This patchset improves hardening of our Linux kernel configurations for all architectures. Most importantly, it features the activation of the "Linux Security Module", also known as "kernel lockdown" (a phrase coined before the pandemic), or LSM for short.
Being set to "integrity" mode for a start, LSM prevents the kernel from being modified by various mechanisms, some of which we have already covered. However, it comes as a more holistic approach, which is why enabling it is desirable for our userbase.
Most of this patchset is based on recommendations by the "kconfig-hardened-check" tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration taken directly from KSPP and grsecurity.
Being unable to cross-compile IPFire for non-x86_64 architectures on my own, and my VM on the Mustang currently being offline, this patchset does not come with aligned kernel rootfiles for other architectures than x86_64. I am sorry for any inconvenience and extra workload caused by this.
Also, for the sake of completeness, the effect of LSM on virtualisation has not been tested due to time constraints, and a lack of oversight _which_ virtualisation features we officially support and which we don't. If in doubt, however, I believe the security benefit gained from LSM outweighs a partial functional loss of virtualisation - but that is a highly biased opinion. :-)
Peter Müller (11):
  Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  Kernel: Disable support for tracing block I/O actions
  Kernel: Pin loading kernel files to one filesystem
  Kernel: Enable undefined behaviour sanity checker
  Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  Kernel: Enable LSM support and set security level to "integrity"
  Kernel: Trigger BUG if data corruption is detected
  Kernel: Do not automatically load TTY line disciplines, only if necessary
  Kernel: Enable SVA support for both Intel and AMD CPUs
  Kernel: Disable function and stack tracers
  Kernel: Update rootfile for x86_64

 config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
 config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
 config/rootfiles/common/x86_64/linux       | 33 +++++++------
 5 files changed, 131 insertions(+), 100 deletions(-)
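A small checker for the settings this series touches, as an added example for this thread (it is neither IPFire code nor part of kconfig-hardened-check). It parses the `.config` format the patches edit, reports which of the series' symbols are not at the intended value, and flags an ARCH_MMAP_RND_BITS value above the architecture's ARCH_MMAP_RND_BITS_MAX, which Kconfig would otherwise clamp silently; the config fragments and the MAX values in them are constructed for illustration.

```python
"""Check a kernel .config against the hardening settings this patchset introduces.

Added example for this thread; not code from the IPFire project nor from
kconfig-hardened-check. Symbol names come from the hunks in the series; the
config fragments below are constructed for illustration.
"""
import re

# Settings taken from the series' hunks. "n" means the symbol must be disabled
# ("# CONFIG_X is not set" or absent from the file); any other value must match exactly.
EXPECTED = {
    "ARCH_MMAP_RND_BITS": "32",
    "BLK_DEV_IO_TRACE": "n",
    "SECURITY_LOADPIN": "y",
    "SECURITY_LOADPIN_ENFORCE": "y",
    "UBSAN": "y",
    "UBSAN_BOUNDS": "y",
    "UBSAN_SANITIZE_ALL": "y",
    "UBSAN_TRAP": "n",
}

_SET_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Parse .config text into {symbol: value}; explicitly unset symbols map to "n".

    Quoted string values lose their surrounding quotes; other comment lines are ignored.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            opts[name] = value
            continue
        m = _UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_config(opts, expected=EXPECTED):
    """Return a list of (symbol, wanted, actual) for every expectation not met."""
    findings = []
    for name, want in expected.items():
        have = opts.get(name, "n")  # a symbol missing from .config is disabled
        if have != want:
            findings.append((name, want, have))
    return findings


def mmap_rnd_bits_out_of_range(opts):
    """True when ARCH_MMAP_RND_BITS exceeds ARCH_MMAP_RND_BITS_MAX, None if unknown.

    Kconfig bounds ARCH_MMAP_RND_BITS with a per-architecture range and clamps an
    out-of-range value on the next olddefconfig run, so the number written into the
    file is not necessarily the one the kernel is built with.
    """
    bits = opts.get("ARCH_MMAP_RND_BITS", "")
    hi = opts.get("ARCH_MMAP_RND_BITS_MAX", "")
    if not (bits.isdigit() and hi.isdigit()):
        return None
    return int(bits) > int(hi)


# Constructed fragments modelled on the x86_64 hunks in this thread (not full configs).
BEFORE = """\
CONFIG_LOCALVERSION="-example"
CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
CONFIG_ARCH_MMAP_RND_BITS_MAX=32
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_BLK_DEV_IO_TRACE=y
# CONFIG_SECURITY_LOADPIN is not set
# CONFIG_UBSAN is not set
"""
AFTER = """\
CONFIG_LOCALVERSION="-example"
CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
CONFIG_ARCH_MMAP_RND_BITS_MAX=32
CONFIG_ARCH_MMAP_RND_BITS=32
# CONFIG_BLK_DEV_IO_TRACE is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
CONFIG_UBSAN=y
# CONFIG_UBSAN_TRAP is not set
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
"""
# Constructed 32-bit fragment; the MAX of 16 is an illustrative value, not from the thread.
ARM_LIKE = """\
CONFIG_ARCH_MMAP_RND_BITS_MAX=16
CONFIG_ARCH_MMAP_RND_BITS=32
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        opts = parse_config(text)
        for name, want, have in check_config(opts):
            print(f"{label}: CONFIG_{name} is {have}, expected {want}")
        print(f"{label}: mmap_rnd_bits out of range: {mmap_rnd_bits_out_of_range(opts)}")
    print("arm-like: out of range:", mmap_rnd_bits_out_of_range(parse_config(ARM_LIKE)))
```

Run it against a real `config/kernel/kernel.config.<arch>-ipfire` by passing the file contents to `parse_config`; an empty list from `check_config` means every setting of the series is in place.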
This follows a recommendation by ClipOS, making ASLR bypassing attempts harder.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6728fa7f3..4205aa5bc 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_ARCH_MMAP_RND_BITS=18 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index d8482de92..ef36b8e22 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y -CONFIG_ARCH_MMAP_RND_BITS=8 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y CONFIG_CLONE_BACKWARDS=y CONFIG_OLD_SIGSUSPEND3=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 73911b2ab..d8045c15c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_ARCH_MMAP_RND_BITS=18 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y CONFIG_CLONE_BACKWARDS=y CONFIG_COMPAT_32BIT_TIME=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0f322826e..b14815545 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y -CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_ARCH_MMAP_RND_BITS=32 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
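Review bot: the same value 32 is written for all four architectures, but CONFIG_ARCH_MMAP_RND_BITS is bounded by the per-architecture CONFIG_ARCH_MMAP_RND_BITS_MAX range in Kconfig, and the armv6l hunk raises the value from only 8; where 32 lies outside that range, the next olddefconfig run clamps it to the architecture's maximum without any error, so the effective value should be verified in each built .config (or via vm.mmap_rnd_bits at runtime) and the commit message should state the value actually obtained per architecture. The compat values left in the context lines (CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 on aarch64, 8 on x86_64) are untouched; a sentence on whether that is intentional would help.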
I feel we have talked about this on multiple occasions, yet it never made its way into the repository.
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 19 Mar 2022, at 21:08, Peter Müller peter.mueller@ipfire.org wrote:
This follows a recommendation by ClipOS, making ASLR bypassing attempts harder.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
This is not needed on IPFire systems, and grsecurity recommends to turn this off.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 4205aa5bc..35c249253 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index ef36b8e22..5b4ff8e20 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ALL_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d8045c15c..d4c0e0451 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b14815545..8b525ef89 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y
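Review bot: the commit message only says the option is not needed; it should name what is lost (blktrace, the block-layer I/O tracing used when diagnosing storage problems) so that support staff know this diagnostic is gone on affected kernels. The surrounding context keeps CONFIG_UPROBE_EVENTS, CONFIG_DYNAMIC_EVENTS and CONFIG_PROBE_EVENTS enabled, and the series has a separate "Disable function and stack tracers" patch, so a sentence on which tracing facilities are intended to remain would make the trade-off reviewable.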
Agreed.
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 19 Mar 2022, at 21:08, Peter Müller peter.mueller@ipfire.org wrote:
This is not needed on IPFire systems, and grsecurity recommends to turn this off.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/kernel/kernel.config.aarch64-ipfire | 3 ++-
 config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
 config/kernel/kernel.config.riscv64-ipfire | 3 ++-
 config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 35c249253..d9179c061 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 5b4ff8e20..522278160 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d4c0e0451..ebb830eb7 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8b525ef89..675c3ce1e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire 
+++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set
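Review bot: CONFIG_SECURITY_LOADPIN_ENFORCE=y pins every later kernel file load (modules, firmware) to the filesystem the first such file came from, and the justification "we never swap filesystems during runtime" does not cover the two cases raised in this thread: a boot through an initramfs, where the first load pins to an image that is discarded afterwards, and installations that keep /lib/firmware on a separate /var partition. Suggest either dropping the ENFORCE line and keeping CONFIG_SECURITY_LOADPIN=y, so that enforcement can be controlled through the kernel.loadpin.enforce sysctl during early boot, or stating in the commit message that the build was tested with the initramfs and the firmware layout IPFire actually ships.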
To my knowledge, enforced loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/
Also, we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!
Arne
On 2022-03-19 22:09, Peter Müller wrote:
This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Hello,
On 21 Mar 2022, at 17:15, Arne Fitzenreiter arne_f@ipfire.org wrote:
To my knowledge, enforced loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/
I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.
Also, we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!
The firmware currently is in /lib/firmware and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.
Best, -Michael
Arne
On 2022-03-19 22:09, Peter Müller wrote:
This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432
Signed-off-by: Peter Müller peter.mueller@ipfire.org
On 2022-03-21 19:50, Michael Tremer wrote:
Hello,
On 21 Mar 2022, at 17:15, Arne Fitzenreiter arne_f@ipfire.org wrote:
To my knowledge, enforced loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/
I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.
Quoting what I think is the relevant section from the article: "The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting."
And a somewhat related discussion https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f6907...
And a patch to the kernel, for which I could not figure out whether it has been merged: https://lkml.org/lkml/2021/4/8/1446 But it does not seem to be merged to me: https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772...
Alf
Also, we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!
The firmware currently is in /lib/firmware and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.
Best, -Michael
Arne
On 2022-03-19 22:09, Peter Müller wrote:
This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Hello,
Hmm, Peter confirmed to me that this works on the kernel he built.
On 21 Mar 2022, at 20:24, alf@i100.no wrote:
On 2022-03-21 19:50, Michael Tremer wrote:
Hello,
On 21 Mar 2022, at 17:15, Arne Fitzenreiter arne_f@ipfire.org wrote:
To my knowledge, enforced loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/
I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.
Quoting what I think is the relevant section from the article: "The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting."
Thank you for helping me find the correct paragraph.
And a somewhat related discussion https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f6907...
I generally do agree that it does not make a lot of sense for kernel modules to have this enabled. We sign our kernel modules anyway, which means that we do not need to trust the filesystem we load them from. However, there is some benefit here for firmware and other files the kernel loads. Those have no protection, and we can slightly mitigate any attacks here. How likely is this? Very unlikely, but still we can protect ourselves against them.
So this means that we potentially cannot enable the ENFORCE mode. But we can boot up the system and very early in the boot process set the loadpin sysctl so that any other file systems being mounted after that point can be used to load any files into the kernel.
@Peter: Would you please change the patch?
-Michael
And a patch to the kernel, for which I could not figure out whether it has been merged: https://lkml.org/lkml/2021/4/8/1446 But it does not seem to be merged to me: https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772...
Alf
Also, we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!
The firmware currently is in /lib/firmware and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.
Best, -Michael
Arne
On 2022-03-19 22:09, Peter Müller wrote:
This can be safely enabled on IPFire, as we never swap filesystems during runtime.
Fixes: #12432
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.armv6l-ipfire | 13 ++++++++++++- config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.x86_64-ipfire | 13 ++++++++++++- 4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index d9179c061..b2ef43e51 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
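Review bot: with CONFIG_UBSAN_TRAP left unset, this hunk (and the identical hunks for armv6l, riscv64 and x86_64 below) adds detection and logging, not a mitigation: a detected violation prints a UBSAN report and execution continues on the faulting path. If hardening is the intent, CONFIG_UBSAN_TRAP=y is what turns an out-of-bounds index into a trap that kills the offending context, at the cost of a bare oops instead of the UBSAN report. Of the checkers enabled here only UBSAN_BOUNDS has direct security value (index out of range on fixed-size arrays); UBSAN_SHIFT, UBSAN_BOOL and UBSAN_ENUM mainly find bugs and emit warnings, and with UBSAN_SANITIZE_ALL=y every object file is instrumented for all of them. The size and speed question raised below is best answered in the commit message with a before/after size of vmlinux and of the modules tree for one architecture; if the cost is unwelcome, keeping UBSAN_BOUNDS alone, plus a decision on TRAP, retains most of the benefit.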
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 522278160..13326a29c 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y # CONFIG_DEBUG_FS_ALLOW_NONE is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index ebb830eb7..fa4ee46fa 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 675c3ce1e..e6a03a9e5 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_ARCH_KCSAN=y CONFIG_HAVE_KCSAN_COMPILER=y # CONFIG_KCSAN is not set
Hello,
The documentation for this says that CONFIG_UBSAN_SANITIZE_ALL will massively increase the size of the kernel.
How much is this? A larger kernel generally means slower execution. Did you perform any benchmarks?
On 19 Mar 2022, at 21:09, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.armv6l-ipfire | 13 ++++++++++++- config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++- config/kernel/kernel.config.x86_64-ipfire | 13 ++++++++++++- 4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index d9179c061..b2ef43e51 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 522278160..13326a29c 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y # CONFIG_DEBUG_FS_ALLOW_NONE is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index ebb830eb7..fa4ee46fa 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_KCSAN_COMPILER=y # end of Generic Kernel Debugging Instruments
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 675c3ce1e..e6a03a9e5 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -# CONFIG_UBSAN is not set +CONFIG_UBSAN=y +# CONFIG_UBSAN_TRAP is not set +CONFIG_CC_HAS_UBSAN_BOUNDS=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ONLY_BOUNDS=y +CONFIG_UBSAN_SHIFT=y +# CONFIG_UBSAN_DIV_ZERO is not set +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_ENUM=y +# CONFIG_UBSAN_ALIGNMENT is not set +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_TEST_UBSAN is not set CONFIG_HAVE_ARCH_KCSAN=y CONFIG_HAVE_KCSAN_COMPILER=y
# CONFIG_KCSAN is not set
-- 2.34.1
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b2ef43e51..b485c2fb6 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 13326a29c..98b554d91 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index fa4ee46fa..b595ae8cd 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index e6a03a9e5..b325feb1d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y
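Review bot: enabling CONFIG_SECURITY_SAFESETID on its own changes nothing at runtime, and the hunk shows neither of the two pieces that would. SafeSetID only restricts UIDs (and on newer kernels GIDs) that appear as a source in a policy written to securityfs at /sys/kernel/security/safesetid/uid_allowlist_policy (older kernels: whitelist_policy) as lines of the form `<from_uid>:<to_uid>`, and nothing in this series loads such a policy; and 'safesetid' must be present in CONFIG_LSM, which this hunk does not touch, for the module to be initialised at all. The misc-progs concern raised below is therefore premature for the patch as posted: without a policy, setuid()-family calls by CAP_SETUID holders stay unrestricted, and the LSM hooks the setid syscalls, not exec of setuid binaries. Either hold the patch until a policy and the script that loads it exist, or state in the commit message that the module ships inert and what the intended policy is.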
Where is this whitelist defined then?
We use setuid and I would assume that this change will break all misc-progs.
-Michael
On 19 Mar 2022, at 21:09, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b2ef43e51..b485c2fb6 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 13326a29c..98b554d91 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index fa4ee46fa..b595ae8cd 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index e6a03a9e5..b325feb1d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y -- 2.34.1
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 6 +++++- config/kernel/kernel.config.armv6l-ipfire | 6 +++++- config/kernel/kernel.config.riscv64-ipfire | 6 +++++- config/kernel/kernel.config.x86_64-ipfire | 6 +++++- 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b485c2fb6..356d9051d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 98b554d91..9dab473d4 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index b595ae8cd..adef88dc9 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b325feb1d..222b2dc53 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set
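Review bot: the hunk does not show CONFIG_MODULE_SIG, and that decides whether the module-loading part of integrity mode does anything: lockdown's module-signature check is only reached when module signature checking is compiled in, so either IPFire modules are signed and CONFIG_MODULE_SIG=y (then unsigned third-party modules are rejected, which is the point) or MODULE_SIG is off and module loading stays unrestricted. Please say which in the commit message. Also worth listing there, because they are what integrity mode refuses on a running system: unsigned kexec_load, writes to /dev/mem and /dev/port, ioperm/iopl, MSR writes via /dev/cpu/*/msr, PCI config-space writes (setpci), ACPI table overrides, debugfs writes and hibernation. KVM through /dev/kvm and VFIO device assignment use none of these, so the untested-virtualisation worry in the cover letter is unlikely to be a lockdown problem. With securityfs mounted, `cat /sys/kernel/security/lockdown` on the booted kernel should read `none [integrity] confidentiality`; that check belongs in the testing note.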
This looks good to me.
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 19 Mar 2022, at 21:10, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 6 +++++- config/kernel/kernel.config.armv6l-ipfire | 6 +++++- config/kernel/kernel.config.riscv64-ipfire | 6 +++++- config/kernel/kernel.config.x86_64-ipfire | 6 +++++- 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b485c2fb6..356d9051d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 98b554d91..9dab473d4 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index b595ae8cd..adef88dc9 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b325feb1d..222b2dc53 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set CONFIG_SECURITY_SAFESETID=y -# CONFIG_SECURITY_LOCKDOWN_LSM is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
-- 2.34.1
Since we cannot trust the kernel to do the right thing (tm) in such a situation anymore, triggering a BUG is less bad than running on a kernel in an undefined state.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.riscv64-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 356d9051d..06379d544 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 9dab473d4..68e37304a 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index adef88dc9..8cec9a200 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 222b2dc53..0c6731bd1 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set
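Review bot: the commit message should say what actually happens on detection, since that is what the question below is about. CONFIG_DEBUG_LIST makes list_add() and list_del() validate the neighbouring prev/next pointers, and CONFIG_BUG_ON_DATA_CORRUPTION turns the CHECK_DATA_CORRUPTION() that fires on a failed check from a WARN-and-continue into a BUG(), which kills the task that hit it, or panics the machine if panic_on_oops is set. The value is not the log line: a corrupted list pointer is the write-what-where primitive a kernel heap-overflow exploit uses, and stopping the task before the corrupted pointers are dereferenced is what denies it. The operational flip side belongs in the message too: on a firewall this means a dead kernel thread or a reboot instead of a warning, so state which of the two IPFire wants and whether panic_on_oops is set in the shipped sysctl defaults.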
I don’t quite follow what the benefit of this is.
The kernel would log something. That is it. Not bad, but I don’t see how this would help.
On 19 Mar 2022, at 21:10, Peter Müller peter.mueller@ipfire.org wrote:
Since we cannot trust the kernel to do the right thing (tm) in such a situation anymore, triggering a BUG is less bad than running on a kernel in an undefined state.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.riscv64-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 356d9051d..06379d544 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y
Why did this have to be changed? CONFIG_BUG_ON_DATA_CORRUPTION does not depend on this as far as I can see.
# CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 9dab473d4..68e37304a 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index adef88dc9..8cec9a200 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 222b2dc53..0c6731bd1 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Debug kernel data structures
# CONFIG_DEBUG_CREDENTIALS is not set
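Review bot: on the CONFIG_DEBUG_LIST question interleaved above: that symbol was not flipped by hand, it is a `select DEBUG_LIST` of CONFIG_BUG_ON_DATA_CORRUPTION in lib/Kconfig.debug and shows up in the diff as a consequence of regenerating the config. There is nothing to BUG on unless the list validation exists, which is why the two always move together; one sentence in the commit message would pre-empt the question.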
-- 2.34.1
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 06379d544..0fcbed4a2 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 68e37304a..468c74112 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 8cec9a200..de975e3f0 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0c6731bd1..0b9c79209 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers
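Review bot: the effect of this change is narrower than the patch title suggests and the commit message should say so. With CONFIG_LDISC_AUTOLOAD unset, tty_ldisc_get() still calls request_module() for a missing line discipline when the caller has CAP_SYS_MODULE, so pppd or ldattach running as root keep working; only callers without that capability, the case that mattered for the historical line-discipline module bugs, get EPERM from TIOCSETD. The Kconfig value is also just the default of the runtime sysctl dev.tty.ldisc_autoload, so it can be re-enabled without a rebuild. Given the history mentioned below, a one-line note that root-run pppd is unaffected would probably settle it.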
This patch has been submitted so many times. *Please* make sure it is not going over my table again.
On 19 Mar 2022, at 21:10, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 06379d544..0fcbed4a2 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 68e37304a..468c74112 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 8cec9a200..de975e3f0 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
# # Serial drivers diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0c6731bd1..0b9c79209 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -CONFIG_LDISC_AUTOLOAD=y +# CONFIG_LDISC_AUTOLOAD is not set
#
# Serial drivers
-- 2.34.1
Since running virtual machines is one of our legitimate use cases, it makes sense to provide Qemu with the ability of taking advantage of IOMMU support for safer virtual memory allocation, if available.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.x86_64-ipfire | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0b9c79209..42275d26f 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m CONFIG_INTEL_IDXD_BUS=m CONFIG_INTEL_IDXD=m # CONFIG_INTEL_IDXD_COMPAT is not set +# CONFIG_INTEL_IDXD_SVM is not set # CONFIG_INTEL_IDXD_PERFMON is not set CONFIG_INTEL_IOATDMA=m CONFIG_PLX_DMA=m @@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_SVA_LIB=y CONFIG_AMD_IOMMU=y -# CONFIG_AMD_IOMMU_V2 is not set +CONFIG_AMD_IOMMU_V2=y CONFIG_DMAR_TABLE=y CONFIG_INTEL_IOMMU=y -# CONFIG_INTEL_IOMMU_SVM is not set +CONFIG_INTEL_IOMMU_SVM=y # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_INTEL_IOMMU_FLOPPY_WA=y # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
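Review bot: the commit message does not match what these symbols do, and that matters for whether the patch belongs in a hardening series at all. CONFIG_INTEL_IOMMU_SVM, CONFIG_AMD_IOMMU_V2 and CONFIG_IOMMU_SVA_LIB enable Shared Virtual Addressing, where a PASID-capable device walks a user process's page tables directly; the one consumer visible in this hunk, CONFIG_INTEL_IDXD_SVM, stays unset, so nothing here uses it. That is not what Qemu or VFIO device assignment rely on: DMA isolation for guests comes from CONFIG_INTEL_IOMMU=y and CONFIG_AMD_IOMMU=y, which the context lines show are already set. Turning SVA on adds the PASID, ATS and page-request paths to the running kernel without a user of them, which is attack surface rather than hardening. Suggest dropping the patch, or rewriting the message around the actual device use case and moving it out of this series.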
Acked-by: Michael Tremer michael.tremer@ipfire.org
On 19 Mar 2022, at 21:10, Peter Müller peter.mueller@ipfire.org wrote:
Since running virtual machines is one of our legitimate use cases, it makes sense to provide Qemu with the ability of taking advantage of IOMMU support for safer virtual memory allocation, if available.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.x86_64-ipfire | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 0b9c79209..42275d26f 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m CONFIG_INTEL_IDXD_BUS=m CONFIG_INTEL_IDXD=m # CONFIG_INTEL_IDXD_COMPAT is not set +# CONFIG_INTEL_IDXD_SVM is not set # CONFIG_INTEL_IDXD_PERFMON is not set CONFIG_INTEL_IOATDMA=m CONFIG_PLX_DMA=m @@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_SVA_LIB=y CONFIG_AMD_IOMMU=y -# CONFIG_AMD_IOMMU_V2 is not set +CONFIG_AMD_IOMMU_V2=y CONFIG_DMAR_TABLE=y CONFIG_INTEL_IOMMU=y -# CONFIG_INTEL_IOMMU_SVM is not set +CONFIG_INTEL_IOMMU_SVM=y # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_INTEL_IOMMU_FLOPPY_WA=y
# CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
2.34.1
grsecurity recommends disabling this on non-development systems for reducing attack surface. Since we never debug the kernel that deeply on a productive system, it makes sense to follow this recommendation.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
config/kernel/kernel.config.armv6l-ipfire | 13 ++-----------
config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
config/kernel/kernel.config.x86_64-ipfire | 17 ++---------------
4 files changed, 8 insertions(+), 48 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 0fcbed4a2..5bd15cc48 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 468c74112..06010f893 100644 
--- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index de975e3f0..6b0aa466f 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 42275d26f..eee5e4a55 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set # CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y -# CONFIG_LIVEPATCH is not set # end of Processor type and features
CONFIG_ARCH_HAS_ADD_PAGES=y @@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y -CONFIG_FTRACE_MCOUNT_USE_CC=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
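Review bot: the x86_64 hunk at `@@ -476,7 +474,6 @@` also drops `-# CONFIG_LIVEPATCH is not set`, i.e. kernel live patching silently becomes unavailable as a consequence of turning off the function tracer (it needs DYNAMIC_FTRACE_WITH_REGS, which the later hunk removes); the commit message should state that side effect so nobody later wonders where the option went. The attack-surface argument is also only partly realised: CONFIG_FTRACE=y, CONFIG_SCHED_TRACER=y, CONFIG_UPROBE_EVENTS=y and CONFIG_PROBE_EVENTS=y remain in the context lines of every file, so tracefs and the event and probe interfaces stay reachable for root. If those are intentionally kept for userspace tooling, please say so in the message; if not, they are the next candidates.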
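Review bot: the per-architecture hunks do not agree with each other. On x86_64 the `@@ -7627,15 +7617,12 @@` hunk removes both `-CONFIG_FTRACE_MCOUNT_RECORD=y` and `-CONFIG_FTRACE_MCOUNT_USE_CC=y`, but on aarch64, armv6l and riscv64 only `-CONFIG_FTRACE_MCOUNT_RECORD=y` goes while CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y (aarch64) and CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y (armv6l, riscv64) stay as unchanged context. Those symbols are derived from FTRACE_MCOUNT_RECORD, so the non-x86_64 files look hand-edited rather than regenerated, which matches the cover letter's note that they could not be cross-compiled. Please run `make olddefconfig` against each of them before merging so the committed configs match what the build will actually produce instead of being rewritten at build time.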
Could you please verify that powertop does not need any of these?
On 19 Mar 2022, at 21:11, Peter Müller peter.mueller@ipfire.org wrote:
grsecurity recommends disabling this on non-development systems for reducing attack surface. Since we never debug the kernel that deeply on a productive system, it makes sense to follow this recommendation.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
config/kernel/kernel.config.armv6l-ipfire | 13 ++-----------
config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
config/kernel/kernel.config.x86_64-ipfire | 17 ++---------------
4 files changed, 8 insertions(+), 48 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 0fcbed4a2..5bd15cc48 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 468c74112..06010f893 100644 
--- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set @@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index de975e3f0..6b0aa466f 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 42275d26f..eee5e4a55 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TREE_SRCU=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem @@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set # CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y -# CONFIG_LIVEPATCH is not set # end of Processor type and features
CONFIG_ARCH_HAS_ADD_PAGES=y @@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y # CONFIG_BOOTTIME_TRACING is not set -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_FUNCTION_PROFILER=y -CONFIG_STACK_TRACER=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set # CONFIG_IRQSOFF_TRACER is not set CONFIG_SCHED_TRACER=y # CONFIG_HWLAT_TRACER is not set @@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y CONFIG_UPROBE_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y -CONFIG_FTRACE_MCOUNT_RECORD=y -CONFIG_FTRACE_MCOUNT_USE_CC=y # CONFIG_SYNTH_EVENTS is not set # CONFIG_HIST_TRIGGERS is not set # CONFIG_TRACE_EVENT_INJECT is not set # CONFIG_TRACEPOINT_BENCHMARK is not set CONFIG_RING_BUFFER_BENCHMARK=m # CONFIG_TRACE_EVAL_MAP_FILE is not set -# CONFIG_FTRACE_RECORD_RECURSION is not set # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_RING_BUFFER_STARTUP_TEST is not set
# CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
2.34.1
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/rootfiles/common/x86_64/linux | 33 ++++++++++++++++------------
1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index a01af1fc4..85d8ffc66 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -6408,6 +6408,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/ALX #lib/modules/KVER-ipfire/build/include/config/AMD8111_ETH #lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU +#lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU_V2 #lib/modules/KVER-ipfire/build/include/config/AMD_NB #lib/modules/KVER-ipfire/build/include/config/AMD_PHY #lib/modules/KVER-ipfire/build/include/config/AMD_PMC @@ -6680,7 +6681,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INITRD #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY_T10 -#lib/modules/KVER-ipfire/build/include/config/BLK_DEV_IO_TRACE #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP_MIN_COUNT #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_MD @@ -6763,6 +6763,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/BTT #lib/modules/KVER-ipfire/build/include/config/BUG +#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT #lib/modules/KVER-ipfire/build/include/config/CACHEFILES 
@@ -6786,6 +6787,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_UBSAN_BOUNDS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC @@ -7086,6 +7088,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL +#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX #lib/modules/KVER-ipfire/build/include/config/DECOMPRESS_BZIP2 @@ -7417,10 +7420,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS -#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_REGS #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_MEMORY_LAYOUT #lib/modules/KVER-ipfire/build/include/config/E100 #lib/modules/KVER-ipfire/build/include/config/E1000 
@@ -7589,14 +7588,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/FS_MBCACHE #lib/modules/KVER-ipfire/build/include/config/FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/FTRACE -#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_RECORD -#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_USE_CC #lib/modules/KVER-ipfire/build/include/config/FTRACE_SYSCALLS #lib/modules/KVER-ipfire/build/include/config/FUJITSU_ES #lib/modules/KVER-ipfire/build/include/config/FUJITSU_LAPTOP -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_GRAPH_TRACER -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_PROFILER -#lib/modules/KVER-ipfire/build/include/config/FUNCTION_TRACER #lib/modules/KVER-ipfire/build/include/config/FUSE_FS #lib/modules/KVER-ipfire/build/include/config/FUSION #lib/modules/KVER-ipfire/build/include/config/FUSION_CTL @@ -8070,6 +8064,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/INTEL_IOATDMA #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_FLOPPY_WA +#lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_SVM #lib/modules/KVER-ipfire/build/include/config/INTEL_IPS #lib/modules/KVER-ipfire/build/include/config/INTEL_ISH_HID #lib/modules/KVER-ipfire/build/include/config/INTEL_LDMA @@ -8090,6 +8085,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/IOMMU_IOVA #lib/modules/KVER-ipfire/build/include/config/IOMMU_IO_PGTABLE #lib/modules/KVER-ipfire/build/include/config/IOMMU_SUPPORT +#lib/modules/KVER-ipfire/build/include/config/IOMMU_SVA_LIB #lib/modules/KVER-ipfire/build/include/config/IONIC #lib/modules/KVER-ipfire/build/include/config/IOSCHED_BFQ #lib/modules/KVER-ipfire/build/include/config/IOSF_MBI 
@@ -8345,7 +8341,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/LAN743X #lib/modules/KVER-ipfire/build/include/config/LCD_CLASS_DEVICE #lib/modules/KVER-ipfire/build/include/config/LCD_PLATFORM -#lib/modules/KVER-ipfire/build/include/config/LDISC_AUTOLOAD #lib/modules/KVER-ipfire/build/include/config/LDM_PARTITION #lib/modules/KVER-ipfire/build/include/config/LD_IS_BFD #lib/modules/KVER-ipfire/build/include/config/LD_ORPHAN_WARN @@ -8414,6 +8409,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/LOCKD_V4 #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT +#lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_INTEGRITY #lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER #lib/modules/KVER-ipfire/build/include/config/LOGO @@ -9867,6 +9863,11 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/SECURITY #lib/modules/KVER-ipfire/build/include/config/SECURITYFS #lib/modules/KVER-ipfire/build/include/config/SECURITY_DMESG_RESTRICT +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN_ENFORCE +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM +#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM_EARLY +#lib/modules/KVER-ipfire/build/include/config/SECURITY_SAFESETID #lib/modules/KVER-ipfire/build/include/config/SELECT_MEMORY_MODEL #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU3 
@@ -10345,7 +10346,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/STACKPROTECTOR_STRONG #lib/modules/KVER-ipfire/build/include/config/STACKTRACE #lib/modules/KVER-ipfire/build/include/config/STACKTRACE_SUPPORT -#lib/modules/KVER-ipfire/build/include/config/STACK_TRACER #lib/modules/KVER-ipfire/build/include/config/STACK_VALIDATION #lib/modules/KVER-ipfire/build/include/config/STAGING #lib/modules/KVER-ipfire/build/include/config/STANDALONE @@ -10395,8 +10395,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/SYS_HYPERVISOR #lib/modules/KVER-ipfire/build/include/config/TAP #lib/modules/KVER-ipfire/build/include/config/TASKSTATS -#lib/modules/KVER-ipfire/build/include/config/TASKS_RCU_GENERIC -#lib/modules/KVER-ipfire/build/include/config/TASKS_RUDE_RCU #lib/modules/KVER-ipfire/build/include/config/TASK_DELAY_ACCT #lib/modules/KVER-ipfire/build/include/config/TASK_IO_ACCOUNTING #lib/modules/KVER-ipfire/build/include/config/TASK_XACCT @@ -10502,6 +10500,13 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/TYPEC_TCPM #lib/modules/KVER-ipfire/build/include/config/TYPEC_UCSI #lib/modules/KVER-ipfire/build/include/config/TYPHOON +#lib/modules/KVER-ipfire/build/include/config/UBSAN +#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOOL +#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOUNDS +#lib/modules/KVER-ipfire/build/include/config/UBSAN_ENUM +#lib/modules/KVER-ipfire/build/include/config/UBSAN_ONLY_BOUNDS +#lib/modules/KVER-ipfire/build/include/config/UBSAN_SANITIZE_ALL +#lib/modules/KVER-ipfire/build/include/config/UBSAN_SHIFT #lib/modules/KVER-ipfire/build/include/config/UCS2_STRING #lib/modules/KVER-ipfire/build/include/config/UCSI_ACPI #lib/modules/KVER-ipfire/build/include/config/UDF_FS
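Review bot: the commit has no message body. Since the cover letter says only x86_64 could be built, please state that this rootfile was regenerated from an actual build of the new x86_64 config, and that config/rootfiles for aarch64, armv6l and riscv64 still need the same refresh, so the outstanding work is recorded in the history. It is also worth one sentence that every added or removed line is a `#lib/modules/KVER-ipfire/build/include/config/...` entry, i.e. a commented-out header tracking the new Kconfig symbols (SECURITY_LOCKDOWN_LSM, LOCK_DOWN_KERNEL_FORCE_INTEGRITY, SECURITY_LOADPIN_ENFORCE, SECURITY_SAFESETID, the UBSAN_* set, INTEL_IOMMU_SVM, AMD_IOMMU_V2, IOMMU_SVA_LIB, and the dropped FTRACE and TASKS_RCU ones), so, going by the rootfile convention, nothing in the shipped package changes with this patch.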
Hello,
I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
At least the message needs to be silenced, but you should investigate whether sensors will still work and be able to access readings for its hardware sensors.
-Michael
On 19 Mar 2022, at 21:08, Peter Müller peter.mueller@ipfire.org wrote:
This patchset improves hardening of our Linux kernel configurations for all architectures. Most importantly, it features the activation of the "Linux Security Module", also known as "kernel lockdown" (a phrase coined before the pandemic), or LSM for short.
Being set to "integrity" mode for a start, LSM prevents the kernel from being modified by various mechanisms, of which we have some already covered. However, it comes as a more holistic approach, which is why enabling it is desirable for our userbase.
Most of this patchset is based on recommendations by the "kconfig-hardened-check" tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration taken directly from KSPP and grsecurity.
Being unable to cross-compile IPFire for non-x86_64-architectures on my own, and my VM on the Mustang currently being offline, this patchset does not come with aligned kernel rootfiles for other architectures than x86_64. I am sorry for any inconvenience and extra workload caused by this.
Also, for the sake of completeness, the effect of LSM on virtualisation has not been tested due to time constraints, and a lack of oversight _which_ virtualisation features we officially support and which we don't. In doubt, however, I believe the security benefit gained from LSM outweighs a partial functional loss of virtualisation - but that is a highly biased opinion. :-)
Peter Müller (11):
Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
Kernel: Disable support for tracing block I/O actions
Kernel: Pin loading kernel files to one filesystem
Kernel: Enable undefined behaviour sanity checker
Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
Kernel: Enable LSM support and set security level to "integrity"
Kernel: Trigger BUG if data corruption is detected
Kernel: Do not automatically load TTY line disciplines, only if necessary
Kernel: Enable SVA support for both Intel and AMD CPUs
Kernel: Disable function and stack tracers
Kernel: Update rootfile for x86_64
config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++----------
config/rootfiles/common/x86_64/linux | 33 +++++++------
5 files changed, 131 insertions(+), 100 deletions(-)
-- 2.34.1
Hello Michael,
thanks for your e-mail.
This is caused by the kernel lockdown patch, since /dev/port apparently can be used to alter the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires /dev/port access is no longer available. On my testing hardware, that does not make a difference, but I presume it will on other hardware with more or different sensors.
sensors-detect does not implement any option to probe non-/dev/port sensors only, so I guess there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript to reflect that.
Thanks, and best regards, Peter Müller
Hello,
I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
At least the message needs to be silenced, but you should investigate whether sensors will still work and be able to access readings for its hardware sensors.
-Michael
On 19 Mar 2022, at 21:08, Peter Müller peter.mueller@ipfire.org wrote:
This patchset improves hardening of our Linux kernel configurations for all architectures. Most importantly, it features the activation of the "Linux Security Module", also known as "kernel lockdown" (a phrase coined before the pandemic), or LSM for short.
Being set to "integrity" mode for a start, LSM prevents the kernel from being modified by various mechanisms, of which we have some already covered. However, it comes as a more holistic approach, which is why enabling it is desirable for our userbase.
Most of this patchset is based on recommendations by the "kconfig-hardened-check" tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration taken directly from KSPP and grsecurity.
Being unable to cross-compile IPFire for non-x86_64-architectures on my own, and my VM on the Mustang currently being offline, this patchset does not come with aligned kernel rootfiles for other architectures than x86_64. I am sorry for any inconvenience and extra workload caused by this.
Also, for the sake of completeness, the effect of LSM on virtualisation has not been tested due to time constraints, and a lack of oversight _which_ virtualisation features we officially support and which we don't. In doubt, however, I believe the security benefit gained from LSM outweighs a partial functional loss of virtualisation - but that is a highly biased opinion. :-)
Peter Müller (11):
Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
Kernel: Disable support for tracing block I/O actions
Kernel: Pin loading kernel files to one filesystem
Kernel: Enable undefined behaviour sanity checker
Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
Kernel: Enable LSM support and set security level to "integrity"
Kernel: Trigger BUG if data corruption is detected
Kernel: Do not automatically load TTY line disciplines, only if necessary
Kernel: Enable SVA support for both Intel and AMD CPUs
Kernel: Disable function and stack tracers
Kernel: Update rootfile for x86_64
config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.armv6l-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
config/kernel/kernel.config.x86_64-ipfire | 57 ++++++++++++----------
config/rootfiles/common/x86_64/linux | 33 +++++++------
5 files changed, 131 insertions(+), 100 deletions(-)
-- 2.34.1
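The /dev/port breakage discussed above is a direct effect of the lockdown LSM, which reports its active mode in /sys/kernel/security/lockdown (the file reads like `none [integrity] confidentiality`, with the active mode in brackets). As an added example, not part of this patchset and not IPFire's collectd initscript, here is a POSIX sh fragment that reads that file and runs sensors-detect only where raw port access is still permitted, logging why it is skipped otherwise, instead of discarding all of its output with `> /dev/null 2>&1`. The function names and the sample status file are my own constructions; the path and file format are the kernel's.

```shell
#!/bin/sh
# Added example (not from the IPFire patchset): gate sensors-detect on the
# kernel lockdown mode instead of silencing it unconditionally.

# Print the active lockdown mode. The kernel exposes it at
# /sys/kernel/security/lockdown as e.g. "none [integrity] confidentiality",
# with the active mode in brackets. Prints "none" if the file is absent
# (kernel built without CONFIG_SECURITY_LOCKDOWN_LSM, or securityfs not
# mounted). An optional argument overrides the path, used for testing.
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    if [ ! -r "$file" ]; then
        echo none
        return 0
    fi
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file")
    echo "${mode:-none}"
}

# Raw I/O port access via /dev/port is refused once the kernel is locked
# down in integrity mode (confidentiality implies integrity), so the
# ISA/port probing done by sensors-detect fails there. Returns 0 if
# probing is allowed, 1 otherwise.
port_probing_allowed() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 1 ;;
        *) return 0 ;;
    esac
}

# What an init script would do: probe only where the kernel permits it,
# and say why it is skipped otherwise so the omission is visible in logs.
run_sensors_detect() {
    if port_probing_allowed "$1"; then
        # in a real init script: sensors-detect --auto
        echo "lockdown=$(lockdown_mode "$1"): running sensors-detect"
    else
        echo "lockdown=$(lockdown_mode "$1"): /dev/port unavailable, skipping sensors-detect"
    fi
}

# Constructed sample input standing in for /sys/kernel/security/lockdown
# on a kernel booted with the "integrity" level from this patchset.
sample=$(mktemp)
printf 'none [integrity] confidentiality\n' > "$sample"
run_sensors_detect "$sample"
rm -f "$sample"
```

On a real system the functions are called without an argument and read the kernel's own file; the constructed sample merely shows the integrity case, which is the one this patchset turns on.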
Could you please check with Arne how severe this is for the sensors?
On 13 Apr 2022, at 10:18, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your e-mail.
This is caused by the kernel lockdown patch, since /dev/port apparently can be used to alter the running kernel, hence it is no longer available if LSM runs in "integrity" mode.
On my testing machine, sensors and sensors-detect continue to work, but any sensor that requires /dev/port access is no longer available. On my testing hardware, that does not make a difference, but I presume it will on other hardware with more or different sensors.
sensors-detect does not implement any option to probe non-/dev/port sensors only, so I guess there is nothing we can do besides a "> /dev/null 2>&1". I will change the collectd initscript to reflect that.
Thanks, and best regards, Peter Müller
Hello,
I don’t know exactly which patch is responsible for this, but /dev/port is no longer accessible by sensors-detect.
This leads to ugly messages when the system is booting up for the first time. Please see the attached screenshot.
At least the message needs to be silenced, but you should investigate whether sensors will still work and be able to access readings for its hardware sensors.
-Michael
On 19 Mar 2022, at 21:08, Peter Müller peter.mueller@ipfire.org wrote:
For the record: I spoke to Arne regarding this on the phone the other day. He confirmed to me that this is by no means a severe issue from his point of view, and will check whether firmware flashing continues to work with the hardened kernel.
Could you please check with Arne how severe this is for the sensors?
Hello Peter,
Thank you. So for the sensors, we can keep LSM on. Cool.
-Michael
On 14 Apr 2022, at 07:16, Peter Müller peter.mueller@ipfire.org wrote:
For the records: I spoke to Arne regarding this on the phone the other day. He confirmed to me that this is by no means a severe issue from his point of view, and will check whether firmware flashing continues to work with the hardened kernel.
Hello Michael,
aaaaand here is the disappointment: As already apprehended, firmware flashing no longer works with the hardened kernel, as Arne told me on the phone today. :-/
(And since all these APUs run on x86_64 as well, we cannot even enable LSM on that kernel, like we did with other hardening features that were not available or usable on certain architectures.
Another option would be leaving LSM enabled, but without enforcing the "integrity" level. It can be enabled via a trigger to some /proc location at runtime - but attackers can tamper with that, it kind of renders the whole idea ad absurdum, and I would really consider this as a last resort. Besides, users would have to disable it every time they want to flash a firmware.)
Oh, goddammit. Why can't _one_ thing in life just _work_?!
Thanks, and best regards, Peter Müller
Hello Peter,
Thank you. So for the sensors, we can keep LSM on. Cool.
-Michael
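An added example to go with Peter's 13 Apr note on /dev/port and the collectd initscript, and his later remark about switching lockdown at runtime. It is not IPFire's initscript and not code from anyone in this thread. It relies on two facts about the upstream kernel rather than on anything stated above: the lockdown LSM publishes its state in securityfs at /sys/kernel/security/lockdown as a line like "none [integrity] confidentiality", with the active mode in brackets, and writing to that file can only raise the mode, never lower it before a reboot; and in "integrity" or "confidentiality" mode, open(2) on /dev/port and /dev/mem fails with EPERM for root and CAP_SYS_RAWIO holders alike. The variable and function names, the stand-in for sensors-detect and its messages, and the sample securityfs contents are all constructed for this example. Instead of discarding all of sensors-detect's output, it reads the lockdown state first, reports once why the port probes will fail, and keeps the tool's stderr in a log so that the probes that still work (as observed in the thread) are not silenced along with the expected complaints:

```shell
#!/bin/sh
# Added example (not IPFire's collectd initscript): handle sensors-detect
# under kernel lockdown deliberately instead of a blanket "> /dev/null 2>&1".
#
# Upstream kernel facts this relies on (not taken from the thread):
#  - The lockdown LSM shows its state in securityfs, /sys/kernel/security/lockdown,
#    as e.g. "none [integrity] confidentiality"; the bracketed word is the
#    active mode. Writing to that file can only raise the mode, never lower it.
#  - In "integrity" or "confidentiality" mode, open(2) on /dev/port and
#    /dev/mem fails with EPERM, for root and CAP_SYS_RAWIO holders alike.
#
# LOCKDOWN_FILE, SENSORS_DETECT, SENSORS_LOG and the function names are this
# example's own; the defaults can be overridden from the environment.

LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"
SENSORS_DETECT="${SENSORS_DETECT:-sensors-detect --auto}"
SENSORS_LOG="${SENSORS_LOG:-/var/log/sensors-detect.log}"

# lockdown_mode [file]: print the active mode ("none", "integrity" or
# "confidentiality"). Kernels without the lockdown LSM have no such file;
# that counts as "none".
lockdown_mode() {
    ld_file="${1:-$LOCKDOWN_FILE}"
    [ -r "$ld_file" ] || { echo none; return 0; }
    ld_mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$ld_file")
    echo "${ld_mode:-none}"
}

# port_open_check [device]: reproduce the symptom from the thread directly,
# i.e. try to open /dev/port for reading. Returns 0 if the open succeeds,
# non-zero if the kernel (or a missing device node) refuses it.
port_open_check() {
    ld_dev="${1:-/dev/port}"
    [ -e "$ld_dev" ] || return 1
    ( exec 3<"$ld_dev" ) 2>/dev/null
}

# run_sensors_detect [lockdown_file]: run $SENSORS_DETECT. With lockdown
# active, say so once on the console and append the tool's stderr (the
# /dev/port complaints, but also anything else that goes wrong) to
# $SENSORS_LOG rather than throwing it away; the other probes still run.
run_sensors_detect() {
    sd_mode=$(lockdown_mode "$1")
    if [ "$sd_mode" = none ]; then
        $SENSORS_DETECT
        return $?
    fi
    echo "sensors-detect: kernel lockdown=$sd_mode, /dev/port access will be refused; stderr goes to $SENSORS_LOG"
    $SENSORS_DETECT 2>>"$SENSORS_LOG"
}

# Demonstration with constructed securityfs contents and a stand-in for
# sensors-detect, so this runs on any machine without touching hardware.
demo_file=$(mktemp)
demo_log=$(mktemp)
fake_sensors_detect() {
    echo "Can't open /dev/port: Operation not permitted" >&2   # constructed message
    echo "Driver 'coretemp' found"                               # constructed message
}
SENSORS_DETECT=fake_sensors_detect
SENSORS_LOG=$demo_log
printf 'none [integrity] confidentiality\n' >"$demo_file"
run_sensors_detect "$demo_file"
echo "--- logged stderr:"; cat "$demo_log"
rm -f "$demo_file" "$demo_log"
```

Running port_open_check against the real /dev/port is the quickest way to confirm on a given box that it is lockdown, and not absent hardware, that sensors-detect trips over. The same lockdown checks also cover iopl/ioperm, /dev/mem and direct PCI config space access, which is the kind of raw access firmware-flashing tools generally need, so lockdown_mode is equally usable for deciding up front whether a flashing attempt can work on the hardened kernel discussed later in the thread.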