make Linux Kernel Runtime Guard (LKRG) easily available in Qubes #5461
Comments
Packaging completed. Binary deb packages exist. Above post updated.
If it helps, I can do the Fedora side of packaging and testing.
Yes, sure.
If you don't mind, I'm just assigning myself for tracking the issue for this part of the work.
I am OK with that. For me, anything that moves this forward. :) (But I am not a github admin.)
@adrelanos I've loaded the module into one of my Fedora-based qubes. Are there any particular tests I can execute to validate it works as expected? Maybe some malicious attacks or such?
I am not an expert for LKRG. Just a packager. I'd suggest to look that up upstream.
@marmarek I was thinking to do like |
This would be an especially good fit for KVM-based Qubes OS.
Yes, I think that is a good idea. It makes it more easily accessible when someone wants to use it.
I've prepared a Fedora version here: fepitre/fedora-lkrg@8ec1918. I'm waiting for feedback from Fedora/RPMFusion people on whether they are interested in having it directly in their repositories.
@fepitre It has been a while now... did they give you any feedback?
Yes, it's just me lacking time to go into the whole integration process for a new package etc. I also would like to have more feedback from Fedora user people than just packaging it for one person. I'll update to the latest version and build it with COPR soon.
Awesome!
I've built a COPR repo with version 0.9.3 https://copr.fedorainfracloud.org/coprs/fepitre/lkrg/. You can install it by doing in a Fedora VM:
You may wait a few secs and then
Try systemctl restart if it fails the first time.
@fepitre, does this mean that this issue is complete?
Not completely. For now, I can either provide it by maintaining it on a COPR repository or submitting it to the rpmfusion repositories, but the latter needs more time from me to get through the review process. That's the Fedora case. For Debian, we need to provide it so I guess we can package the whole as usual for both. @marmarek what do you think?
@fepitre Do you mind bumping the LKRG version on the COPR? It is a couple versions behind now :)
Sure. How are things going on Fedora with it?
It works okay, though annoyingly |
It's updated.
The problem you're addressing (if any)
Yet unknown, upcoming kernel vulnerabilities.
Describe the solution you'd like
Linux Kernel Runtime Guard (LKRG)
Where is the value to a user, and who might that user be?
LKRG improves the security of the kernel and therefore makes VM escapes harder.
The main argument for LKRG is that it renders whole classes of kernel exploits ineffective and makes other exploits less reliable / more difficult to write. LKRG was developed by a security professional with review from other high-profile security professionals. For references, you can read more about LKRG here:
https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG
Describe alternatives you've considered
There's no real alternative as far as I know, just hardening coming from different approaches.
Related, non-duplicate issues
Might be prudent to make this an optionally installable package at first. Then encourage wider testing. If all goes well, installation by default could be considered.