Hello *,
during the past months, more and more vulnerabilities in modern CPUs were detected. At the moment, there are
- Spectre v1 and v2
- Meltdown (sometimes referred to as Spectre v3)
- Spectre v4
- a bunch of vulnerabilities similar to v4 (summarised as Spectre-NG)
- Spectre v5
- and a lot more, at least five of them undisclosed.
Needless to say, this complex is a total nightmare for anybody caring about security - not only because of the technical issues, but mainly due to very sloppy responses from the hardware vendors (I cannot resist naming Intel here directly).
Further, the current CVE and patch situation (especially when it comes to the Linux kernel) is completely confusing, making it nearly impossible to check which has been backported whereto, addressing which security bulletin. In my humble opinion, the significance of security has decreased a lot and is still dropping. Being discontent with the overall security situation in the Linux kernel, the handling of recent CPU vulnerabilities did not help.
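One check that does not depend on tracing CVEs through stable changelogs is to ask the running kernel what it reports about itself. Since 4.15 (backported to the 4.14 stable series) the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/, each containing "Not affected", "Vulnerable" (optionally with a detail) or "Mitigation: <detail>". The script below is an added example, not code from this mail or from the IPFire project; it takes the directory as a parameter so it can be run against a constructed copy of that tree as well as the live one, and the sample values in the comments are modelled on, not copied from, a 4.14.x kernel.

```shell
#!/bin/sh
# Added example (not from the list post or the IPFire project): summarise the
# kernel's own CPU vulnerability status files and flag anything still
# reported as Vulnerable.

# vuln_status [DIR]
#   Prints "<issue><TAB><status>" for every file in DIR
#   (default: /sys/devices/system/cpu/vulnerabilities).
#   Returns 0 if nothing is reported as Vulnerable, 1 if something is,
#   2 if DIR does not exist (kernel without this sysfs interface).
vuln_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    vulnerable=0
    if [ ! -d "$dir" ]; then
        echo "vuln_status: $dir not found (kernel without the sysfs interface?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=${f##*/}
        status=$(cat "$f")
        printf '%s\t%s\n' "$issue" "$status"
        case $status in
            Vulnerable*) vulnerable=$((vulnerable + 1)) ;;
        esac
    done
    [ "$vulnerable" -eq 0 ]
}

# count_vulnerable [DIR]
#   Number of issues the kernel still reports as Vulnerable. Prints 0 when the
#   directory is absent, so callers that care about that case must check the
#   return code of vuln_status instead.
count_vulnerable() {
    vuln_status "$1" 2>/dev/null | awk -F'\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# Stand-alone use: `sh vuln_status.sh --live` reports on the running kernel
# and exits non-zero if any entry is still Vulnerable.
case ${1:-} in
    --live) vuln_status ;;
esac
```

Run with --live on each kernel candidate before shipping it, and keep the output of the previous release around: a line that changes from "Mitigation: ..." back to "Vulnerable" between two builds is exactly the regression that the changelog confusion described above makes easy to miss.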
That being said, I would like to discuss some changes to improve security in IPFire, most of them at kernel or sysctl level.
(a) Disable hyperthreading by default?

OpenBSD did so a while ago, arguing this makes some side-channel attacks more complicated or even impossible. HT was the source of some serious vulnerabilities in the past (starting around 2006), which is one reason why I never liked it too much. Would you consider disabling it acceptable (it will probably cause some performance impact)?
(b) Update kernel more frequently

It seems to be necessary to ship new kernels more frequently, as some security fixes are backported to 4.14.x very quickly. Unfortunately, this causes updates to become very big, as C121/122 turned out, and I am not familiar with the procedure behind this. How often do we want to ship a new kernel? Every second update? Every fourth? I have no idea... :-)
(c) Introduce kernel and sysctl hardening

Fortunately, there are some configure flags and /etc/sysctl.conf settings improving the overall situation: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende...
Their implementation in IPFire is on my TODO list (forgive me for being slow during the last time) and filed here: https://bugzilla.ipfire.org/show_bug.cgi?id=11659
How small should the chunks be here? A patch for every changed setting, or can portions be bigger (the same applies to OpenSSH hardening as well)? Just asking to avoid unnecessary noise afterwards.
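Whatever the patch granularity ends up being, the settings only help if they are still in effect on the installed box, so an audit that compares the desired sysctl values with what the kernel currently reports is worth having next to the sysctl.conf change. The script below is an added example, not code from this mail or from IPFire; the value list is an assumed subset of the KSPP recommendations linked above (check the wiki page for the full set and for settings your kernel version does not know yet, which the script reports as MISSING), and the "key = value" input format is the one `sysctl -a` prints, so a saved dump from another machine works as input too.

```shell
#!/bin/sh
# Added example (not from the list post or the IPFire project): compare a set of
# sysctl hardening settings against their desired values and report drift.

# Assumed subset of the KSPP recommended sysctl settings; adjust per deployment.
KSPP_EXPECTED='kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.kexec_load_disabled = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 1'

# trim_ws STRING: strip leading and trailing blanks
trim_ws() {
    printf '%s\n' "$1" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//'
}

# sysctl_audit EXPECTED CURRENT
#   Both arguments are "key = value" text, one setting per line (the format
#   `sysctl -a` prints). Blank lines and '#' comments in EXPECTED are skipped.
#   Prints one line per setting that is missing from CURRENT or differs from
#   the expected value; returns 0 only when nothing drifted.
sysctl_audit() {
    expected=$1
    current=$2
    drift=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        key=$(trim_ws "${line%%=*}")
        want=$(trim_ws "${line#*=}")
        # Look the key up in CURRENT; the first match wins.
        have=$(printf '%s\n' "$current" | awk -F'=' -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
            $1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT %s: have %s, want %s\n' "$key" "$have" "$want"
            drift=$((drift + 1))
        fi
    done <<EOF
$expected
EOF
    [ "$drift" -eq 0 ]
}

# Stand-alone use: `sh sysctl_audit.sh --live` checks the running kernel and
# exits non-zero if any expected setting is missing or drifted.
case ${1:-} in
    --live) sysctl_audit "$KSPP_EXPECTED" "$(sysctl -a 2>/dev/null)" ;;
esac
```

A MISSING line for a key such as kernel.yama.ptrace_scope usually means the corresponding kernel option (here Yama) is not built in, which is a configure-flag change rather than a sysctl one, so the two kinds of hardening patches can be kept apart by what this output reports.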
Comments? Anything I forgot here?
Thanks, and best regards,
Peter Müller

-- 
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq