd image: /boot/initrd.img-4.19.0-17-amd64 Found linux image: /boot/vmlinuz-4.19.0-17-amd64 Found initrd image: /boot/initrd.img-4.19.0-17-amd64 done Setting up linux-headers-4.19.0-17-common (4.19.194-3) ... Setting up linux-headers-4.19.0-17-amd64 (4.19.194-3) ... user@localhost:~$ ```

Patrick · August 1, 2021, 5:43pm

Patrick · August 1, 2021, 5:44pm

LKRG 0.9.1 is now available in Whonix testers repository.

Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure ™ was also updated.

Patrick · August 21, 2021, 10:27am

Patrick · January 15, 2022, 6:08pm

LKRG 0.9.2 was uploaded to the testers repository just now.

Patrick · February 22, 2022, 8:34am

Now in all repositories.

VirtualBox host software compatibility · Issue #82 · lkrg-org/lkrg · GitHub

Patrick · February 26, 2022, 9:09am

github.com/lkrg-org/lkrg

Crash when computing IDT hash in old Xen PV guest

opened 12:37PM - 17 Feb 22 UTC

closed 01:18AM - 24 Feb 22 UTC

solardiz

bug

We might not care as the issue does not affect currently supported Qubes, but th…is _might_ be our bug/shortcoming affecting other systems as well, so to have it documented for later: Trying to load LKRG on (no longer supported) Qubes 3.x paravirtualized kernels in a Xen VM, based on Linux 4.9.x or 4.14.x, instantly crashes in `p_lkrg_fast_hash`. The backtraces vary - sometimes go from `init_module`, other times in interrupt context. The issue is present in current LKRG, but it's reproducible just the same even on LKRG 0.0 (although to build versions 0.4 and below for this test, I had to add a missing `#include` line - fixed in 0.5+). On Qubes OS 4.1 with a 5.10.x based kernel, also running paravirtualized, there's no issue - LKRG loads and appears to work just fine (except that it fails to locate `lookup_fast`, so `LKRG won't enforce pCFI validation on 'lookup_fast'`). For example, here's the log for current LKRG on a 4.9.x kernel: ``` [ 99.197541] [p_lkrg] Loading LKRG... [ 99.197561] [p_lkrg] System does NOT support SMEP. LKRG can't enforce SMEP validation :( [ 99.197575] [p_lkrg] System does NOT support SMAP. LKRG can't enforce SMAP validation :( [ 99.200423] Freezing user space processes ... (elapsed 0.016 seconds) done. [ 99.691510] [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-2] [ 99.691535] [p_lkrg] Can't hook 'ovl_create_or_link' function. This is expected if you are not using OverlayFS. [ 99.847945] BUG: unable to handle kernel paging request at ffff83035295e000 [ 99.847968] IP: [<ffffffffc00ff30a>] p_lkrg_fast_hash+0x7a/0x210 [p_lkrg] [ 99.848004] PGD 62 [ 99.848005] PUD 0 [ 99.848005] [ 99.848005] Oops: 0001 [#1] SMP [ 99.848005] Modules linked in: p_lkrg(O+) fuse ip6table_filter ip6_tables xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack intel_rapl x86_pkg_temp_thermal coretemp xen_netfront crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcspkr dummy_hcd udc_core xenfs xen_blkback xen_privcmd u2mfn(O) xen_blkfront [ 99.848005] CPU: 0 PID: 2469 Comm: insmod Tainted: G O 4.9.56-21.pvops.qubes.x86_64 #1 [ 99.848005] task: ffff88008eb29d80 task.stack: ffffc900022e4000 [ 99.848005] RIP: e030:[<ffffffffc00ff30a>] [<ffffffffc00ff30a>] p_lkrg_fast_hash+0x7a/0x210 [p_lkrg] [ 99.848005] RSP: e02b:ffffc900022e7b20 EFLAGS: 00010087 [ 99.848005] RAX: 76babb3a016df97c RBX: 0000000000000000 RCX: 0722faec0df5344b [ 99.848005] RDX: 66b0ad39167df362 RSI: 0000000000000000 RDI: ffff83035295e000 [ 99.848005] RBP: ffffc900022e7b40 R08: 744d97897d86513e R09: ffff83035295e000 [ 99.848005] R10: ffff88009d361400 R11: ffff83035295f000 R12: 1834f0ec13e3235f [ 99.848005] R13: ffffffffc0133000 R14: ffffffffc0128050 R15: 0000000000000001 [ 99.848005] FS: 0000706f65f09700(0000) GS:ffff880015000000(0000) knlGS:ffff880015000000 [ 99.848005] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 99.848005] CR2: ffff83035295e000 CR3: 00000000ab34f000 CR4: 0000000000042660 [ 99.848005] Stack: [ 99.848005] ffff880015018ff0 a0d8c2d23dd47253 ffff88009d361400 0000000000000000 [ 99.848005] ffffc900022e7b90 ffffffffc0108a30 a0d8c2d23dd47253 ffff880015018f80 [ 99.848005] ffff88008eb29d80 ffff83035295e000 a0d8c2d23dd47253 0000000080050033 [ 99.848005] Call Trace: [ 99.848005] [<ffffffffc0108a30>] p_dump_x86_metadata+0x70/0x520 [p_lkrg] [ 99.848005] [<ffffffffc0133000>] ? 0xffffffffc0133000 [ 99.848005] [<ffffffffc010912d>] p_dump_CPU_metadata+0xdd/0x1b0 [p_lkrg] [ 99.848005] [<ffffffff8112191f>] generic_exec_single+0xaf/0x120 [ 99.848005] [<ffffffffc010a15f>] ? p_create_database+0x7f/0x460 [p_lkrg] [ 99.848005] [<ffffffffc0109050>] ? p_uninstall_switch_idt_hook+0x80/0x80 [p_lkrg] [ 99.848005] [<ffffffff81121a5c>] smp_call_function_single+0xcc/0x130 [ 99.848005] [<ffffffff8122081d>] ? __kmalloc+0x16d/0x210 [ 99.848005] [<ffffffffc010a1e6>] p_create_database+0x106/0x460 [p_lkrg] [ 99.848005] [<ffffffffc013346c>] p_lkrg_register+0x46c/0x1000 [p_lkrg] [ 99.848005] [<ffffffffc0133000>] ? 0xffffffffc0133000 [ 99.848005] [<ffffffff81002190>] do_one_initcall+0x50/0x190 [ 99.848005] [<ffffffff811bc5bf>] ? free_hot_cold_page+0x1af/0x2b0 [ 99.848005] [<ffffffff8121f37a>] ? kmem_cache_alloc_trace+0xea/0x1d0 [ 99.848005] [<ffffffff811b230f>] ? do_init_module+0x27/0x1ee [ 99.848005] [<ffffffff811b2347>] do_init_module+0x5f/0x1ee [ 99.848005] [<ffffffff81127ed6>] load_module+0x1766/0x1b30 [ 99.848005] [<ffffffff811248b0>] ? __symbol_put+0x60/0x60 [ 99.848005] [<ffffffff8112850f>] SYSC_finit_module+0xdf/0x110 [ 99.848005] [<ffffffff8112855e>] SyS_finit_module+0xe/0x10 [ 99.848005] [<ffffffff817e1037>] entry_SYSCALL_64_fastpath+0x1a/0xa9 [ 99.848005] Code: b8 73 65 74 79 62 64 65 74 48 b9 75 65 73 70 65 6d 6f 73 48 c1 e3 38 4c 31 c8 4d 31 c4 4c 31 ca 4c 31 c1 4c 39 df 74 61 49 89 f9 <4d> 8b 11 41 b8 02 00 00 00 4c 31 d0 48 01 d1 49 01 c4 48 c1 c2 [ 99.848005] RIP [<ffffffffc00ff30a>] p_lkrg_fast_hash+0x7a/0x210 [p_lkrg] [ 99.848005] RSP <ffffc900022e7b20> [ 99.848005] CR2: ffff83035295e000 ```

Patrick · May 25, 2022, 2:07pm

LKRG 0.9.3 now in testers repository.

theoden8 · February 14, 2023, 1:58am

Linux 6.1 removes get_random_int, see github/lkrg issue 233
This was fixed for 0.9.6 with patch github/lkrg commit 2241a322316be645eb51b12bc530554bd96a77b6

Patrick · February 23, 2023, 1:17pm

LKRG 0.9.6 now in testers repository.

Patrick · November 10, 2023, 8:49pm

Patrick · November 10, 2023, 9:05pm

neo0xff · November 14, 2023, 12:03am

After some research it appears that while yes LKRG does provide good integrity, it it’s self does increase attack surface and some people raised some concerns over it.

Patrick · February 18, 2024, 10:19am

news, see this link for more information:
LKRG Deprecation in Kicksecure