
Increased kernel hardening at boot #111

Merged
merged 21 commits into from Jul 23, 2022

Conversation


@raja-grewal raja-grewal commented Jul 12, 2022

Please refer to the existing discussion beginning at:
https://forums.whonix.org/t/kernel-hardening/7296/465

In summary:

  • Include mitigations by default against 2 additional known hardware-level CPU vulnerabilities (L1D Flushing and MMIO Stale Data).
  • Force the kernel to panic on "oopses"
  • Enforce IOMMU TLB invalidation
  • Distrust the bootloader as a source of entropy
  • Enable randomisation of the kernel stack offset on syscall entries
  • Disable slub_debug, since the kernel implicitly disables kernel pointer hashing when it is set
  • Explicitly highlight a few existing sysctl defaults

@@ -53,3 +53,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"

## Force the kernel to panic on "oopses" (which may be due to false positives)
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
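Review bot: the comment above the `oops=panic` line should spell out the trade-off rather than leaving "false positives" unexplained: with this parameter, any oops (including one caused by a benign driver bug) becomes a full kernel panic, so the line converts a recoverable fault into a reboot, and a reader deciding whether to keep it needs that stated. Since the thread notes that `/usr/libexec/security-misc/panic-on-oops` already sets the same policy via sysctl, the hunk should also note which of the two mechanisms is meant to be authoritative, or the sysctl path should be removed in the same change, so the policy is not set in two places that can drift.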
Member


Isn't this already implemented?
See:
/usr/libexec/security-misc/panic-on-oops

Contributor Author


True. I am considering removing the existing implementation, as I believe setting it at the beginning of the boot process may be more secure?

This way we do not have to rely on the configuration files being read by a user space service.

https://github.com/torvalds/linux/blob/97e9c8eb4bb1dc57859acb1338dfddbd967d7484/Documentation/admin-guide/kernel-parameters.txt#L5681-L5688
https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl

Member


I think there was a specific reason why it's done as currently implemented and not as a kernel command line parameter. It has been a while since I last re-read this discussion:
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713

Could you have a look please?
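Added example, not code from the security-misc project or from this PR: a POSIX sh check that reports which of the boot parameters from the PR summary are absent from the running kernel's command line, and whether panic-on-oops is in effect via `oops=panic` on the command line, via the `kernel.panic_on_oops` sysctl (the existing panic-on-oops script discussed above), both, or neither. The exact parameter spellings in `HARDENING_PARAMS` are assumptions taken from the upstream kernel-parameters documentation, not from this PR's diff.

```shell
#!/bin/sh
# Added example (not from security-misc): verify boot-time hardening
# from a cmdline string and a sysctl value, so it is testable offline.

# Kernel parameters the PR adds. Assumed spellings; check each against
# Documentation/admin-guide/kernel-parameters.txt for your kernel.
HARDENING_PARAMS="l1d_flush=on mmio_stale_data=full,nosmt oops=panic iommu.strict=1 random.trust_bootloader=off randomize_kstack_offset=on"

# has_param CMDLINE PARAM -> returns 0 if PARAM is a whole word of CMDLINE
has_param() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# missing_params CMDLINE -> prints each expected parameter not present
missing_params() {
    for p in $HARDENING_PARAMS; do
        has_param "$1" "$p" || printf '%s\n' "$p"
    done
}

# oops_policy CMDLINE SYSCTL_VALUE -> cmdline | sysctl | both | none
# SYSCTL_VALUE is the content of /proc/sys/kernel/panic_on_oops.
oops_policy() {
    cmd=1; has_param "$1" "oops=panic" || cmd=0
    sys=0; [ "$2" = "1" ] && sys=1
    case "$cmd$sys" in
        11) echo both ;;
        10) echo cmdline ;;
        01) echo sysctl ;;
        *)  echo none ;;
    esac
}

# Live report on the running system, only when the files are readable.
if [ -r /proc/cmdline ] && [ -r /proc/sys/kernel/panic_on_oops ]; then
    live_cmdline=$(cat /proc/cmdline)
    live_sysctl=$(cat /proc/sys/kernel/panic_on_oops)
    echo "panic_on_oops source: $(oops_policy "$live_cmdline" "$live_sysctl")"
    echo "missing boot parameters:"
    missing_params "$live_cmdline"
fi
```

A result of `both` means the command line and the user-space sysctl service set the same policy, which is the duplication the reviewer above is asking about.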

@adrelanos adrelanos merged commit bfe6b88 into Kicksecure:master Jul 23, 2022
@raja-grewal raja-grewal deleted the harden branch July 25, 2022 08:10