
nixos: allow customizing the kernel RANDSTRUCT seed #53826

Merged
merged 2 commits into NixOS:master from delroth:randstruct-custom-seed Apr 16, 2019

@delroth (Contributor) commented Jan 12, 2019

Motivation for this change

See #53592. RANDSTRUCT is designed to make kernel exploitation harder through diversification of the builds. Allowing users to set their own RANDSTRUCT seed differentiates their kernel build from the rest of the NixOS hardened users. In a multi-host deployment this can also be used to deploy differently seeded builds on each machine.

I was torn on whether to put this in boot/kernel.nix or create a new module in security/ for the option -- in the end I decided on boot/kernel.nix because it makes the implementation much simpler, but I'm definitely open to the "new module" option too if someone has a strong opinion about this.

Still a NixOS noob, not sure if this is the right way to do things. Let me know!

@joachifm @NeQuissimus fyi

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@joachifm (Contributor) commented Jan 12, 2019

Nit: Exposing such a specialized feature in the general interface may seem a little ad-hoc.
Are we certain that the seed is only ever used for randstruct? If not, I could see adding it to the general interface, otherwise I'd prefer having this under the hardened module namespace.

@@ -67,6 +68,19 @@ in
description = "A list of additional patches to apply to the kernel.";
};

boot.kernel.randstructSeed = mkOption {
type = types.str;
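Review bot: `boot.kernel.randstructSeed` is declared as a bare `types.str`, so whatever value a user writes here is interpolated verbatim into the kernel derivation and ends up in the world-readable /nix/store and in the system closure of every machine that builds or deploys that kernel; the option's description should state this exposure, and should also tell users to generate the seed from a CSPRNG (for example /dev/urandom) rather than pick a memorable string, since a guessable seed hands the randomized layout back to an attacker. If the intent is to let people share configurations without the seed, a path-typed option read at build time does not change the store exposure, only the repository exposure, and the description should say which of the two it solves.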

@joachifm (Contributor) commented Jan 12, 2019 on the diff

It'd be neat to be able to read the seed from a file instead (e.g., if I want to share my config but not the seed)
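The per-host deployment described in the PR description and the read-the-seed-from-a-file idea above, written out as an added NixOS module. This is example code, not part of this PR or of nixpkgs; it assumes only the `boot.kernel.randstructSeed` string option the diff adds. The secret file path `/etc/nixos/secrets/randstruct-seed`, the `hostSeed` derivation and the assertion are illustrative choices.

```nix
# Added example (not code from the PR or nixpkgs): one unpredictable,
# per-host RANDSTRUCT seed for a multi-host deployment, with the secret
# material kept outside the shared configuration repository.
#
# Create the secret once, from a CSPRNG, on the machine that evaluates
# the configuration (hypothetical path):
#   head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' \
#     > /etc/nixos/secrets/randstruct-seed
{ config, lib, pkgs, ... }:

let
  # Hypothetical location; keep this file out of version control so the
  # rest of the configuration can be published without the seed.
  seedSecretFile = /etc/nixos/secrets/randstruct-seed;

  # Read the secret at evaluation time. Guarding with pathExists turns a
  # missing file into the readable assertion below instead of an
  # evaluation error.
  seedSecret =
    if builtins.pathExists seedSecretFile
    then lib.removeSuffix "\n" (builtins.readFile seedSecretFile)
    else "";

  # Derive a distinct 64-hex-character seed per machine. Mixing in the
  # secret is what keeps it unpredictable: hashing the hostname alone
  # would let anyone who knows the hostname reproduce the layout.
  hostSeed = builtins.hashString "sha256"
    "${seedSecret}:${config.networking.hostName}";
in
{
  assertions = [
    {
      assertion = seedSecret != "";
      message = "RANDSTRUCT seed secret ${toString seedSecretFile} is missing or empty";
    }
  ];

  # RANDSTRUCT is only compiled in for nixpkgs' hardened kernels, so the
  # seed has no effect on the default kernel.
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;

  # The option this PR adds; each host evaluates to its own value.
  boot.kernel.randstructSeed = hostSeed;
}
```

Two caveats follow from how the option works. The derived seed is still interpolated into the kernel derivation, so it is present in /nix/store on every machine that builds or receives that kernel; this module keeps the secret out of the repository, not out of the store. And because the seed changes the derivation, every host builds its own kernel instead of fetching one from the binary cache, and out-of-tree modules must be built against that host's kernel, since the kernel folds a hash of the seed into module vermagic and refuses modules built with a different one.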

@joachifm (Contributor) commented Jan 12, 2019

If you don't want to create a new module, there's security/misc

delroth added some commits Jan 12, 2019

@delroth delroth force-pushed the delroth:randstruct-custom-seed branch from 0fd0d3a to 8769d2d Jan 24, 2019

@joachifm (Contributor) commented Apr 15, 2019

@GrahamcOfBorg build linux_latest_hardened linux linux_latest

@joachifm (Contributor) commented Apr 15, 2019

@GrahamcOfBorg test hardened

@joachifm joachifm merged commit d7da5e2 into NixOS:master Apr 16, 2019

14 of 15 checks passed

linux, linux_latest, linux_latest_hardened on x86_64-darwin: No attempt
grahamcofborg-eval: ^.^!
grahamcofborg-eval-check-maintainers: matching changed paths to changed attrs...
grahamcofborg-eval-check-meta: config.nix: checkMeta = true
grahamcofborg-eval-nixos-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
grahamcofborg-eval-nixos-options: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
grahamcofborg-eval-nixpkgs-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
grahamcofborg-eval-nixpkgs-tarball: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
grahamcofborg-eval-nixpkgs-unstable-jobset: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
grahamcofborg-eval-package-list: nix-env -qa --json --file .
grahamcofborg-eval-package-list-no-aliases: nix-env -qa --json --file . --arg config { allowAliases = false; }
linux, linux_latest, linux_latest_hardened on aarch64-linux: Success
linux, linux_latest, linux_latest_hardened on x86_64-linux: Success
tests.hardened on aarch64-linux: Success
tests.hardened on x86_64-linux: Success