User:Pietinger/Tutorials/Kernel Hardening with KSPP

From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Tutorial: Kernel Hardening with KSPP

This tutorial shows an easy way to harden your kernel. Only our Gentoo default sources will be used.

Note
If you think you dont need it because you have Hardened-Sources you are wrong. Hardened-Sources has no hardened kernel; you must harden your kernel by youself !

Link to KSPP

In every case you need this: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Print the whole page or copy it into a text-file; you will need it later.

In this video from the "Linux Security Summit 2021" Kees Cook (who also updates this KSPP Page) explains why it is so important to harden your kernel and also explains the progress made from Linux version 5.3 until 5.15: https://www.youtube.com/watch?v=-Binxid8t_8

Transfer KSPP settings into your kernel

Of course you can set all these settings manually into your kernel. This you have to do if you dont use Gentoo-Sources. With Gentoo-Sources there is an easy way ... Maybe you have have already seen this kernel setting:

KERNEL
Gentoo Linux  --->
    [ ] Kernel Self Protection Project

After enabling this option maybe you will see this:

KERNEL
--- Kernel Self Protection Project
[ ]   Enable Kernel Self Protection Project Recommendations
[ ]     X86_64 KSPP Settings

Maybe you dont have these two options. Why ?

If you read all recommended settings in KSPP Homepage you will see there are many kernel options which must be disabled. Disabling a kernel option with a Kconfig file is not possible. The only way to proof if something is disbled is a check in Kconfig with "... !options". ! means: NOT. Now look into /usr/src/linux/distro/Kconfig. You will see in the second half of this file a line like this:

FILE /usr/src/linux/distro/Kconfig
depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT

If one of these options are enabled this line cause a hiding of this option. For example if you have enabled Hibernation you will not see the kernel option "Enable Kernel Self Protection Project Recommendations". This leads to my recommendation for a ...

Course of action

1. First of all disable all kernel options with the description in the link you have now. Yes, also "DEVMEM". If you search for "DEVKMEM" you will not find it if you have kernel 5.15 (or newer); kernel developer have revoked it. Do not disable IA32 if you have a Multilib-System ! Do not disable Module-Support if you have kernel modules enabled with {M}. You can disable Module-Support only if you have a monolithic kernel.

2. Now you are able to enable MANY options with these two options in our Gentoo section. Cancel all these many options (best with content of usr/src/linux/distro/Kconfig; but you can use also <HELP>) on your print output (or in your text file).

3. Check if there are some options you dont have enabled automatically. At the time of writing this is only:

KERNEL
General setup  --->
    [*] Compile the kernel with warnings as errors

[*] Mitigations for speculative execution vulnerabilities  --->
    [*]   Remove the kernel mapping in user mode
    [*]   Avoid speculative indirect branches in kernel
    [*]     Enable return-thunks
    [*]   Enable IBRS on kernel entry
    [*]   Mitigate Straight-Line-Speculation
Warning
Since 2022-10-15 we have new recommendations in KSPP. One of them is enabling LOCKDOWN. Do this only if you have signed your Kernel modules (see here: Signed_kernel_module_support ), OR you have a monolithic kernel (see more here: Kernel_Modules#Going_completely_.22module-less.22 ) !

4. Dont forget some settings in SYSCTL. You can copy it from KSPP directly in (just add them at the end):

root #nano -w /etc/sysctl.conf

5. In KSPP there also some kernel command line settings, like e.g.: "nosmt" which would disable SMT (Intel call it "Hyperthreading"). In my point of view this is only necessary if it is a server and you have virtual machines. A desktop doesnt need it. But it is your decision !


Note
This is my third try for creating a wiki article. Maybe some formatting is wrong. Because it is a tutorial and not a reference guide I ignored the standard of not writing in first or second person. Yes, my english is very poor.