Hello,
I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
At least the message needs to be silenced, but you should investigate whether sensors will still work and is able to access readings for its hardware sensors.
-Michael
On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller@ipfire.org> wrote:
This patchset improves hardening of our Linux kernel configurations for all
architectures. Most importantly, it features the activation of the "Linux
Security Module", also known as "kernel lockdown" (a phrase coined before the
pandemic), or LSM for short.
Being set to "integrity" mode for a start, LSM prevents the kernel from being
modified by various mechanisms, of which we have some already covered. However,
it comes as a more holistic approach, which is why enabling it is desirable
for our userbase.
Most of this patchset is based on recommendations by the "kconfig-hardened-check"
tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
taken directly from KSPP and grsecurity.
Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
and my VM on the Mustang currently being offline, this patchset does not come
with aligned kernel rootfiles for other architectures than x86_64. I am sorry
for any inconvenience and extra workload caused by this.
Also, for the sake of completeness, the effect of LSM on virtualisation has not
been tested due to time constraints, and a lack of oversight _which_ virtualisation
features we officially support and which we don't. In doubt, however, I believe
the security benefit gained from LSM outweighs a partial functional loss of
virtualisation - but that is a highly biased opinion. :-)
Peter Müller (11):
Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
Kernel: Disable support for tracing block I/O actions
Kernel: Pin loading kernel files to one filesystem
Kernel: Enable undefined behaviour sanity checker
Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
Kernel: Enable LSM support and set security level to "integrity"
Kernel: Trigger BUG if data corruption is detected
Kernel: Do not automatically load TTY line disciplines, only if
necessary
Kernel: Enable SVA support for both Intel and AMD CPUs
Kernel: Disable function and stack tracers
Kernel: Update rootfile for x86_64
config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++----------
config/rootfiles/common/x86_64/linux | 33 +++++++------
5 files changed, 131 insertions(+), 100 deletions(-)
--
2.34.1