Document expected performance impact of standard settings we use #291

Closed
AdSchellevis opened this issue Oct 30, 2020 · 6 comments

@AdSchellevis
Member

In OPNsense we have different security measures enabled by default. Since most of them don't come free (in terms of performance), it would help to document which choices people can make.
Think of Meltdown/Spectre mitigations, for example.

@AdSchellevis AdSchellevis added the feature Adding new functionality label Oct 30, 2020
@AdSchellevis AdSchellevis self-assigned this Oct 30, 2020
@lattera lattera self-assigned this Nov 2, 2020
@AdSchellevis
Member Author

AdSchellevis commented Nov 29, 2020

Some of the differences are explained in the hardening manual page (man hardening). It would probably be best if this man page got updated to include other differences as well, but for the scope of this ticket let's focus on the sysctl parameter differences between OPNsense and standard FreeBSD (knowing that not all of them are expected to impact performance).

I'm having some difficulty extracting all the differences between HBSD and stock FreeBSD (12.1), but these are the ones that stand out when comparing sysctl from both machines semi-manually:

  • Also in man hardening
    • net.inet.ip.random_id (see man page)
    • security.bsd.hardlink_check_gid
    • security.bsd.hardlink_check_uid
    • security.bsd.unprivileged_proc_debug
    • security.bsd.see_other_gids
    • security.bsd.see_other_uids
    • security.bsd.unprivileged_read_msgbuf
    • kern.randompid
    • security.bsd.unprivileged_read_msgbuf
  • not standard and not in man hardening
    • hw.ibrs_disable
    • vm.pmap.pti
    • hw.kbd.keymap_restrict_change

The values below are not equal to the ones specified in man hardening:

  • kern.msgbuf_show_timestamp (ours is default)
  • net.inet6.ip6.use_deprecated (ours is default)
  • net.inet6.ip6.use_tempaddr (ours is default)
  • net.inet6.ip6.prefer_tempaddr (ours is default)
  • security.bsd.stack_guard_page (upstream also enabled)

Our explicit changes made from within OPNsense can usually be found in system_advanced_sysctl.php; it could be an option to add these defaults as well to make these adjustments more explicit.
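
The semi-manual comparison described in the comment above can be scripted against two saved `sysctl -a` dumps. This is an added example, not code from the thread or from OPNsense or HardenedBSD; the function names, file names and every value in the sample dumps are constructed for illustration and are not the real defaults of either system.

```shell
# Compare two saved `sysctl -a` dumps; list OIDs that differ or exist on one side.
# Usage: sysctl_diff BASE_FILE OTHER_FILE [OID_REGEX]
# Output (tab-separated, sorted): OID, value in BASE, value in OTHER ("-" = absent).
sysctl_diff() {
    LC_ALL=C awk -v pfx="${3:-.}" '
        # sysctl -a prints "oid: value". Continuation lines of multi-line
        # values do not match the pattern below and are skipped.
        function parse(line,   i) {
            if (line !~ /^[A-Za-z0-9_.%-]+: /) return 0
            i = index(line, ": ")
            oid = substr(line, 1, i - 1); val = substr(line, i + 2)
            return (oid ~ pfx)
        }
        FILENAME == ARGV[1] { if (parse($0)) base[oid] = val; next }
        parse($0) {
            seen[oid] = 1
            if (!(oid in base))        printf "%s\t-\t%s\n", oid, val
            else if (base[oid] != val) printf "%s\t%s\t%s\n", oid, base[oid], val
        }
        END {
            for (o in base) if (!(o in seen)) printf "%s\t%s\t-\n", o, base[o]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample dumps (values are placeholders, not measured defaults),
# restricted to the security.bsd, hw and vm subtrees.
sysctl_diff_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/stock.txt" <<'EOF'
kern.randompid: 0
security.bsd.see_other_uids: 1
hw.ibrs_disable: 1
vm.pmap.pti: 1
kern.ostype: FreeBSD
EOF
    cat > "$d/hardened.txt" <<'EOF'
kern.randompid: 1
security.bsd.see_other_uids: 0
hw.ibrs_disable: 0
vm.pmap.pti: 1
hw.kbd.keymap_restrict_change: 4
kern.ostype: FreeBSD
EOF
    sysctl_diff "$d/stock.txt" "$d/hardened.txt" '^(security[.]bsd|hw|vm)[.]'
    rm -rf "$d"
}
sysctl_diff_demo
```

On real systems, capture the inputs with `sysctl -a > file` on each machine and pass the two files to `sysctl_diff`.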

@lattera

lattera commented Nov 29, 2020

The HardenedBSD wiki is mostly up-to-date: https://git-01.md.hardenedbsd.org/HardenedBSD/HardenedBSD/wiki

I need to make a few more updates to changes in 13-CURRENT.

@lattera

lattera commented Nov 29, 2020

The kernel-level changes that would impact performance the most would be the force-enabling of IBRS and PTI. IBRS especially can have a performance hit on network-heavy workloads.

@AdSchellevis
Member Author

@lattera thanks, I'll try to add a document on our end within a couple of weeks combining the relevant information.

@fichtner
Member

Some sort of one-click template would be nice. I fear complaints about performance won’t go away when people have to flip a number of hardening options just to get a system they think they want/need/should have despite the clear path of HardenedBSD.

@AdSchellevis
Member Author

@fichtner we could "institutionalize" it by adding an additional button on the tunables page ("less secure, more performance defaults"), which could be a next step.
