make Linux Kernel Runtime Guard (LKRG) easily available in Qubes

[adrelanos]

The problem you're addressing (if any)
Yet unknown, upcoming kernel vulnerabilities.

Describe the solution you'd like
Linux Kernel Runtime Guard (LKRG)

Where is the value to a user, and who might that user be?
LKRG improves the security of the kernel. Therefore makes VM escapes harder.

The main argument for LKRG being: it renders whole classes of kernel exploits ineffective, makes other exploits less reliable / more difficult to write. LKRG was developed by a security professional with review from other high profile security professionals. References for that, you can read more about LKRG here:
https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG

Describe alternatives you've considered

There's no real alternative as far as I know, just hardening coming from different approaches.

• https://github.com/Whonix/apparmor-profile-everything
• https://github.com/Whonix/hardened-vm-kernel
• https://github.com/anthraxx/linux-hardened
• Package security-misc from Whonix to Qubes #1885

Related, non-duplicate issues

• cannot compile LKRG (Linux Kernel Runtime Guard) with Qubes dom0 kernel / broken gcc plugins structleak_plugin.so latent_entropy_plugin.so #5456
• kernel-devel package have broken gcc plugin #2844
• Simplify and promote using in-vm kernel #5212

---

• HowTo: Linux Kernel Runtime Guard (LKRG) in Qubes OS Debian or Qubes-Whonix ™ VMs
• HowTo: Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code
• Upstream is supportive. Links to communications with upstream, LKRG Debian packaging progress and development discussion can be found here.
• Qubes status:
  • Works for me in Qubes Debian buster template with VM kernel. (Simplify and promote using in-vm kernel #5212)
  • Does not compile yet for me Qubes Debian buster template with dom0 kernel. Probably due to cannot compile LKRG (Linux Kernel Runtime Guard) with Qubes dom0 kernel / broken gcc plugins structleak_plugin.so latent_entropy_plugin.so #5456 / kernel-devel package have broken gcc plugin #2844. This might be fixed after upgrades.
  • Fedora templates / dom0 untested.

Might be prudent to make this an optionally installable package at first. Then encourage wider testing. If all goes well, installation by default could be considered.

[adrelanos]

Packaging completed. Binary deb packages exist. Above post updated.

• HowTo: Linux Kernel Runtime Guard (LKRG) in Qubes OS Debian or Qubes-Whonix ™ VMs
• HowTo: Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code

[fepitre]

If it helps, I can do the Fedora side of packaging and testing.

[adrelanos]

Yes, sure.

[fepitre]

If you don't mind, I'm just assigning myself for tracking the issue for this part of the work.

[adrelanos]

I am OK with that. For me, anything that moves this forward. :) (But I am not a github admin.)

[fepitre]

@adrelanos I've loaded the module into one of my Fedora based qube. Is there any particular tests I can execute to validate it works as expected? Maybe some malicious attacks or such?

[adrelanos]

I am not an expert for LKRG. Just a packager. I'd suggest to look that up upstream.

[fepitre]

@marmarek I was thinking to do like dummy-psu or dummy-backlight, having a separate component that would be built for templates (really straightforward) but including it as a submodule for linux-kernel without loading it by default. What do you think?

[DemiMarie]

This would be an especially good fit for KVM-based Qubes OS.

[marmarek]

@marmarek I was thinking to do like dummy-psu or dummy-backlight, having a separate component that would be built for templates (really straightforward) but including it as a submodule for linux-kernel without loading it by default. What do you think?

Yes, I think that is a good idea. It makes it easier accessible when someone wants to use it.

[fepitre]

I've prepared a Fedora version here: fepitre/fedora-lkrg@8ec1918. I'm waiting feedback from Fedora/RPMFusion people if they are interested to have it directly in their repositories.

[TommyTran732]

@fepitre It has been awhile now... did they give you any feedback?

[fepitre]

@fepitre It has been awhile now... did they give you any feedback?

Yes, it's just me lacking time to go into the whole integration process for a new package etc. I also would like to have more feedback from Fedora user people than just packaging it for one person. I'll update to the latest version and build it with COPR soon.

[TommyTran732]

Awesome!

[fepitre]

I've built a COPR repo with version 0.9.3 https://copr.fedorainfracloud.org/coprs/fepitre/lkrg/. You can install it by doing in a Fedora VM:

$ sudo dnf copr enable fepitre/lkrg
$ sudo dnf install lkrg-kmod

You may wait few secs and then

$ sudo systemctl start lkrg

Try systemctl restart if it fails the first time.

[andrewdavidwong]

I've built a COPR repo with version 0.9.3 https://copr.fedorainfracloud.org/coprs/fepitre/lkrg/. You can install it by doing in a Fedora VM: [...]

@fepitre, does this mean that this issue is complete?

[fepitre]

Not completely. For now, I can either provide it by maintaining it on a COPR repository or submitting on rpmfusion repositories but the latter needs me more time to get on review process. That's the Fedora case. For Debian, we need to provide it so I guess we can package the whole as usual for both. @marmarek what do you think?

[TommyTran732]

@fepitre Do you mind bumping the LKRG version on the COPR? It is a couple versions behind now :)

[fepitre]

@fepitre Do you mind bumping the LKRG version on the COPR? It is a couple versions behind now :)

Sure. How things are going on Fedora with it?

[TommyTran732]

@fepitre Do you mind bumping the LKRG version on the COPR? It is a couple versions behind now :)

Sure. How things are going on Fedora with it?

It works okay, though annoyingly dnf copr does not automatically get proxied through http://127.0.0.1:8082 in the template VM

[fepitre]

It's updated.