From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 00/11] Kernel: Improve hardening Date: Thu, 14 Apr 2022 08:11:03 +0100 Message-ID: <4FB151A4-A8DA-4D73-8A3F-D6B146456931@ipfire.org> In-Reply-To: <19fb4d3e-4a6d-e9a3-930c-705c81355294@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7634906446391459287==" List-Id: --===============7634906446391459287== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Peter, Thank you. So for the sensors, we can keep LSM on. Cool. -Michael > On 14 Apr 2022, at 07:16, Peter M=C3=BCller wr= ote: >=20 > For the records: I spoke to Arne regarding this on the phone the other day.= He confirmed to > me that this is by no means a severe issue from his point of view, and will= check whether > firmware flashing continues to work with the hardened kernel. >=20 >> Could you please check with Arne how severe this is for the sensors? >>=20 >>> On 13 Apr 2022, at 10:18, Peter M=C3=BCller = wrote: >>>=20 >>> Hello Michael, >>>=20 >>> thanks for your e-mail. >>>=20 >>> This is caused by the kernel lockdown patch, since /dev/ports apparently = can be used to alter >>> the running kernel, hence it is no longer available if LSM runs in "integ= rity" mode. >>>=20 >>> On my testing machine, sensors and sensors-detect continue to work, but a= ny sensor that requires >>> /dev/ports access is no longer available. On my testing hardware, that do= es not make a difference, >>> but I presume it will on other hardware with more or different sensors. >>>=20 >>> sensors-detect does not implement any option to probe non-/dev/ports-sens= ors only, so I guess >>> there is nothing we can do besides a "> /dev/null 2>&1". I will change th= e collectd initscript >>> to reflect that. >>>=20 >>> Thanks, and best regards, >>> Peter M=C3=BCller >>>=20 >>>=20 >>>> Hello, >>>>=20 >>>> I don=E2=80=99t know exactly which patch is responsible for this, but /d= ev/port is no longer accessible by sensors-detect. >>>>=20 >>>> This leads to ugly messages when the system is booting up for the first = time. Please see the attached screenshot. >>>>=20 >>>> At least the message needs to be silenced, but you should investigate wh= ether sensors will still work and is able to access readings for its hardware= sensors. >>>>=20 >>>>=20 >>>>=20 >>>> -Michael >>>>=20 >>>>> On 19 Mar 2022, at 21:08, Peter M=C3=BCller wrote: >>>>>=20 >>>>> This patchset improves hardening of our Linux kernel configurations for= all >>>>> architectures. Most importantly, it features the activation of the "Lin= ux >>>>> Security Module", also known as "kernel lockdown" (a phrase coined befo= re the >>>>> pandemic), or LSM for short. >>>>>=20 >>>>> Being set to "integrity" mode for a start, LSM prevents the kernel from= being >>>>> modified by various mechanisms, of which we have some already covered. = However, >>>>> it comes as a more holistic approach, which is why enabling it is desir= able >>>>> for our userbase. >>>>>=20 >>>>> Most of this patchset is based on recommendations by the "kconfig-harde= ned-check" >>>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some = inspiration >>>>> taken directly from KSPP and grsecurity. >>>>>=20 >>>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my= own, >>>>> and my VM on the Mustang currently being offline, this patchset does no= t come >>>>> with aligned kernel rootfiles for other architectures than x86_64. I am= sorry >>>>> for any inconvenience and extra workload caused by this. >>>>>=20 >>>>> Also, for the sake of completeness, the effect of LSM on virtualisation= has not >>>>> been tested due to time constraints, and a lack of oversight _which_ vi= rtualisation >>>>> features we officially support and which we don't. In doubt, however, I= believe >>>>> the security benefit gained from LSM outweighs a partial functional los= s of >>>>> virtualisation - but that is a highly biased opinion. :-) >>>>>=20 >>>>> Peter M=C3=BCller (11): >>>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits >>>>> Kernel: Disable support for tracing block I/O actions >>>>> Kernel: Pin loading kernel files to one filesystem >>>>> Kernel: Enable undefined behaviour sanity checker >>>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities >>>>> Kernel: Enable LSM support and set security level to "integrity" >>>>> Kernel: Trigger BUG if data corruption is detected >>>>> Kernel: Do not automatically load TTY line disciplines, only if >>>>> necessary >>>>> Kernel: Enable SVA support for both Intel and AMD CPUs >>>>> Kernel: Disable function and stack tracers >>>>> Kernel: Update rootfile for x86_64 >>>>>=20 >>>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++-------- >>>>> config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++-------- >>>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++-------- >>>>> config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++---------- >>>>> config/rootfiles/common/x86_64/linux | 33 +++++++------ >>>>> 5 files changed, 131 insertions(+), 100 deletions(-) >>>>>=20 >>>>> --=20 >>>>> 2.34.1 >>>>=20 >>>>=20 >>=20 --===============7634906446391459287==--