Re: [PATCH 00/11] Kernel: Improve hardening

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 00/11] Kernel: Improve hardening
Date: Wed, 13 Apr 2022 10:20:02 +0100	[thread overview]
Message-ID: <FBC1D40B-29D8-4DE7-BE17-9D45AF4AEE25@ipfire.org> (raw)
In-Reply-To: <d1eeb901-109c-651c-8101-63a4d736e1d6@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 4156 bytes --]

Could you please check with Arne how severe this is for the sensors?

> On 13 Apr 2022, at 10:18, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your e-mail.
> 
> This is caused by the kernel lockdown patch, since /dev/ports apparently can be used to alter
> the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
> 
> On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires
> /dev/ports access is no longer available. On my testing hardware, that does not make a difference,
> but I presume it will on other hardware with more or different sensors.
> 
> sensors-detect does not implement any option to probe non-/dev/ports-sensors only, so I guess
> there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript
> to reflect that.
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>> I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
>> 
>> This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
>> 
>> At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
>> 
>> 
>> 
>> -Michael
>> 
>>> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> This patchset improves hardening of our Linux kernel configurations for all
>>> architectures. Most importantly, it features the activation of the "Linux
>>> Security Module", also known as "kernel lockdown" (a phrase coined before the
>>> pandemic), or LSM for short.
>>> 
>>> Being set to "integrity" mode for a start, LSM prevents the kernel from being
>>> modified by various mechanisms, of which we have some already covered. However,
>>> it comes as a more holistic approach, which is why enabling it is desirable
>>> for our userbase.
>>> 
>>> Most of this patchset is based on recommendations by the "kconfig-hardened-check"
>>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
>>> taken directly from KSPP and grsecurity.
>>> 
>>> Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
>>> and my VM on the Mustang currently being offline, this patchset does not come
>>> with aligned kernel rootfiles for other architectures than x86_64. I am sorry
>>> for any inconvenience and extra workload caused by this.
>>> 
>>> Also, for the sake of completeness, the effect of LSM on virtualisation has not
>>> been tested due to time constraints, and a lack of oversight _which_ virtualisation
>>> features we officially support and which we don't. In doubt, however, I believe
>>> the security benefit gained from LSM outweighs a partial functional loss of
>>> virtualisation - but that is a highly biased opinion. :-)
>>> 
>>> Peter Müller (11):
>>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
>>> Kernel: Disable support for tracing block I/O actions
>>> Kernel: Pin loading kernel files to one filesystem
>>> Kernel: Enable undefined behaviour sanity checker
>>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
>>> Kernel: Enable LSM support and set security level to "integrity"
>>> Kernel: Trigger BUG if data corruption is detected
>>> Kernel: Do not automatically load TTY line disciplines, only if
>>>   necessary
>>> Kernel: Enable SVA support for both Intel and AMD CPUs
>>> Kernel: Disable function and stack tracers
>>> Kernel: Update rootfile for x86_64
>>> 
>>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
>>> config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
>>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
>>> config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
>>> config/rootfiles/common/x86_64/linux       | 33 +++++++------
>>> 5 files changed, 131 insertions(+), 100 deletions(-)
>>> 
>>> -- 
>>> 2.34.1
>> 
>>

next prev parent reply	other threads:[~2022-04-13  9:20 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <265D481E-78F1-4A6D-AAF4-47A5997D5741@ipfire.org>
2022-04-13  9:18 ` Peter Müller
2022-04-13  9:20   ` Michael Tremer [this message]
2022-04-14  6:16     ` Peter Müller
2022-04-14  7:11       ` Michael Tremer
2022-04-14 14:51         ` Peter Müller
2022-03-19 21:08 Peter Müller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=FBC1D40B-29D8-4DE7-BE17-9D45AF4AEE25@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox