From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH 00/11] Kernel: Improve hardening Date: Thu, 14 Apr 2022 06:16:52 +0000 Message-ID: <19fb4d3e-4a6d-e9a3-930c-705c81355294@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0495468329359336778==" List-Id: --===============0495468329359336778== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable For the records: I spoke to Arne regarding this on the phone the other day. H= e confirmed to me that this is by no means a severe issue from his point of view, and will c= heck whether firmware flashing continues to work with the hardened kernel. > Could you please check with Arne how severe this is for the sensors? >=20 >> On 13 Apr 2022, at 10:18, Peter M=C3=BCller w= rote: >> >> Hello Michael, >> >> thanks for your e-mail. >> >> This is caused by the kernel lockdown patch, since /dev/ports apparently c= an be used to alter >> the running kernel, hence it is no longer available if LSM runs in "integr= ity" mode. >> >> On my testing machine, sensors and sensors-detect continue to work, but an= y sensor that requires >> /dev/ports access is no longer available. On my testing hardware, that doe= s not make a difference, >> but I presume it will on other hardware with more or different sensors. >> >> sensors-detect does not implement any option to probe non-/dev/ports-senso= rs only, so I guess >> there is nothing we can do besides a "> /dev/null 2>&1". I will change the= collectd initscript >> to reflect that. >> >> Thanks, and best regards, >> Peter M=C3=BCller >> >> >>> Hello, >>> >>> I don=E2=80=99t know exactly which patch is responsible for this, but /de= v/port is no longer accessible by sensors-detect. >>> >>> This leads to ugly messages when the system is booting up for the first t= ime. Please see the attached screenshot. >>> >>> At least the message needs to be silenced, but you should investigate whe= ther sensors will still work and is able to access readings for its hardware = sensors. >>> >>> >>> >>> -Michael >>> >>>> On 19 Mar 2022, at 21:08, Peter M=C3=BCller = wrote: >>>> >>>> This patchset improves hardening of our Linux kernel configurations for = all >>>> architectures. Most importantly, it features the activation of the "Linux >>>> Security Module", also known as "kernel lockdown" (a phrase coined befor= e the >>>> pandemic), or LSM for short. >>>> >>>> Being set to "integrity" mode for a start, LSM prevents the kernel from = being >>>> modified by various mechanisms, of which we have some already covered. H= owever, >>>> it comes as a more holistic approach, which is why enabling it is desira= ble >>>> for our userbase. >>>> >>>> Most of this patchset is based on recommendations by the "kconfig-harden= ed-check" >>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some i= nspiration >>>> taken directly from KSPP and grsecurity. >>>> >>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my = own, >>>> and my VM on the Mustang currently being offline, this patchset does not= come >>>> with aligned kernel rootfiles for other architectures than x86_64. I am = sorry >>>> for any inconvenience and extra workload caused by this. >>>> >>>> Also, for the sake of completeness, the effect of LSM on virtualisation = has not >>>> been tested due to time constraints, and a lack of oversight _which_ vir= tualisation >>>> features we officially support and which we don't. In doubt, however, I = believe >>>> the security benefit gained from LSM outweighs a partial functional loss= of >>>> virtualisation - but that is a highly biased opinion. :-) >>>> >>>> Peter M=C3=BCller (11): >>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits >>>> Kernel: Disable support for tracing block I/O actions >>>> Kernel: Pin loading kernel files to one filesystem >>>> Kernel: Enable undefined behaviour sanity checker >>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities >>>> Kernel: Enable LSM support and set security level to "integrity" >>>> Kernel: Trigger BUG if data corruption is detected >>>> Kernel: Do not automatically load TTY line disciplines, only if >>>> necessary >>>> Kernel: Enable SVA support for both Intel and AMD CPUs >>>> Kernel: Disable function and stack tracers >>>> Kernel: Update rootfile for x86_64 >>>> >>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++-------- >>>> config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++-------- >>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++-------- >>>> config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++---------- >>>> config/rootfiles/common/x86_64/linux | 33 +++++++------ >>>> 5 files changed, 131 insertions(+), 100 deletions(-) >>>> >>>> --=20 >>>> 2.34.1 >>> >>> >=20 --===============0495468329359336778==--