linuxPackages{,_latest,_next}_hardened_ia32Emulation: init #81943

Closed

Conversation

@emilazy
Member

emilazy commented Mar 7, 2020

Motivation for this change

These are variants of the hardened kernels that leave 32-bit x86
emulation enabled. Though it increases the attack surface, they're
relatively well-trodden code paths, and since I know people currently
sometimes opt for the vanilla kernel in lieu of a hardened one that lets
them continue using Wine, Steam, etc., in practice it'll offer people a
net benefit to security.

Resolves #79798.

@GrahamcOfBorg build linuxPackages_latest_hardened_ia32Emulation

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@emilazy emilazy requested a review from joachifm as a code owner Mar 7, 2020
@emilazy
Member Author

emilazy commented Mar 7, 2020

cc @Luis-Hebendanz @yegortimoshenko who 'd the issue :)

Member

yegortimoshenko left a comment

Binary emulation does increase attack surface, so another kernel build seems to make sense. Note the new hardenedLinuxPackagesFor function signature.

@emilazy
Member Author

emilazy commented Mar 7, 2020

@GrahamcOfBorg build linux_latest_hardened_ia32Emulation

@emilazy
Member Author

emilazy commented Mar 7, 2020

Should these packages be blacklisted on aarch64? It looks like it might be cross-compiling or something?

@Mic92
Contributor

Mic92 commented Mar 7, 2020

I am against adding even more kernel package variants, since it increases the amount of kernels I need to test when changing kernel options or adding new kernel modules. cc @NeQuissimus @joachifm. I would very much prefer if you can decide what options to enable in the hardened profile, or hide this option from being built on nixpkgs-review/hydra.

@joachifm
Contributor

joachifm commented Mar 7, 2020

When the hardened kernel and profile were first added, the idea was to enable as many mitigations as possible, even to the detriment of features and performance. Now, I'll grant that there's plenty of room for reasonable disagreement about what an acceptable loss of performance/features is versus hardening, but I for one consider breaking proprietary applications and drivers acceptable.

If we could control this feature at boot or runtime, it'd be a no-brainer to make it available and leave it for the admin to decide. Deferring to the admin is my preferred approach for a distro kernel, but in cases where you have to make a yes/no decision at compile time, I think the hardened config must err on the side of hardening.

In any case, I agree with @Mic92 that adding 3 additional package sets to accommodate a single option is probably too much. I think the community has to decide what hardened is supposed to mean and instead adjust the main hardened config accordingly.

@yegortimoshenko
Member

yegortimoshenko commented Mar 7, 2020

> If we could control this feature at boot or runtime, it'd be a no-brainer to make it available and leave it for the admin to decide.

Unfortunately, it seems to be compile time only :(

> Now, I'll grant that there's plenty of room for reasonable disagreement about what an acceptable loss of performance/features is versus hardening, but I for one consider breaking proprietary applications and drivers acceptable.

Counterargument: not having it enabled was also a source of a few issue reports before #79798, namely #30702, #51097 (comment), #58240, #67577.

A few other distributions that do ship an optional hardened kernel package also have IA32 emulation enabled:
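Since the comments above establish that IA32 emulation is a compile-time decision, the only thing an admin can do at runtime is check which way their booted kernel was built. The POSIX shell script below is an added example (not code from this PR or from nixpkgs): a small kconfig parser, general over any CONFIG_ symbol, applied to CONFIG_IA32_EMULATION and the related CONFIG_COMPAT and CONFIG_X86_X32 options, plus a helper that reads the running kernel's config from /proc/config.gz or /boot/config-<release>. The two sample configs are constructed for the demonstration; the "-hardened" local version string and the exact option set in them are assumptions, not copied from the nixpkgs hardened config.

```shell
#!/bin/sh
# Added example (not code from the PR or from nixpkgs): audit a kernel
# configuration for the 32-bit x86 emulation decision discussed above.
# running_kernel_config assumes a Linux host; the parser itself works on
# any kconfig text, including the constructed samples below.

# kconfig_state FILE SYMBOL
# Prints the state of one kconfig symbol exactly as the config records it:
#   y / m            -> built in / module
#   n                -> "# SYMBOL is not set"
#   absent           -> the symbol does not appear at all
#   anything else    -> string or integer valued option, printed verbatim
kconfig_state() {
    file=$1
    sym=$2
    line=$(grep -E "^(# )?${sym}( is not set|=)" "$file" | head -n 1)
    case $line in
        "${sym}=y")             echo y ;;
        "${sym}=m")             echo m ;;
        "# ${sym} is not set")  echo n ;;
        "")                     echo absent ;;
        *)                      echo "${line#*=}" ;;
    esac
}

# ia32_emulation_enabled FILE -> exit status 0 iff CONFIG_IA32_EMULATION=y
ia32_emulation_enabled() {
    [ "$(kconfig_state "$1" CONFIG_IA32_EMULATION)" = y ]
}

# compat_report FILE -> one line per option governing 32-bit userland support
compat_report() {
    for sym in CONFIG_IA32_EMULATION CONFIG_COMPAT CONFIG_X86_X32; do
        printf '%-24s %s\n' "$sym" "$(kconfig_state "$1" "$sym")"
    done
}

# running_kernel_config -> the booted kernel's config on stdout, read from
# /proc/config.gz (requires CONFIG_IKCONFIG_PROC) or /boot/config-<release>
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "kernel config not exposed; no /proc/config.gz or /boot/config-$(uname -r)" >&2
        return 1
    fi
}

# Constructed samples (assumed content, not the real nixpkgs config): the
# relevant fragment of a config that disables emulation, as a hardened build
# would, and of one that leaves it on.
sample_hardened=$(mktemp)
sample_emulation=$(mktemp)
trap 'rm -f "$sample_hardened" "$sample_emulation"' EXIT
cat > "$sample_hardened" <<'EOF'
CONFIG_X86_64=y
# CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32 is not set
CONFIG_LOCALVERSION="-hardened"
EOF
cat > "$sample_emulation" <<'EOF'
CONFIG_X86_64=y
CONFIG_IA32_EMULATION=y
CONFIG_COMPAT=y
# CONFIG_X86_X32 is not set
EOF

echo "== constructed hardened config =="
compat_report "$sample_hardened"
echo "== constructed config with emulation =="
compat_report "$sample_emulation"
```

To audit a live machine, pipe the booted kernel's config through the same parser: `running_kernel_config > /tmp/cfg && compat_report /tmp/cfg`. The parser matches the full symbol followed by `=` or ` is not set`, so CONFIG_COMPAT does not accidentally match CONFIG_COMPAT_VDSO or similar longer names.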

@joachifm
Contributor

joachifm commented Mar 7, 2020

I propose opening a new PR that updates the hardened-config and leave it open for a bit to let interested parties vote on it. I still think it's inappropriate despite what arch and alpine do, but if users want it then that's fine I guess.

emilazy added a commit to emilazy/nixpkgs that referenced this pull request Mar 7, 2020
emilazy added a commit to emilazy/nixpkgs that referenced this pull request Mar 7, 2020
@emilazy
Member Author

emilazy commented Mar 7, 2020

Closing in favour of #82006.

@emilazy emilazy closed this Mar 7, 2020
dtzWill added a commit to dtzWill/nixpkgs that referenced this pull request Mar 15, 2020
Per discussion in NixOS#81943.

Resolves NixOS#79798.

(cherry picked from commit b628400)
@emilazy emilazy deleted the emilazy:add-linux-hardened-ia32-emulation branch May 8, 2020
4 participants