TCP ISN CPU Information Leak Protection - tirdad

2 Likes

https://github.com/0xsirus/tirdad/pull/2

1 Like

Packaging is done. Available from all Whonix repositories. Testers wanted! To install:

sudo apt update
sudo apt install tirdad

Description and package source code:

1 Like

Comparing 0.1.1-1...0.1.2-1 · Kicksecure/tirdad · GitHub

1 Like
2 Likes

Why should tirdad be loaded as early as possible? Currently tirdad is loaded before networking comes up through systemd-modules-load.service.

3 Likes

Verified in the logs: tirdad loads before sysinit. This is long before even networking-pre is reached. Systemd begins, and then almost immediately after, tirdad (and a few other modules) are inserted.
Since tirdad’s sole concern is the randomization of the ISN, there is no issue as long as it starts before a network connection is established (which it does). I do not think having it start any earlier than it does gives any advantage or benefit.

3 Likes
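The ordering check described in the post above can be repeated with a small script. This is an added example, not part of the thread or of the tirdad package. The journal message texts it matches ("Inserted module", "Reached target ... Network"), the host name and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: was the tirdad module inserted before the first network
# target was reached? Input: journal lines in short-monotonic format on stdin.
# Prints "early", "late" or "unknown"; exit status 0 only for "early".
check_tirdad_order() {
    awk '
        # The monotonic timestamp is the leading "[   1.234567]" field.
        function ts(line,    m) {
            m = line
            sub(/^\[ */, "", m)
            sub(/\].*/, "", m)
            return m + 0
        }
        # "." around the module name matches either quote style.
        /Inserted module .tirdad./ && !mod_seen { mod = ts($0); mod_seen = 1 }
        # First network-related target (network-pre or network).
        /Reached target .*[Nn]etwork/ && !net_seen { net = ts($0); net_seen = 1 }
        END {
            if (!mod_seen || !net_seen) { print "unknown"; exit 2 }
            if (mod < net) { print "early"; exit 0 }
            print "late"; exit 1
        }
    '
}

# Constructed sample boot log (not captured from a real system).
sample_boot_log() {
    cat <<'EOF'
[    1.812034] host systemd[1]: Starting Load Kernel Modules...
[    1.934570] host systemd-modules-load[251]: Inserted module 'tirdad'
[    1.941102] host systemd[1]: Started Load Kernel Modules.
[    3.502219] host systemd[1]: Reached target Network (Pre).
[    4.120877] host systemd[1]: Reached target Network.
EOF
}

# On a real system: journalctl -b -o short-monotonic | check_tirdad_order
sample_boot_log | check_tirdad_order
```

A result of "unknown" means one of the two messages was not found in the input, for example because the module was built into the kernel or the journal uses different message wording.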

Just to make sure TCP ISNs are always random no matter what.

Root could undo that, though, which isn’t good for untrusted root.

1 Like

Also, compiling tirdad in the kernel source tree will cause the module to be signed with CONFIG_MODULE_SIG_ALL so we don’t need any dkms hooks for it or anything.

Or, compiling it as built-in will make it not need to be signed at all.

If the same can be done for LKRG, only vbox additions will be left.

1 Like

Root might indeed install some package which then breaks systemd-modules-load.service or something.

1 Like
1 Like

There is a minor issue: an unwanted, confusing error message related to systemd-modules-load.service / /usr/lib/modules-load.d/30_tirdad.conf.

Setting up linux-image-4.19.0-8-amd64 (4.19.98-1) …
I: /vmlinuz is now a symlink to boot/vmlinuz-4.19.0-8-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.19.0-8-amd64
/etc/kernel/postinst.d/30_remove-system-map:
Deleting system.map files…
removed ‘/boot/System.map-4.19.0-8-amd64’
Done. Success.
/etc/kernel/postinst.d/dkms:
Job for systemd-modules-load.service failed because the control process exited with error code.
See “systemctl status systemd-modules-load.service” and “journalctl -xe” for details.
Job for systemd-modules-load.service failed because the control process exited with error code.
See “systemctl status systemd-modules-load.service” and “journalctl -xe” for details.

After APT finished however tirdad is properly installed and systemd-modules-load.service status is OK too.

It is this DKMS bug:

Added a comment:

Revert "Make newly installed modules available immediately" by seblu · Pull Request #27 · dell/dkms · GitHub

2 Likes
2 Likes