From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 00/11] Kernel: Improve hardening Date: Wed, 13 Apr 2022 10:20:02 +0100 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2240254760889630493==" List-Id: --===============2240254760889630493== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Could you please check with Arne how severe this is for the sensors? > On 13 Apr 2022, at 10:18, Peter M=C3=BCller wr= ote: >=20 > Hello Michael, >=20 > thanks for your e-mail. >=20 > This is caused by the kernel lockdown patch, since /dev/ports apparently ca= n be used to alter > the running kernel, hence it is no longer available if LSM runs in "integri= ty" mode. >=20 > On my testing machine, sensors and sensors-detect continue to work, but any= sensor that requires > /dev/ports access is no longer available. On my testing hardware, that does= not make a difference, > but I presume it will on other hardware with more or different sensors. >=20 > sensors-detect does not implement any option to probe non-/dev/ports-sensor= s only, so I guess > there is nothing we can do besides a "> /dev/null 2>&1". I will change the = collectd initscript > to reflect that. >=20 > Thanks, and best regards, > Peter M=C3=BCller >=20 >=20 >> Hello, >>=20 >> I don=E2=80=99t know exactly which patch is responsible for this, but /dev= /port is no longer accessible by sensors-detect. >>=20 >> This leads to ugly messages when the system is booting up for the first ti= me. Please see the attached screenshot. >>=20 >> At least the message needs to be silenced, but you should investigate whet= her sensors will still work and is able to access readings for its hardware s= ensors. >>=20 >>=20 >>=20 >> -Michael >>=20 >>> On 19 Mar 2022, at 21:08, Peter M=C3=BCller = wrote: >>>=20 >>> This patchset improves hardening of our Linux kernel configurations for a= ll >>> architectures. Most importantly, it features the activation of the "Linux >>> Security Module", also known as "kernel lockdown" (a phrase coined before= the >>> pandemic), or LSM for short. >>>=20 >>> Being set to "integrity" mode for a start, LSM prevents the kernel from b= eing >>> modified by various mechanisms, of which we have some already covered. Ho= wever, >>> it comes as a more holistic approach, which is why enabling it is desirab= le >>> for our userbase. >>>=20 >>> Most of this patchset is based on recommendations by the "kconfig-hardene= d-check" >>> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some in= spiration >>> taken directly from KSPP and grsecurity. >>>=20 >>> Being unable to cross-compile IPFire for non-x86_64-architectures on my o= wn, >>> and my VM on the Mustang currently being offline, this patchset does not = come >>> with aligned kernel rootfiles for other architectures than x86_64. I am s= orry >>> for any inconvenience and extra workload caused by this. >>>=20 >>> Also, for the sake of completeness, the effect of LSM on virtualisation h= as not >>> been tested due to time constraints, and a lack of oversight _which_ virt= ualisation >>> features we officially support and which we don't. In doubt, however, I b= elieve >>> the security benefit gained from LSM outweighs a partial functional loss = of >>> virtualisation - but that is a highly biased opinion. :-) >>>=20 >>> Peter M=C3=BCller (11): >>> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits >>> Kernel: Disable support for tracing block I/O actions >>> Kernel: Pin loading kernel files to one filesystem >>> Kernel: Enable undefined behaviour sanity checker >>> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities >>> Kernel: Enable LSM support and set security level to "integrity" >>> Kernel: Trigger BUG if data corruption is detected >>> Kernel: Do not automatically load TTY line disciplines, only if >>> necessary >>> Kernel: Enable SVA support for both Intel and AMD CPUs >>> Kernel: Disable function and stack tracers >>> Kernel: Update rootfile for x86_64 >>>=20 >>> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++-------- >>> config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++-------- >>> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++-------- >>> config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++---------- >>> config/rootfiles/common/x86_64/linux | 33 +++++++------ >>> 5 files changed, 131 insertions(+), 100 deletions(-) >>>=20 >>> --=20 >>> 2.34.1 >>=20 >>=20 --===============2240254760889630493==--