From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH 00/11] Kernel: Improve hardening Date: Wed, 13 Apr 2022 09:18:59 +0000 Message-ID: In-Reply-To: <265D481E-78F1-4A6D-AAF4-47A5997D5741@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7244266444396653794==" List-Id: --===============7244266444396653794== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, thanks for your e-mail. This is caused by the kernel lockdown patch, since /dev/ports apparently can = be used to alter the running kernel, hence it is no longer available if LSM runs in "integrity= " mode. On my testing machine, sensors and sensors-detect continue to work, but any s= ensor that requires /dev/ports access is no longer available. On my testing hardware, that does n= ot make a difference, but I presume it will on other hardware with more or different sensors. sensors-detect does not implement any option to probe non-/dev/ports-sensors = only, so I guess there is nothing we can do besides a "> /dev/null 2>&1". I will change the co= llectd initscript to reflect that. Thanks, and best regards, Peter M=C3=BCller > Hello, >=20 > I don=E2=80=99t know exactly which patch is responsible for this, but /dev/= port is no longer accessible by sensors-detect. >=20 > This leads to ugly messages when the system is booting up for the first tim= e. Please see the attached screenshot. >=20 > At least the message needs to be silenced, but you should investigate wheth= er sensors will still work and is able to access readings for its hardware se= nsors. >=20 >=20 >=20 > -Michael >=20 >> On 19 Mar 2022, at 21:08, Peter M=C3=BCller w= rote: >> >> This patchset improves hardening of our Linux kernel configurations for all >> architectures. Most importantly, it features the activation of the "Linux >> Security Module", also known as "kernel lockdown" (a phrase coined before = the >> pandemic), or LSM for short. >> >> Being set to "integrity" mode for a start, LSM prevents the kernel from be= ing >> modified by various mechanisms, of which we have some already covered. How= ever, >> it comes as a more holistic approach, which is why enabling it is desirable >> for our userbase. >> >> Most of this patchset is based on recommendations by the "kconfig-hardened= -check" >> tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some ins= piration >> taken directly from KSPP and grsecurity. >> >> Being unable to cross-compile IPFire for non-x86_64-architectures on my ow= n, >> and my VM on the Mustang currently being offline, this patchset does not c= ome >> with aligned kernel rootfiles for other architectures than x86_64. I am so= rry >> for any inconvenience and extra workload caused by this. >> >> Also, for the sake of completeness, the effect of LSM on virtualisation ha= s not >> been tested due to time constraints, and a lack of oversight _which_ virtu= alisation >> features we officially support and which we don't. In doubt, however, I be= lieve >> the security benefit gained from LSM outweighs a partial functional loss of >> virtualisation - but that is a highly biased opinion. :-) >> >> Peter M=C3=BCller (11): >> Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits >> Kernel: Disable support for tracing block I/O actions >> Kernel: Pin loading kernel files to one filesystem >> Kernel: Enable undefined behaviour sanity checker >> Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities >> Kernel: Enable LSM support and set security level to "integrity" >> Kernel: Trigger BUG if data corruption is detected >> Kernel: Do not automatically load TTY line disciplines, only if >> necessary >> Kernel: Enable SVA support for both Intel and AMD CPUs >> Kernel: Disable function and stack tracers >> Kernel: Update rootfile for x86_64 >> >> config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++-------- >> config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++-------- >> config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++-------- >> config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++---------- >> config/rootfiles/common/x86_64/linux | 33 +++++++------ >> 5 files changed, 131 insertions(+), 100 deletions(-) >> >> --=20 >> 2.34.1 >=20 >=20 --===============7244266444396653794==--