Updated expected grsec kernel version to 5.15.18 #6242

Merged
merged 1 commit into from
Feb 3, 2022

Contributor

@zenmonkeykstop zenmonkeykstop commented Jan 31, 2022

Status

Ready for review (requires merge of freedomofpress/securedrop-apt-test#130 before release)

Description of Changes

Fixes #6170.

Adds 5.15.18 grsec kernel, with the igc module enabled to support 11th-gen NUCs

Testing

installing via dpkg

  • provision a prod instance (hardware preferred, VMs fine)
  • grab the linux-headers-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb and linux-image-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb debs from apt-test.freedom.press.
  • transfer the kernels to app and mon
  • install via sudo dpkg -i linux-headers-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb && sudo dpkg -i linux-image-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb
  • reboot the servers

testing via metapackage

  • provision a prod VM install on latest release (2.1.0)
  • check out this branch and make build-debs
  • grab the linux-headers-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb and linux-image-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb debs from apt-test.freedom.press.
  • copy the header and image debs to securedrop/build/focal
  • use the upgrade scenario docs to upgrade the VM install using the locally-built packages.
  • reboot servers after the upgrade

validating the kernel

  • confirm that the system boots, and that uname -r returns the expected kernel
  • install paxtest and run sudo paxtest blackhat, confirm that values are comparable to previous kernels
  • grab the meltdown check script from https://meltdown.ovh and verify that the kernel is not vulnerable to known exploits.

Deployment

As this is a non-patch-level kernel change, it should be validated on all supported hardware and on as much deprecated or unofficially-supported hardware as possible. Release docs should flag the kernel change and include instructions on how to downgrade to the previous version if needed.

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner January 31, 2022 22:09
@zenmonkeykstop zenmonkeykstop added this to In Development in SecureDrop Team Board Jan 31, 2022
@zenmonkeykstop zenmonkeykstop moved this from In Development to Ready for Review in SecureDrop Team Board Jan 31, 2022
@kushaldas
Contributor

I will do one round of testing in the morning, but it will be nice to have another pair of eyes if possible.

@gonzalo-bulnes
Contributor

I installed this kernel in a fresh Ubuntu 20.04.3 NUC11 (original comment): it's looking good!

  • The enp2s0 network device is not UNCLAIMED anymore ✔️
  • sudo modinfo igc does print information of the module ✔️

My investigative skills in this area are limited, but I'm happy to dig more details given a few pointers 🙂

@zenmonkeykstop
Contributor Author

thanks @gonzalo-bulnes! the output of lspci -v would be interesting (should show that the ethernet controller is being handled by igc), as would the kernel hardening checks:

  • To use paxtest, try sudo apt-get install paxtest && sudo paxtest blackhat - if you're on the console you'll probably see some grsec messages flash up, and then you'll get a report which you can append here
  • To use @speed47's speculative execution checker script, download it with, e.g., curl -L -o melt.sh https://meltdown.ovh and run it with, e.g., sudo bash melt.sh - this will also generate a report which you can append here.

@gonzalo-bulnes
Contributor

@zenmonkeykstop (sudo) lspci -v mentions Kernel driver in use: igc for the ethernet controller ✔️

I'm getting the other ones set up.

@gonzalo-bulnes
Contributor

gonzalo-bulnes commented Feb 2, 2022

The summary for sudo bash melt.sh is all green ✔️ (I'm recording logs.)

@gonzalo-bulnes
Contributor

gonzalo-bulnes commented Feb 2, 2022

I'm not sure how to interpret the output of sudo paxtest blackhat. I'll show you the logs @zenmonkeykstop

Edit: Given this context, the paxtest output looks good. (Thanks @conorsch!) Also, on the randomization tests, there are more "quality bits" across the board when compared to this reference, which I guess is good.

@kushaldas
Contributor

paxtest blackhat result:

Test results:
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomization test     : 33 quality bits (guessed)
Heap randomization test (ET_EXEC)        : 40 quality bits (guessed)
Heap randomization test (PIE)            : 40 quality bits (guessed)
Main executable randomization (ET_EXEC)  : 33 quality bits (guessed)
Main executable randomization (PIE)      : 33 quality bits (guessed)
Shared library randomization test        : 33 quality bits (guessed)
VDSO randomization test                  : 33 quality bits (guessed)
Stack randomization test (SEGMEXEC)      : 40 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 40 quality bits (guessed)
Arg/env randomization test (SEGMEXEC)    : 44 quality bits (guessed)
Arg/env randomization test (PAGEEXEC)    : 44 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable

@zenmonkeykstop
Contributor Author

@kushaldas thank you - was that on VMs or hardware?

@conorsch
Contributor

conorsch commented Feb 3, 2022

Running through some pro-forma validation in staging VMs now. N.B. The kernel packages were already merged in freedomofpress/securedrop-apt-test#130, but without a metapackage version bump (which is included in this PR). We'll add that as part of rc1 later today.

Contributor

@conorsch conorsch left a comment

Performed the "validating the kernel" steps in staging VMs on Qubes. Worked swimmingly. Given the positive reports from those with the relevant hardware (e.g. NUC11s), I'm approving. As noted above, we'll follow up with new metapackages for apt-test as part of rc1.

@conorsch conorsch merged commit d1d09a4 into develop Feb 3, 2022
SecureDrop Team Board automation moved this from Ready for Review to Done Feb 3, 2022
@rocodes
Contributor

rocodes commented Feb 5, 2022

A little late to the party, but adding my results here for NUC7i7DNHE (Monitor server only):

Testing

installing via dpkg

  • provision a prod instance (hardware preferred, VMs fine)
  • grab the linux-headers-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb and linux-image-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb debs from apt-test.freedom.press.
  • transfer the kernels to app and mon
  • install via sudo dpkg -i linux-headers-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb && sudo dpkg -i linux-image-5.15.18-grsec-securedrop_5.15.18-grsec-securedrop-1_amd64.deb
  • reboot the servers
  • (note to past and future testers: you may have to manually select the 5.15.18 kernel from the grub menu after completing these steps, this was the case for me anyway)

validating the kernel

  • confirm that the system boots, and that uname -r returns the expected kernel
  • install paxtest and run sudo paxtest blackhat, confirm that values are comparable to previous kernels [result: (memcpy and memcpy PIE report as vulnerable, expected: see issue #1039, "Use paxtest for validating grsecurity config", issuecomment-790033219)]
  • grab the meltdown check script from https://meltdown.ovh and verify that the kernel is not vulnerable to known exploits [result: (False positive for Foreshadow SGX L1 terminal fault, expected)]

Results (attached)

meltdown_results.txt
blackhat_results.txt
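
The "comparable to previous kernels" check from the test plan can be automated by diffing a paxtest blackhat report against a baseline report. The following is an added example, not code from this PR or from SecureDrop; the names parse and check are hypothetical, and the pass criteria (executable and writable-text tests must read Killed, randomization bits must not drop below the baseline, memcpy return-to-function results are expected as noted in this thread) are assumptions of the example.

```python
import re

# Excerpt of the `paxtest blackhat` report posted in this thread (5.15.18).
REPORT = """\
Test results:
Executable heap                          : Killed
Executable stack (mprotect)              : Killed
Writable text segments                   : Killed
Heap randomization test (PIE)            : 40 quality bits (guessed)
Shared library randomization test        : 33 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
"""
# Constructed sample: the excerpt with two regressions injected.
REGRESSED = re.sub(r"(Executable heap\s+): Killed", r"\1: Vulnerable",
                   REPORT).replace("33 quality bits", "28 quality bits")

BITS = re.compile(r"(\d+) (?:quality )?bits")

def parse(report):
    """Map each test name to its result; names never contain a colon."""
    rows = {}
    for line in report.splitlines():
        name, sep, result = line.partition(":")
        if sep and result.strip():
            rows[name.strip()] = result.strip()
    return rows

def check(report, baseline):
    """Return findings; an empty list means comparable to the baseline."""
    new, old = parse(report), parse(baseline)
    findings = []
    for name, result in new.items():
        bits = BITS.search(result)
        if name.startswith(("Executable", "Writable text")):
            if result != "Killed":
                findings.append(f"{name}: {result} (expected Killed)")
        elif bits:
            prev = BITS.search(old.get(name, ""))
            if prev and int(bits.group(1)) < int(prev.group(1)):
                findings.append(f"{name}: {bits.group(1)} bits, baseline {prev.group(1)}")
        elif result == "Vulnerable" and "memcpy" not in name:
            # Assumption from the thread: the memcpy variants are expected.
            findings.append(f"{name}: Vulnerable")
    return findings + [f"{n}: missing from report" for n in old if n not in new]

if __name__ == "__main__":
    for label, rep in (("5.15.18", REPORT), ("regressed", REGRESSED)):
        print(label, check(rep, REPORT) or "comparable to baseline")
```

In practice the baseline would be a report saved from the previous kernel on the same hardware, since the randomization figures differ between machines and VMs.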

@zenmonkeykstop zenmonkeykstop deleted the update-kernel-add-5.15 branch February 9, 2022 16:13
@eaon eaon mentioned this pull request Feb 11, 2022
35 tasks
Successfully merging this pull request may close these issues.

NUC11 hardware: network device unsupported by SecureDrop custom kernel