Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DRAFT : Proposed kernel configuration improvements to enhance security #1816

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

aluciani
Copy link

I was looking at heads' kernel config (for nitropad-nv41 in my case), and I thought there might be some options that would be worth changing (“y”->“is not set”, “is not set”->“y” and some literal values).
This idea comes to me from a13xp0p0v's project kernel-hardening-checker, which aims to verify the security of a linux kernel. It's true that this project is more for server or desktop linux, but I think some options could be useful in the case of head.
I'm talking about the following options:
From "y" to "is not set" :

CONFIG_SLAB_MERGE_DEFAULT
CONFIG_MODULES
CONFIG_DEVMEM
CONFIG_LDISC_AUTOLOAD
CONFIG_FB
CONFIG_VT
CONFIG_DEVPORT
CONFIG_IO_URING
CONFIG_KCMP
~CONFIG_X86_IOPL_IOPERM //"needed by flashrom"
CONFIG_ACPI_TABLE_UPGRADE
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
~CONFIG_MAGIC_SYSRQ // "sysrq for safe belts" 
~CONFIG_MAGIC_SYSRQ_SERIAL // "sysrq for safe belts"

From to "is not set" to "y" :

CONFIG_INIT_STACK_ALL_ZERO
CONFIG_DEBUG_WX
CONFIG_X86_KERNEL_IBT
CONFIG_BUG_ON_DATA_CORRUPTION
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_SLAB_FREELIST_RANDOM
CONFIG_SHUFFLE_PAGE_ALLOCATOR
CONFIG_FORTIFY_SOURCE
CONFIG_DEBUG_SG
CONFIG_INIT_ON_ALLOC_DEFAULT_ON
CONFIG_SCHED_CORE
CONFIG_KFENCE
CONFIG_KFENCE_SAMPLE_INTERVAL
CONFIG_INIT_ON_FREE_DEFAULT_ON
CONFIG_EFI_DISABLE_PCI_DMA
CONFIG_GCC_PLUGIN_STACKLEAK
CONFIG_STACKLEAK_METRICS
CONFIG_STACKLEAK_RUNTIME_DISABLE
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
CONFIG_PAGE_TABLE_CHECK
CONFIG_PAGE_TABLE_CHECK_ENFORCED
~CONFIG_HW_RANDOM_TPM //"uneeded" ?
CONFIG_CFI_AUTO_DEFAULT
CONFIG_SECCOMP

Literal values :

CONFIG_BLK_DEV_LOOP_MIN_COUNT: from "8" to "4"
CONFIG_KFENCE_SAMPLE_INTERVAL: from "0" to "100" #With CONFIG_KFENCE
CONFIG_ARCH_MMAP_RND_BITS: from "28" to "32"
CONFIG_NR_CPUS": from "32" to "24" //After speaking with TLaurion, it seems that 32 is a default value, so as not to bother (the board with the most CPUs would have 32 cores?), setting it to 32 is just for consistency and ease.

Please note that some options are changed automatically, but only after running the command “make BOARD=nitropad-nv41 linux.prompt_for_new_config_options_for_kernel_version_bump”.
This is a draft, so I haven't checked whether it's really a problem to change the GCC version, etc, at the moment.

I'm adding a mod.md file here, which lists all the modules and linux CONFIGs required for traceability.

obviously DO NOT merge

@aluciani aluciani changed the title first draft of a kernel configuration transformation test DRAFT : Proposed kernel configuration improvements to enhance security Oct 20, 2024
tlaurion added a commit to tlaurion/heads that referenced this pull request Oct 20, 2024
…atch for qemu board

Before commiting changes here, take nv41 linux config changes and save into patch file:
git diff > patch

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tlaurion added a commit to tlaurion/heads that referenced this pull request Oct 20, 2024
…g but flashrom

Apply previous patch:
patch config/linux-qemu.config patch

Apply changes:
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=qemu-coreboot-whiptail-tpm1 linux.modify_and_save_oldconfig_in_place

Review changes, build:
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=qemu-coreboot-whiptail-tpm1

Run:
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=qemu-coreboot-whiptail-tpm1 run

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
Copy link
Collaborator

@aluciani please review superseeding PR at #1817 (applied on top of 6.1.8 kernel config unifying branch, where you can only review config/linux-nitropad-x.config under that PR, commenting on lines of the config for easier review.

@tlaurion
Copy link
Collaborator

@aluciani as noted under CI, commits unsigned fail CI at https://github.com/linuxboot/heads/pull/1816/checks?check_run_id=31787361888

@tlaurion
Copy link
Collaborator

@aluciani this is nice exercise. Wondering if https://github.com/a13xp0p0v/kernel-hardening-checker should be added under nix docker image and some self-test should be added in CI in long term to make those checks automatic and warn of security regressions, somehow.

Note that final change on nv41 linux config file can be observed directly under https://github.com/linuxboot/heads/pull/1817/files#diff-782b88c1e0e03988fb8336bd99c65310869be9f3c1e3a88a1be57bcd5ab7c4e8

Signed-off-by: Antoine Luciani <97607910+aluciani@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants