[PATCH 00/11] Kernel: Improve hardening

[PATCH 00/11] Kernel: Improve hardening

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2483 bytes --]

This patchset improves hardening of our Linux kernel configurations for all
architectures. Most importantly, it features the activation of the "Linux
Security Module", also known as "kernel lockdown" (a phrase coined before the
pandemic), or LSM for short.

Being set to "integrity" mode for a start, LSM prevents the kernel from being
modified by various mechanisms, of which we have some already covered. However,
it comes as a more holistic approach, which is why enabling it is desirable
for our userbase.

Most of this patchset is based on recommendations by the "kconfig-hardened-check"
tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
taken directly from KSPP and grsecurity.

Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
and my VM on the Mustang currently being offline, this patchset does not come
with aligned kernel rootfiles for other architectures than x86_64. I am sorry
for any inconvenience and extra workload caused by this.

Also, for the sake of completeness, the effect of LSM on virtualisation has not
been tested due to time constraints, and a lack of oversight _which_ virtualisation
features we officially support and which we don't. In doubt, however, I believe
the security benefit gained from LSM outweighs a partial functional loss of
virtualisation - but that is a highly biased opinion. :-)

Peter Müller (11):
  Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  Kernel: Disable support for tracing block I/O actions
  Kernel: Pin loading kernel files to one filesystem
  Kernel: Enable undefined behaviour sanity checker
  Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  Kernel: Enable LSM support and set security level to "integrity"
  Kernel: Trigger BUG if data corruption is detected
  Kernel: Do not automatically load TTY line disciplines, only if
    necessary
  Kernel: Enable SVA support for both Intel and AMD CPUs
  Kernel: Disable function and stack tracers
  Kernel: Update rootfile for x86_64

 config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
 config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
 config/rootfiles/common/x86_64/linux       | 33 +++++++------
 5 files changed, 131 insertions(+), 100 deletions(-)

-- 
2.34.1

[PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2672 bytes --]

This follows a recommendation by ClipOS, making ASLR bypassing attempts
harder.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 6728fa7f3..4205aa5bc 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
-CONFIG_ARCH_MMAP_RND_BITS=18
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index d8482de92..ef36b8e22 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=8
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
 CONFIG_CLONE_BACKWARDS=y
 CONFIG_OLD_SIGSUSPEND3=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 73911b2ab..d8045c15c 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
-CONFIG_ARCH_MMAP_RND_BITS=18
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
 CONFIG_CLONE_BACKWARDS=y
 CONFIG_COMPAT_32BIT_TIME=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0f322826e..b14815545 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
-- 
2.34.1

Re: [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3025 bytes --]

I feel we have talked about this on multiple occasions, yet it never made its way into the repository.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This follows a recommendation by ClipOS, making ASLR bypassing attempts
> harder.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 6728fa7f3..4205aa5bc 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
> CONFIG_MODULES_USE_ELF_RELA=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> -CONFIG_ARCH_MMAP_RND_BITS=18
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
> CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index d8482de92..ef36b8e22 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> CONFIG_HAVE_EXIT_THREAD=y
> -CONFIG_ARCH_MMAP_RND_BITS=8
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
> CONFIG_CLONE_BACKWARDS=y
> CONFIG_OLD_SIGSUSPEND3=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 73911b2ab..d8045c15c 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
> CONFIG_MODULES_USE_ELF_RELA=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> -CONFIG_ARCH_MMAP_RND_BITS=18
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
> CONFIG_CLONE_BACKWARDS=y
> CONFIG_COMPAT_32BIT_TIME=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0f322826e..b14815545 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> CONFIG_HAVE_EXIT_THREAD=y
> -CONFIG_ARCH_MMAP_RND_BITS=28
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
> CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
> CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
> -- 
> 2.34.1

[PATCH 02/11] Kernel: Disable support for tracing block I/O actions

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2640 bytes --]

This is not needed on IPFire systems, and grsecurity recommends to turn
this off.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 4205aa5bc..35c249253 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index ef36b8e22..5b4ff8e20 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_PROFILE_ALL_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index d8045c15c..d4c0e0451 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b14815545..8b525ef89 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-- 
2.34.1

Re: [PATCH 02/11] Kernel: Disable support for tracing block I/O actions

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2898 bytes --]

Agreed.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This is not needed on IPFire systems, and grsecurity recommends to turn
> this off.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 4205aa5bc..35c249253 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index ef36b8e22..5b4ff8e20 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> # CONFIG_PROFILE_ALL_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index d8045c15c..d4c0e0451 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b14815545..8b525ef89 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -- 
> 2.34.1

[PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2942 bytes --]

This can be safely enabled on IPFire, as we never swap filesystems
during runtime.

Fixes: #12432

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 3 ++-
 config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
 config/kernel/kernel.config.riscv64-ipfire | 3 ++-
 config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 35c249253..d9179c061 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 5b4ff8e20..522278160 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index d4c0e0451..ebb830eb7 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8b525ef89..675c3ce1e 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-- 
2.34.1

Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

[Arne Fitzenreiter]

[-- Attachment #1: Type: text/plain, Size: 3313 bytes --]

At my knowledge enforce loadpin is incompatible with initramfs.
https://lwn.net/Articles/682302/

Also we have some older installations that have a seperate /var 
partition and /lib/firmware was moved to /var/lib/firmware
so i think we cannot apply this!

Arne


Am 2022-03-19 22:09, schrieb Peter Müller:
> This can be safely enabled on IPFire, as we never swap filesystems
> during runtime.
> 
> Fixes: #12432
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
>  config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>  config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>  config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>  config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>  4 files changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index 35c249253..d9179c061 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire
> b/config/kernel/kernel.config.armv6l-ipfire
> index 5b4ff8e20..522278160 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire
> b/config/kernel/kernel.config.riscv64-ipfire
> index d4c0e0451..ebb830eb7 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 8b525ef89..675c3ce1e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set

Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3850 bytes --]

Hello,

> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
> 
> At my knowledge enforce loadpin is incompatible with initramfs.
> https://lwn.net/Articles/682302/

I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.

> Also we have some older installations that have a seperate /var partition and /lib/firmware was moved to /var/lib/firmware
> so i think we cannot apply this!

The firmware currently is in /lib/firmware and since we have now a way to compress it, there is no need to move it any more. That should allow us enabling this switch.

Best,
-Michael

> Arne
> 
> 
> Am 2022-03-19 22:09, schrieb Peter Müller:
>> This can be safely enabled on IPFire, as we never swap filesystems
>> during runtime.
>> Fixes: #12432
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>> 4 files changed, 8 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>> b/config/kernel/kernel.config.aarch64-ipfire
>> index 35c249253..d9179c061 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>> b/config/kernel/kernel.config.armv6l-ipfire
>> index 5b4ff8e20..522278160 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>> b/config/kernel/kernel.config.riscv64-ipfire
>> index d4c0e0451..ebb830eb7 100644
>> --- a/config/kernel/kernel.config.riscv64-ipfire
>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>> b/config/kernel/kernel.config.x86_64-ipfire
>> index 8b525ef89..675c3ce1e 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set

Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

[alf]

[-- Attachment #1: Type: text/plain, Size: 5027 bytes --]

Den 2022-03-21 19:50, skrev Michael Tremer:
> Hello,
> 
>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
>> 
>> At my knowledge enforce loadpin is incompatible with initramfs.
>> https://lwn.net/Articles/682302/
> 
> I cannot find that being mentioned in this article. And I am not sure
> whether the initramdisk counts as its own file system.
> 

Quoting what I think is the relevant section from the article
"
The current module is also likely to run into trouble on systems that 
boot with an initramfs image; the first modules will almost certainly be 
loaded from that image (that's why it exists, usually), causing loads to 
be pinned to a temporary filesystem that will go away at the end of the 
bootstrap process. In the current patch, if the filesystem to which 
loading is pinned disappears, loading of files will be disabled entirely 
— behavior that makes sense, but which may not lead to the desired 
results in an initramfs setting.
"

And a somewhat related discussion
https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

And a patch to the kernel, which I could not figure out if has been 
merged
https://lkml.org/lkml/2021/4/8/1446
But it does not seem to be merged to me
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c

Alf

>> Also we have some older installations that have a seperate /var 
>> partition and /lib/firmware was moved to /var/lib/firmware
>> so i think we cannot apply this!
> 
> The firmware currently is in /lib/firmware and since we have now a way
> to compress it, there is no need to move it any more. That should
> allow us enabling this switch.
> 
> Best,
> -Michael
> 
>> Arne
>> 
>> 
>> Am 2022-03-19 22:09, schrieb Peter Müller:
>>> This can be safely enabled on IPFire, as we never swap filesystems
>>> during runtime.
>>> Fixes: #12432
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>>> 4 files changed, 8 insertions(+), 4 deletions(-)
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>>> b/config/kernel/kernel.config.aarch64-ipfire
>>> index 35c249253..d9179c061 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>>> b/config/kernel/kernel.config.armv6l-ipfire
>>> index 5b4ff8e20..522278160 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>>> b/config/kernel/kernel.config.riscv64-ipfire
>>> index d4c0e0451..ebb830eb7 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>>> b/config/kernel/kernel.config.x86_64-ipfire
>>> index 8b525ef89..675c3ce1e 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set

Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 6053 bytes --]

Hello,

Hmm, Peter confirmed to me that this works on the kernel he built.

> On 21 Mar 2022, at 20:24, alf(a)i100.no wrote:
> 
> Den 2022-03-21 19:50, skrev Michael Tremer:
>> Hello,
>>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
>>> At my knowledge enforce loadpin is incompatible with initramfs.
>>> https://lwn.net/Articles/682302/
>> I cannot find that being mentioned in this article. And I am not sure
>> whether the initramdisk counts as its own file system.
> 
> Quoting what I think is the relevant section from the article
> "
> The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting.
> "

Thank you for helping me finding the correct paragraph.

> And a somewhat related discussion
> https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

I generally do agree that it does not make a lot of sense for kernel modules to have this enabled. We sign our kernel modules anyways which means that we do not need to trust the filesystem we load them from. However, there is some benefit here for firmware and other files the kernel loads. Those have no protection, and we can slightly mitigate any attacks here. How likely is this? Very unlikely, but still we can protect ourselves against them.

So this means that we potentially cannot enable the ENFORCE mode. But we can boot up the system and very early in the boot process set the loadpin sysctl so that any other file systems being mounted after that point can be used to load any files into the kernel.

@Peter: Would you please change the patch?

-Michael

> And a patch to the kernel, which I could not figure out if has been merged
> https://lkml.org/lkml/2021/4/8/1446
> But it does not seem to be merged to me
> https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c
> 
> Alf
> 
>>> Also we have some older installations that have a seperate /var partition and /lib/firmware was moved to /var/lib/firmware
>>> so i think we cannot apply this!
>> The firmware currently is in /lib/firmware and since we have now a way
>> to compress it, there is no need to move it any more. That should
>> allow us enabling this switch.
>> Best,
>> -Michael
>>> Arne
>>> Am 2022-03-19 22:09, schrieb Peter Müller:
>>>> This can be safely enabled on IPFire, as we never swap filesystems
>>>> during runtime.
>>>> Fixes: #12432
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>>>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>>>> 4 files changed, 8 insertions(+), 4 deletions(-)
>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>>>> b/config/kernel/kernel.config.aarch64-ipfire
>>>> index 35c249253..d9179c061 100644
>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>>>> b/config/kernel/kernel.config.armv6l-ipfire
>>>> index 5b4ff8e20..522278160 100644
>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>>>> b/config/kernel/kernel.config.riscv64-ipfire
>>>> index d4c0e0451..ebb830eb7 100644
>>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>>>> b/config/kernel/kernel.config.x86_64-ipfire
>>>> index 8b525ef89..675c3ce1e 100644
>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set

[PATCH 04/11] Kernel: Enable undefined behaviour sanity checker

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3712 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++-
 config/kernel/kernel.config.armv6l-ipfire  | 13 ++++++++++++-
 config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
 config/kernel/kernel.config.x86_64-ipfire  | 13 ++++++++++++-
 4 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index d9179c061..b2ef43e51 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 522278160..13326a29c 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 # CONFIG_DEBUG_FS_ALLOW_NONE is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ebb830eb7..fa4ee46fa 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y
 CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 675c3ce1e..e6a03a9e5 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_ARCH_KCSAN=y
 CONFIG_HAVE_KCSAN_COMPILER=y
 # CONFIG_KCSAN is not set
-- 
2.34.1

Re: [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 4207 bytes --]

Hello,

The documentation for this says that CONFIG_UBSAN_SANITIZE_ALL will massively increase the size of the kernel.

How much is this? A larger kernel generally means slower execution. Did you perform any benchmarks?

> On 19 Mar 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++-
> config/kernel/kernel.config.armv6l-ipfire  | 13 ++++++++++++-
> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> config/kernel/kernel.config.x86_64-ipfire  | 13 ++++++++++++-
> 4 files changed, 48 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index d9179c061..b2ef43e51 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 522278160..13326a29c 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> # CONFIG_DEBUG_FS_ALLOW_NONE is not set
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index ebb830eb7..fa4ee46fa 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y
> CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 675c3ce1e..e6a03a9e5 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_ARCH_KCSAN=y
> CONFIG_HAVE_KCSAN_COMPILER=y
> # CONFIG_KCSAN is not set
> -- 
> 2.34.1

[PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2582 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b2ef43e51..b485c2fb6 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 13326a29c..98b554d91 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index fa4ee46fa..b595ae8cd 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index e6a03a9e5..b325feb1d 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
-- 
2.34.1

Re: [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2895 bytes --]

Where is this whitelist defined then?

We use setuid and I would assume that this change will break all misc-progs.

-Michael

> On 19 Mar 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b2ef43e51..b485c2fb6 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 13326a29c..98b554d91 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index fa4ee46fa..b595ae8cd 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index e6a03a9e5..b325feb1d 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> -- 
> 2.34.1

[PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity"

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3399 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 6 +++++-
 config/kernel/kernel.config.armv6l-ipfire  | 6 +++++-
 config/kernel/kernel.config.riscv64-ipfire | 6 +++++-
 config/kernel/kernel.config.x86_64-ipfire  | 6 +++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b485c2fb6..356d9051d 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 98b554d91..9dab473d4 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index b595ae8cd..adef88dc9 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b325feb1d..222b2dc53 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
-- 
2.34.1

Re: [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity"

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3698 bytes --]

This looks good to me.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 6 +++++-
> config/kernel/kernel.config.armv6l-ipfire  | 6 +++++-
> config/kernel/kernel.config.riscv64-ipfire | 6 +++++-
> config/kernel/kernel.config.x86_64-ipfire  | 6 +++++-
> 4 files changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b485c2fb6..356d9051d 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 98b554d91..9dab473d4 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index b595ae8cd..adef88dc9 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b325feb1d..222b2dc53 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> -- 
> 2.34.1

[PATCH 07/11] Kernel: Trigger BUG if data corruption is detected

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3081 bytes --]

Since we cannot trust the kernel to do the right thing (tm) in such a
situation anymore, triggering a BUG is less bad than running on a kernel
in an undefined state.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 4 ++--
 config/kernel/kernel.config.armv6l-ipfire  | 4 ++--
 config/kernel/kernel.config.riscv64-ipfire | 4 ++--
 config/kernel/kernel.config.x86_64-ipfire  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 356d9051d..06379d544 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 9dab473d4..68e37304a 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index adef88dc9..8cec9a200 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 222b2dc53..0c6731bd1 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
-- 
2.34.1

Re: [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3561 bytes --]

I don’t quite follow what the benefit of this is.

The kernel would log something. That is it. Not bad, but I don’t see how this would help.

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Since we cannot trust the kernel to do the right thing (tm) in such a
> situation anymore, triggering a BUG is less bad than running on a kernel
> in an undefined state.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 4 ++--
> config/kernel/kernel.config.armv6l-ipfire  | 4 ++--
> config/kernel/kernel.config.riscv64-ipfire | 4 ++--
> config/kernel/kernel.config.x86_64-ipfire  | 4 ++--
> 4 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 356d9051d..06379d544 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y

Why did this have to be changed? CONFIG_BUG_ON_DATA_CORRUPTION does not depends on this as far as I can see.

> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 9dab473d4..68e37304a 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index adef88dc9..8cec9a200 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 222b2dc53..0c6731bd1 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> -- 
> 2.34.1

[PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2166 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 06379d544..0fcbed4a2 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 68e37304a..468c74112 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 8cec9a200..de975e3f0 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0c6731bd1..0b9c79209 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
-- 
2.34.1

Re: [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2450 bytes --]

This patch has been submitted so many times. *Please* make sure it is not going over my table again.

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 06379d544..0fcbed4a2 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 68e37304a..468c74112 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 8cec9a200..de975e3f0 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0c6731bd1..0b9c79209 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> -- 
> 2.34.1

[PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1406 bytes --]

Since running virtual machines is one of our legitimate use cases, it
makes sense to provide Qemu with the ability of taking advantage of
IOMMU support for safer virtuall memory allocation, if available.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.x86_64-ipfire | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0b9c79209..42275d26f 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m
 CONFIG_INTEL_IDXD_BUS=m
 CONFIG_INTEL_IDXD=m
 # CONFIG_INTEL_IDXD_COMPAT is not set
+# CONFIG_INTEL_IDXD_SVM is not set
 # CONFIG_INTEL_IDXD_PERFMON is not set
 CONFIG_INTEL_IOATDMA=m
 CONFIG_PLX_DMA=m
@@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
 # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 CONFIG_IOMMU_DMA=y
+CONFIG_IOMMU_SVA_LIB=y
 CONFIG_AMD_IOMMU=y
-# CONFIG_AMD_IOMMU_V2 is not set
+CONFIG_AMD_IOMMU_V2=y
 CONFIG_DMAR_TABLE=y
 CONFIG_INTEL_IOMMU=y
-# CONFIG_INTEL_IOMMU_SVM is not set
+CONFIG_INTEL_IOMMU_SVM=y
 # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
 CONFIG_INTEL_IOMMU_FLOPPY_WA=y
 # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
-- 
2.34.1

Re: [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1608 bytes --]

Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Since running virtual machines is one of our legitimate use cases, it
> makes sense to provide Qemu with the ability of taking advantage of
> IOMMU support for safer virtuall memory allocation, if available.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0b9c79209..42275d26f 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m
> CONFIG_INTEL_IDXD_BUS=m
> CONFIG_INTEL_IDXD=m
> # CONFIG_INTEL_IDXD_COMPAT is not set
> +# CONFIG_INTEL_IDXD_SVM is not set
> # CONFIG_INTEL_IDXD_PERFMON is not set
> CONFIG_INTEL_IOATDMA=m
> CONFIG_PLX_DMA=m
> @@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
> # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
> # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
> CONFIG_IOMMU_DMA=y
> +CONFIG_IOMMU_SVA_LIB=y
> CONFIG_AMD_IOMMU=y
> -# CONFIG_AMD_IOMMU_V2 is not set
> +CONFIG_AMD_IOMMU_V2=y
> CONFIG_DMAR_TABLE=y
> CONFIG_INTEL_IOMMU=y
> -# CONFIG_INTEL_IOMMU_SVM is not set
> +CONFIG_INTEL_IOMMU_SVM=y
> # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
> CONFIG_INTEL_IOMMU_FLOPPY_WA=y
> # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
> -- 
> 2.34.1

[PATCH 10/11] Kernel: Disable function and stack tracers

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 8523 bytes --]

grsecurity recommends to disable this on non-development systems for
reducing attack surface. Since we never debug the kernel that deeply on
a productive system, it makes sense to follow this recommendation.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
 config/kernel/kernel.config.armv6l-ipfire  | 13 ++-----------
 config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
 config/kernel/kernel.config.x86_64-ipfire  | 17 ++---------------
 4 files changed, 8 insertions(+), 48 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 0fcbed4a2..5bd15cc48 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
@@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 468c74112..06010f893 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
@@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index de975e3f0..6b0aa466f 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_TRACE_EVENT_INJECT is not set
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 42275d26f..eee5e4a55 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_CMDLINE_BOOL is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 CONFIG_HAVE_LIVEPATCH=y
-# CONFIG_LIVEPATCH is not set
 # end of Processor type and features
 
 CONFIG_ARCH_HAS_ADD_PAGES=y
@@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
-CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
-CONFIG_FTRACE_MCOUNT_USE_CC=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
 # CONFIG_TRACE_EVENT_INJECT is not set
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
-- 
2.34.1

Re: [PATCH 10/11] Kernel: Disable function and stack tracers

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 9008 bytes --]

Could you please verify that powertop does not need any of these?

> On 19 Mar 2022, at 21:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> grsecurity recommends to disable this on non-development systems for
> reducing attack surface. Since we never debug the kernel that deeply on
> a productive system, it makes sense to follow this recommendation.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
> config/kernel/kernel.config.armv6l-ipfire  | 13 ++-----------
> config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
> config/kernel/kernel.config.x86_64-ipfire  | 17 ++---------------
> 4 files changed, 8 insertions(+), 48 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 0fcbed4a2..5bd15cc48 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> @@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 468c74112..06010f893 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> @@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index de975e3f0..6b0aa466f 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_TRACE_EVENT_INJECT is not set
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 42275d26f..eee5e4a55 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
> # CONFIG_CMDLINE_BOOL is not set
> # CONFIG_MODIFY_LDT_SYSCALL is not set
> CONFIG_HAVE_LIVEPATCH=y
> -# CONFIG_LIVEPATCH is not set
> # end of Processor type and features
> 
> CONFIG_ARCH_HAS_ADD_PAGES=y
> @@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
> -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> -CONFIG_FTRACE_MCOUNT_USE_CC=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> # CONFIG_TRACE_EVENT_INJECT is not set
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> -- 
> 2.34.1

[PATCH 11/11] Kernel: Update rootfile for x86_64

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 9068 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/common/x86_64/linux | 33 ++++++++++++++++------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index a01af1fc4..85d8ffc66 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -6408,6 +6408,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/ALX
 #lib/modules/KVER-ipfire/build/include/config/AMD8111_ETH
 #lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU
+#lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU_V2
 #lib/modules/KVER-ipfire/build/include/config/AMD_NB
 #lib/modules/KVER-ipfire/build/include/config/AMD_PHY
 #lib/modules/KVER-ipfire/build/include/config/AMD_PMC
@@ -6680,7 +6681,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INITRD
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY_T10
-#lib/modules/KVER-ipfire/build/include/config/BLK_DEV_IO_TRACE
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP_MIN_COUNT
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_MD
@@ -6763,6 +6763,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/BTT
 #lib/modules/KVER-ipfire/build/include/config/BUG
+#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION
 #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT
 #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT
 #lib/modules/KVER-ipfire/build/include/config/CACHEFILES
@@ -6786,6 +6787,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_UBSAN_BOUNDS
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS
 #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC
@@ -7086,6 +7088,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
+#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
 #lib/modules/KVER-ipfire/build/include/config/DECOMPRESS_BZIP2
@@ -7417,10 +7420,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_REGS
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_MEMORY_LAYOUT
 #lib/modules/KVER-ipfire/build/include/config/E100
 #lib/modules/KVER-ipfire/build/include/config/E1000
@@ -7589,14 +7588,9 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/FS_MBCACHE
 #lib/modules/KVER-ipfire/build/include/config/FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/FTRACE
-#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_RECORD
-#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_USE_CC
 #lib/modules/KVER-ipfire/build/include/config/FTRACE_SYSCALLS
 #lib/modules/KVER-ipfire/build/include/config/FUJITSU_ES
 #lib/modules/KVER-ipfire/build/include/config/FUJITSU_LAPTOP
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_GRAPH_TRACER
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_PROFILER
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_TRACER
 #lib/modules/KVER-ipfire/build/include/config/FUSE_FS
 #lib/modules/KVER-ipfire/build/include/config/FUSION
 #lib/modules/KVER-ipfire/build/include/config/FUSION_CTL
@@ -8070,6 +8064,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOATDMA
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_FLOPPY_WA
+#lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_SVM
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IPS
 #lib/modules/KVER-ipfire/build/include/config/INTEL_ISH_HID
 #lib/modules/KVER-ipfire/build/include/config/INTEL_LDMA
@@ -8090,6 +8085,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_IOVA
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_IO_PGTABLE
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_SUPPORT
+#lib/modules/KVER-ipfire/build/include/config/IOMMU_SVA_LIB
 #lib/modules/KVER-ipfire/build/include/config/IONIC
 #lib/modules/KVER-ipfire/build/include/config/IOSCHED_BFQ
 #lib/modules/KVER-ipfire/build/include/config/IOSF_MBI
@@ -8345,7 +8341,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/LAN743X
 #lib/modules/KVER-ipfire/build/include/config/LCD_CLASS_DEVICE
 #lib/modules/KVER-ipfire/build/include/config/LCD_PLATFORM
-#lib/modules/KVER-ipfire/build/include/config/LDISC_AUTOLOAD
 #lib/modules/KVER-ipfire/build/include/config/LDM_PARTITION
 #lib/modules/KVER-ipfire/build/include/config/LD_IS_BFD
 #lib/modules/KVER-ipfire/build/include/config/LD_ORPHAN_WARN
@@ -8414,6 +8409,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/LOCKD_V4
 #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
 #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
+#lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_INTEGRITY
 #lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
 #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
 #lib/modules/KVER-ipfire/build/include/config/LOGO
@@ -9867,6 +9863,11 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SECURITY
 #lib/modules/KVER-ipfire/build/include/config/SECURITYFS
 #lib/modules/KVER-ipfire/build/include/config/SECURITY_DMESG_RESTRICT
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN_ENFORCE
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM_EARLY
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_SAFESETID
 #lib/modules/KVER-ipfire/build/include/config/SELECT_MEMORY_MODEL
 #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU
 #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU3
@@ -10345,7 +10346,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/STACKPROTECTOR_STRONG
 #lib/modules/KVER-ipfire/build/include/config/STACKTRACE
 #lib/modules/KVER-ipfire/build/include/config/STACKTRACE_SUPPORT
-#lib/modules/KVER-ipfire/build/include/config/STACK_TRACER
 #lib/modules/KVER-ipfire/build/include/config/STACK_VALIDATION
 #lib/modules/KVER-ipfire/build/include/config/STAGING
 #lib/modules/KVER-ipfire/build/include/config/STANDALONE
@@ -10395,8 +10395,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SYS_HYPERVISOR
 #lib/modules/KVER-ipfire/build/include/config/TAP
 #lib/modules/KVER-ipfire/build/include/config/TASKSTATS
-#lib/modules/KVER-ipfire/build/include/config/TASKS_RCU_GENERIC
-#lib/modules/KVER-ipfire/build/include/config/TASKS_RUDE_RCU
 #lib/modules/KVER-ipfire/build/include/config/TASK_DELAY_ACCT
 #lib/modules/KVER-ipfire/build/include/config/TASK_IO_ACCOUNTING
 #lib/modules/KVER-ipfire/build/include/config/TASK_XACCT
@@ -10502,6 +10500,13 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/TYPEC_TCPM
 #lib/modules/KVER-ipfire/build/include/config/TYPEC_UCSI
 #lib/modules/KVER-ipfire/build/include/config/TYPHOON
+#lib/modules/KVER-ipfire/build/include/config/UBSAN
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOOL
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOUNDS
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_ENUM
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_ONLY_BOUNDS
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_SANITIZE_ALL
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_SHIFT
 #lib/modules/KVER-ipfire/build/include/config/UCS2_STRING
 #lib/modules/KVER-ipfire/build/include/config/UCSI_ACPI
 #lib/modules/KVER-ipfire/build/include/config/UDF_FS
-- 
2.34.1

Re: [PATCH 00/11] Kernel: Improve hardening

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3901 bytes --]

Hello Michael,

thanks for your e-mail.

This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
the running kernel, hence it is no longer available if LSM runs in "integrity" mode.

On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
/dev/ports access is no longer available. On my testing hardware, that does not make a difference,
but I presume it will on other hardware with more or different sensors.

sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
to reflect that.

Thanks, and best regards,
Peter Müller


> Hello,
> 
> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
> 
> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
> 
> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
> 
> 
> 
> -Michael
> 
>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> This patchset improves hardening of our Linux kernel configurations for all
>> architectures. Most importantly, it features the activation of the "Linux
>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>> pandemic), or LSM for short.
>>
>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>> modified by various mechanisms, of which we have some already covered. However,
>> it comes as a more holistic approach, which is why enabling it is desirable
>> for our userbase.
>>
>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>> taken directly from KSPP and grsecurity.
>>
>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>> and my VM on the Mustang currently being offline, this patchset does not come
>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>> for any inconvenience and extra workload caused by this.
>>
>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>> features we officially support and which we don't. In doubt, however, I believe
>> the security benefit gained from LSM outweighs a partial functional loss of
>> virtualisation - but that is a highly biased opinion. :-)
>>
>> Peter Müller (11):
>>  Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>  Kernel: Disable support for tracing block I/O actions
>>  Kernel: Pin loading kernel files to one filesystem
>>  Kernel: Enable undefined behaviour sanity checker
>>  Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>  Kernel: Enable LSM support and set security level to "integrity"
>>  Kernel: Trigger BUG if data corruption is detected
>>  Kernel: Do not automatically load TTY line disciplines, only if
>>    necessary
>>  Kernel: Enable SVA support for both Intel and AMD CPUs
>>  Kernel: Disable function and stack tracers
>>  Kernel: Update rootfile for x86_64
>>
>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>
>> -- 
>> 2.34.1
> 
> 

Re: [PATCH 00/11] Kernel: Improve hardening

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 4156 bytes --]

Could you please check with Arne how severe this is for the sensors?

> On 13 Apr 2022, at 10:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your e-mail.
> 
> This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
> the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
> 
> On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
> /dev/ports access is no longer available. On my testing hardware, that does not make a difference,
> but I presume it will on other hardware with more or different sensors.
> 
> sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
> there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
> to reflect that.
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
>> 
>> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
>> 
>> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
>> 
>> 
>> 
>> -Michael
>> 
>>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> This patchset improves hardening of our Linux kernel configurations for all
>>> architectures. Most importantly, it features the activation of the "Linux
>>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>>> pandemic), or LSM for short.
>>> 
>>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>>> modified by various mechanisms, of which we have some already covered. However,
>>> it comes as a more holistic approach, which is why enabling it is desirable
>>> for our userbase.
>>> 
>>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>>> taken directly from KSPP and grsecurity.
>>> 
>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>>> and my VM on the Mustang currently being offline, this patchset does not come
>>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>>> for any inconvenience and extra workload caused by this.
>>> 
>>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>>> features we officially support and which we don't. In doubt, however, I believe
>>> the security benefit gained from LSM outweighs a partial functional loss of
>>> virtualisation - but that is a highly biased opinion. :-)
>>> 
>>> Peter Müller (11):
>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>> Kernel: Disable support for tracing block I/O actions
>>> Kernel: Pin loading kernel files to one filesystem
>>> Kernel: Enable undefined behaviour sanity checker
>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>> Kernel: Enable LSM support and set security level to "integrity"
>>> Kernel: Trigger BUG if data corruption is detected
>>> Kernel: Do not automatically load TTY line disciplines, only if
>>>   necessary
>>> Kernel: Enable SVA support for both Intel and AMD CPUs
>>> Kernel: Disable function and stack tracers
>>> Kernel: Update rootfile for x86_64
>>> 
>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>> 
>>> -- 
>>> 2.34.1
>> 
>> 

Re: [PATCH 00/11] Kernel: Improve hardening

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 4471 bytes --]

For the records: I spoke to Arne regarding this on the phone the other day. He confirmed to
me that this is by no means a severe issue from his point of view, and will check whether
firmware flashing continues to work with the hardened kernel.

> Could you please check with Arne how severe this is for the sensors?
> 
>> On 13 Apr 2022, at 10:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> thanks for your e-mail.
>>
>> This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
>> the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
>>
>> On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
>> /dev/ports access is no longer available. On my testing hardware, that does not make a difference,
>> but I presume it will on other hardware with more or different sensors.
>>
>> sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
>> there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
>> to reflect that.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
>>>
>>> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
>>>
>>> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
>>>
>>>
>>>
>>> -Michael
>>>
>>>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> This patchset improves hardening of our Linux kernel configurations for all
>>>> architectures. Most importantly, it features the activation of the "Linux
>>>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>>>> pandemic), or LSM for short.
>>>>
>>>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>>>> modified by various mechanisms, of which we have some already covered. However,
>>>> it comes as a more holistic approach, which is why enabling it is desirable
>>>> for our userbase.
>>>>
>>>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>>>> taken directly from KSPP and grsecurity.
>>>>
>>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>>>> and my VM on the Mustang currently being offline, this patchset does not come
>>>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>>>> for any inconvenience and extra workload caused by this.
>>>>
>>>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>>>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>>>> features we officially support and which we don't. In doubt, however, I believe
>>>> the security benefit gained from LSM outweighs a partial functional loss of
>>>> virtualisation - but that is a highly biased opinion. :-)
>>>>
>>>> Peter Müller (11):
>>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>>> Kernel: Disable support for tracing block I/O actions
>>>> Kernel: Pin loading kernel files to one filesystem
>>>> Kernel: Enable undefined behaviour sanity checker
>>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>>> Kernel: Enable LSM support and set security level to "integrity"
>>>> Kernel: Trigger BUG if data corruption is detected
>>>> Kernel: Do not automatically load TTY line disciplines, only if
>>>>   necessary
>>>> Kernel: Enable SVA support for both Intel and AMD CPUs
>>>> Kernel: Disable function and stack tracers
>>>> Kernel: Update rootfile for x86_64
>>>>
>>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>>>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>>>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>>>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>>>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>>>
>>>> -- 
>>>> 2.34.1
>>>
>>>
> 

Re: [PATCH 00/11] Kernel: Improve hardening

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 4764 bytes --]

Hello Peter,

Thank you. So for the sensors, we can keep LSM on. Cool.

-Michael

> On 14 Apr 2022, at 07:16, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> For the records: I spoke to Arne regarding this on the phone the other day. He confirmed to
> me that this is by no means a severe issue from his point of view, and will check whether
> firmware flashing continues to work with the hardened kernel.
> 
>> Could you please check with Arne how severe this is for the sensors?
>> 
>>> On 13 Apr 2022, at 10:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> Hello Michael,
>>> 
>>> thanks for your e-mail.
>>> 
>>> This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
>>> the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
>>> 
>>> On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
>>> /dev/ports access is no longer available. On my testing hardware, that does not make a difference,
>>> but I presume it will on other hardware with more or different sensors.
>>> 
>>> sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
>>> there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
>>> to reflect that.
>>> 
>>> Thanks, and best regards,
>>> Peter Müller
>>> 
>>> 
>>>> Hello,
>>>> 
>>>> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
>>>> 
>>>> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
>>>> 
>>>> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
>>>> 
>>>> 
>>>> 
>>>> -Michael
>>>> 
>>>>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>> 
>>>>> This patchset improves hardening of our Linux kernel configurations for all
>>>>> architectures. Most importantly, it features the activation of the "Linux
>>>>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>>>>> pandemic), or LSM for short.
>>>>> 
>>>>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>>>>> modified by various mechanisms, of which we have some already covered. However,
>>>>> it comes as a more holistic approach, which is why enabling it is desirable
>>>>> for our userbase.
>>>>> 
>>>>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>>>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>>>>> taken directly from KSPP and grsecurity.
>>>>> 
>>>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>>>>> and my VM on the Mustang currently being offline, this patchset does not come
>>>>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>>>>> for any inconvenience and extra workload caused by this.
>>>>> 
>>>>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>>>>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>>>>> features we officially support and which we don't. In doubt, however, I believe
>>>>> the security benefit gained from LSM outweighs a partial functional loss of
>>>>> virtualisation - but that is a highly biased opinion. :-)
>>>>> 
>>>>> Peter Müller (11):
>>>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>>>> Kernel: Disable support for tracing block I/O actions
>>>>> Kernel: Pin loading kernel files to one filesystem
>>>>> Kernel: Enable undefined behaviour sanity checker
>>>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>>>> Kernel: Enable LSM support and set security level to "integrity"
>>>>> Kernel: Trigger BUG if data corruption is detected
>>>>> Kernel: Do not automatically load TTY line disciplines, only if
>>>>>  necessary
>>>>> Kernel: Enable SVA support for both Intel and AMD CPUs
>>>>> Kernel: Disable function and stack tracers
>>>>> Kernel: Update rootfile for x86_64
>>>>> 
>>>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>>>>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>>>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>>>>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>>>>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>>>>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>>>> 
>>>>> -- 
>>>>> 2.34.1
>>>> 
>>>> 
>> 

Re: [PATCH 00/11] Kernel: Improve hardening

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 5712 bytes --]

Hello Michael,

aaaaand here is the disappointment: As already apprehended, firmware flashing does no longer work with the
hardened kernel, as Arne told me on the phone today. :-/

(And since all these APUs run on x86_64 as well, we cannot even enable LSM on that kernel, like we did with
other hardening features that were not available or usable on certain architectures.

Another option would leaving LSM enabled, but without enforcing the "integrity" level. It can be enabled via
a trigger to some /proc location on runtime - but attackers can tamper with that, it kind of renders the
whole idea ad absurdum, and I would really consider this as a last resort. Besides, users would have to disable
it every time they want to flash a firmware.)

Oh, goddammit. Why can't _one_ thing in life just _work_?!

Thanks, and best regards,
Peter Müller


> Hello Peter,
> 
> Thank you. So for the sensors, we can keep LSM on. Cool.
> 
> -Michael
> 
>> On 14 Apr 2022, at 07:16, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> For the records: I spoke to Arne regarding this on the phone the other day. He confirmed to
>> me that this is by no means a severe issue from his point of view, and will check whether
>> firmware flashing continues to work with the hardened kernel.
>>
>>> Could you please check with Arne how severe this is for the sensors?
>>>
>>>> On 13 Apr 2022, at 10:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Hello Michael,
>>>>
>>>> thanks for your e-mail.
>>>>
>>>> This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
>>>> the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
>>>>
>>>> On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
>>>> /dev/ports access is no longer available. On my testing hardware, that does not make a difference,
>>>> but I presume it will on other hardware with more or different sensors.
>>>>
>>>> sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
>>>> there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
>>>> to reflect that.
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
>>>>>
>>>>> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
>>>>>
>>>>> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
>>>>>
>>>>>
>>>>>
>>>>> -Michael
>>>>>
>>>>>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>>
>>>>>> This patchset improves hardening of our Linux kernel configurations for all
>>>>>> architectures. Most importantly, it features the activation of the "Linux
>>>>>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>>>>>> pandemic), or LSM for short.
>>>>>>
>>>>>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>>>>>> modified by various mechanisms, of which we have some already covered. However,
>>>>>> it comes as a more holistic approach, which is why enabling it is desirable
>>>>>> for our userbase.
>>>>>>
>>>>>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>>>>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>>>>>> taken directly from KSPP and grsecurity.
>>>>>>
>>>>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>>>>>> and my VM on the Mustang currently being offline, this patchset does not come
>>>>>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>>>>>> for any inconvenience and extra workload caused by this.
>>>>>>
>>>>>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>>>>>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>>>>>> features we officially support and which we don't. In doubt, however, I believe
>>>>>> the security benefit gained from LSM outweighs a partial functional loss of
>>>>>> virtualisation - but that is a highly biased opinion. :-)
>>>>>>
>>>>>> Peter Müller (11):
>>>>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>>>>> Kernel: Disable support for tracing block I/O actions
>>>>>> Kernel: Pin loading kernel files to one filesystem
>>>>>> Kernel: Enable undefined behaviour sanity checker
>>>>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>>>>> Kernel: Enable LSM support and set security level to "integrity"
>>>>>> Kernel: Trigger BUG if data corruption is detected
>>>>>> Kernel: Do not automatically load TTY line disciplines, only if
>>>>>>  necessary
>>>>>> Kernel: Enable SVA support for both Intel and AMD CPUs
>>>>>> Kernel: Disable function and stack tracers
>>>>>> Kernel: Update rootfile for x86_64
>>>>>>
>>>>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>>>>>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>>>>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>>>>>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>>>>>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>>>>>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>>>>>
>>>>>> -- 
>>>>>> 2.34.1
>>>>>
>>>>>
>>>
>