Hardened profile may be setting unsuitable kernel parameters? #90704
Comments
I marked this as stale due to inactivity.
KSPP says
Additionally, use of
I agree, there's lots of improvements that could be made here; most of the hardened kernel config is from back in the grsecurity days and out of date or even in some cases harmful (e.g. I meant to get to this years ago but at this point it seems unlikely I will any time soon. I'll try my best to review any PRs to improve the hardened profile's kernel config as I think it's an important part of its value-add.
To elaborate on the above: the parameters (that were set by me, anyway) were based on KSPP recommendations at that time and assumed a vanilla kernel. If we are now using a hardened patchset it seems prudent to also rely on their config defaults. I see no particular reason to override them (and if that is needed we should probably try to change the hardened patchset upstream first).
@8573 I'd be happy to accept a PR that updated the kernel parameters. I agree with your interpretation of "vanilla page poisoning" (I take it that the hardened patchset provides an alternative page sanitisation mechanism). I don't have bandwidth to keep up with what this patchset is doing, nor the pedigree of whatever non-vanilla mitigations the patchset provides. I think it makes sense to follow their config defaults and recommendations for parameters, if we are to use the patchset.
Not only kconfig should be improved, but hardened kernel should also switch to being built with latest clang and its options like CFI which is supported on both x86_64 and aarch64. Another good tweak in hardened profile would be bind mounting everything as noexec except from
With
Describe the bug
nixpkgs/nixos/modules/profiles/hardened.nix, lines 34 to 39 in fbb76f6
I don't know enough to say conclusively that this is a problem, but I see it said in anthraxx/linux-hardened#37 that the kernel parameters `slub_debug=P` and `page_poison=1`, which are set by the NixOS hardened profile, conflict with another parameter enabled by default by the `linux-hardened` patchset that we use as of #84522. I see that the maintainer @anthraxx in general seems to oppose these options and in particular says that "vanilla page poisoning [...] collides with the page verify code of hardened", though I don't know which option specifically is "vanilla page poisoning" (I assume `page_poison=1`).

I've read the documentation on these parameters at https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html, but I don't see anything particularly enlightening about them, so I leave it to more knowledgeable people whether this is a problem in the NixOS hardened profile.
Notify maintainers
@joachifm @emilazy
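A quick way to check which of the parameters discussed in this issue a running (or proposed) kernel command line actually carries is to parse it. The script below is an added example written for this page; it is not part of nixpkgs or the hardened profile. It reads the command line from `/proc/cmdline` (or from its first argument), extracts `slub_debug` and `page_poison`, and reports whether the combination the issue flags (SLUB poisoning via the `P` flag of `slub_debug`, together with `page_poison=1`) is present. It generalises slightly beyond the issue text by recognising the `P` flag inside a combined flag list such as `FZP` or `P,kmalloc-64`, which is how `slub_debug` is documented to accept flags. The `SAMPLE` command line is constructed for illustration, not a capture from a real system.

```shell
#!/bin/sh
# Added example: inspect a kernel command line for the page-sanitisation
# parameters discussed in the issue. Not code from nixpkgs.

# Print the value of kernel parameter $2 in command line $1 (empty if unset).
# When a parameter is repeated, the kernel uses the last one, so we do too.
cmdline_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# Return 0 if slub_debug enables poisoning, i.e. the flag list before any
# comma contains P (matches "P", "FZP" and "P,kmalloc-64"), 1 otherwise.
slub_poisoning_enabled() {
    flags=$(cmdline_param "$1" slub_debug | cut -d, -f1)
    case "$flags" in
        *P*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if page_poison=1 is present, 1 otherwise.
page_poison_enabled() {
    [ "$(cmdline_param "$1" page_poison)" = "1" ]
}

# Summarise the vanilla poisoning settings found: "both" is the combination
# the issue reports as colliding with linux-hardened's own page verification.
sanitisation_summary() {
    s=0; p=0
    slub_poisoning_enabled "$1" && s=1
    page_poison_enabled "$1" && p=1
    case "$s$p" in
        11) echo both ;;
        10) echo slub_debug-only ;;
        01) echo page_poison-only ;;
        *)  echo none ;;
    esac
}

# Constructed sample resembling a hardened-profile command line (not a real
# /proc/cmdline capture; the flag set FZP is an assumption for illustration).
SAMPLE='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 slub_debug=FZP page_poison=1 page_alloc.shuffle=1'

main() {
    cmdline=${1:-$(cat /proc/cmdline 2>/dev/null || echo "$SAMPLE")}
    echo "slub_debug=$(cmdline_param "$cmdline" slub_debug)"
    echo "page_poison=$(cmdline_param "$cmdline" page_poison)"
    echo "summary: $(sanitisation_summary "$cmdline")"
}

main "$@"
```

Run it with no arguments on a NixOS host to inspect the booted kernel, or pass a candidate command line as the first argument to check a configuration before rebuilding. A result of `both` means the vanilla poisoning parameters this issue questions are in effect alongside whatever the patchset enables by default.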