TCP ISN CPU Information Leak Protection - tirdad

2 Likes

https://github.com/0xsirus/tirdad/pull/2

1 Like

Packing is done. Available from all Whonix repositories. Testers wanted! To install:

sudo apt update
sudo apt install tirdad

Description and package source code:

1 Like

Comparing 0.1.1-1...0.1.2-1 · Kicksecure/tirdad · GitHub

1 Like
2 Likes

Why should tirdad be loaded as early as possible? Currently tirdad is loaded before networking comes up through systemd-modules-load.service.

3 Likes

Verified in the logs, it shows tirdad loads before sysinit. This is long before even networking-pre is reached. Systemd begins, and then almost immediately after, tirdad (and a few other modules) are inserted.
Since tirdad's sole concern is the randomization of the ISN, as long as it starts before a network connection is established (which it does), there is no issue. I do not think having it start any earlier than it does gives any advantage or benefit.

3 Likes

Just to make sure TCP ISNs are always random no matter what.

Root could undo that though, which isn't good for untrusted root.

1 Like

Also, compiling tirdad in the kernel source tree will cause the module to be signed with CONFIG_MODULE_SIG_ALL so we don't need any dkms hooks for it or anything.

Or, compiling it as built-in will make it not need to be signed at all.

If the same can be done for LKRG, only vbox additions will be left.

1 Like

Root might indeed install some package which then breaks
systemd-modules-load.service or something.

1 Like
1 Like

There is a minor issue: an unwanted, confusing error message related to systemd-modules-load.service / /usr/lib/modules-load.d/30_tirdad.conf.

Setting up linux-image-4.19.0-8-amd64 (4.19.98-1) …
I: /vmlinuz is now a symlink to boot/vmlinuz-4.19.0-8-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.19.0-8-amd64
/etc/kernel/postinst.d/30_remove-system-map:
Deleting system.map files…
removed '/boot/System.map-4.19.0-8-amd64'
Done. Success.
/etc/kernel/postinst.d/dkms:
Job for systemd-modules-load.service failed because the control process exited with error code.
See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
Job for systemd-modules-load.service failed because the control process exited with error code.
See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.

After APT finished however tirdad is properly installed and systemd-modules-load.service status is OK too.

It is this DKMS bug:

Added a comment:

Revert "Make newly installed modules available immediately" by seblu · Pull Request #27 · dell/dkms · GitHub

2 Likes
2 Likes
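
The thread relies on /usr/lib/modules-load.d/30_tirdad.conf being honoured by systemd-modules-load.service and notes that root or another package could break that. The following is an added example, not code from the thread or from the tirdad package: a shell audit that reports whether that file is still effective (not overridden or masked by a same-named file in /etc or /run) and whether the module is actually loaded. The function names and the root-prefix and module-list parameters are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether tirdad is set to load at
# boot and is currently loaded. Root prefix and module list are parameters
# (hypothetical interface) so the check also works on a mounted image.

# Print the modules-load.d file that wins for a given file name.
# Search order per modules-load.d(5): /etc, then /run, then /usr/lib.
effective_conf() {
    name=$1; root=${2:-}
    for dir in etc run usr/lib; do
        f="$root/$dir/modules-load.d/$name"
        if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Succeed if the file names the module; blank lines and lines starting
# with '#' or ';' are ignored, as systemd does.
conf_lists_module() {
    awk -v m="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^[#;]/ { next }
        $0 == m { found = 1 }
        END { exit !found }' "$1"
}

# Succeed if the module appears in a /proc/modules-format list.
# A built-in (non-modular) tirdad would not appear there.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# audit_module MODULE CONF_NAME [ROOT] [MODULE_LIST] -> prints one state word.
audit_module() {
    mod=$1; root=${3:-}; list=${4:-/proc/modules}
    if ! conf=$(effective_conf "$2" "$root"); then echo "not-configured"
    elif [ ! -s "$conf" ]; then echo "masked"          # empty or -> /dev/null
    elif ! conf_lists_module "$conf" "$mod"; then echo "not-listed"
    elif ! module_loaded "$mod" "$list"; then echo "configured-not-loaded"
    else echo "ok"; fi
}

# Live system check, using the file name quoted in the thread.
audit_module tirdad 30_tirdad.conf
```

Any state other than `ok` means ISN randomization by tirdad cannot be assumed for the running kernel and is worth alerting on.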