User:Pietinger/Tutorials/Kernel Hardening with KSPP

From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Tutorial: Kernel Hardening with KSPP

This tutorial shows an easy way to harden your kernel. Only our Gentoo default sources will be used.

Note
If you think you dont need it because you have Hardened-Sources you are wrong. Hardened-Sources has no hardened kernel; you must harden your kernel by youself !

Link to KSPP

In every case you need this: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Print the whole page or copy it into a text-file; you will need it later.

In this video from the "Linux Security Summit 2021" Kees Cook (who also updates this KSPP Page) explains why it is so important to harden your kernel and also explains the progress made from Linux version 5.3 until 5.15: https://www.youtube.com/watch?v=-Binxid8t_8

Transfer KSPP settings into your kernel

Of course you can set all these settings manually into your kernel. This you have to do if you dont use Gentoo-Sources. With Gentoo-Sources there is an easy way ... Maybe you have have already seen this kernel setting:

KERNEL
Gentoo Linux  --->
    [ ] Kernel Self Protection Project

After enabling this option maybe you will see this:

KERNEL
--- Kernel Self Protection Project
[ ]   Enable Kernel Self Protection Project Recommendations
[ ]     X86_64 KSPP Settings

Maybe you dont have these two options. Why ?

If you read all recommended settings in KSPP Homepage you will see there are many kernel options which must be disabled. Disabling a kernel option with a Kconfig file is not possible. The only way to proof if something is disbled is a check in Kconfig with "... !options". ! means: NOT. Now look into /usr/src/linux/distro/Kconfig. You will see in the second half of this file a line like this:

FILE /usr/src/linux/distro/Kconfig
depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT

If one of these options are enabled this line cause a hiding of this option. For example if you have enabled Hibernation you will not see the kernel option "Enable Kernel Self Protection Project Recommendations". This leads to my recommendation for a ...

Course of action

1. First of all disable all kernel options with the description in the link you have now. Yes, also "DEVMEM". If you search for "DEVKMEM" you will not find it if you have kernel 5.15 (or newer); kernel developer have revoked it. Do not disable IA32 if you have a Multilib-System ! Do not disable Module-Support if you have kernel modules enabled with {M}. You can disable Module-Support only if you have a monolithic kernel.

2. If you have problems to find all necessary options do all settings described in next chapter.

3. Now you are able to enable MANY options with these two options in our Gentoo section. Cancel all these many options (best with content of usr/src/linux/distro/Kconfig; but you can use also <HELP>) on your print output (or in your text file).

4. Check if there are some options you dont have enabled automatically. At the time of writing this is only:

KERNEL
[*] Mitigations for speculative execution vulnerabilities  --->
    [*]   Mitigate Straight-Line-Speculation
Warning
Since 2022-11-01 we have new recommendations in KSPP. One of them is enabling LOCKDOWN. Do this only if you have signed your Kernel modules (see here: Signed_kernel_module_support ), OR you have a monolithic kernel (see more here: Kernel_Modules#Going_completely_.22module-less.22 ) !

5. Dont forget some settings in SYSCTL. You can copy it from KSPP directly in (just add them at the end):

root #nano -w /etc/sysctl.conf

6. In KSPP there also some kernel command line settings, like e.g.: "nosmt" which would disable SMT (Intel call it "Hyperthreading"). In my point of view this is only necessary if it is a server and you have virtual machines. A desktop doesnt need it. But it is your decision !

Minimum kernel configuration to get both KSPP options

... for a X86_64 system. You must enable "expert users" to be able to reach all necessary options. After enabling "expert users" check if "Framebuffer Console support" still is set. If not enable it again. Now you have to DISABLE and ENABLE all these:

Kernel 5.15

KERNEL
General setup  --->
    [*] Configure standard kernel features (expert users)  --->

Processor type and features  --->
    [ ] /dev/cpu/*/msr - Model-specific register support
    [ ] kexec system call
    [ ] Enable the LDT (local descriptor table)

Power management and ACPI options  --->
    [ ] Hibernation (aka 'suspend to disk')

General architecture-dependent options  --->
    [*] GCC plugins  --->

Memory Management options  --->
    [ ] Disable heap randomization

Device Drivers  --->
    Character devices  --->
        [ ]   Legacy (BSD) PTY support
    Graphics support  --->
        Console display driver support  --->
            [*] Framebuffer Console support
    [*] IOMMU Hardware Support  --->
        IOMMU default domain type (Translated - Strict)  --->

File systems  --->
    Pseudo filesystems  --->
        [ ]   /proc/kcore support

Security options  --->
    [*] Enable different security models

Kernel 6.1

Do all settings from 5.15 and ADDITIONALLY:

KERNEL
Security options  --->
    Kernel hardening options  --->
        Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines)  --->

Bad option

If you have enabled the really "bad" option "DEBUG_FS" it could be possible you must disable another option, because "ACPI_CUSTOM_METHOD" depends on "DEBUG_FS"; but it is much more better to disable "DEBUG_FS" (then you dont have "ACPI_CUSTOM_METHOD"). If you dont have enabled "DEBUG_FS" you will find this option only by pressing "z" and it is disabled by default (and you have nothing to do here):

KERNEL
Power management and ACPI options  --->
    [*] ACPI (Advanced Configuration and Power Interface) Support  --->
        - -   Allow ACPI methods to be inserted/replaced at run time

Slow System start ?

If you boot the first time with these new settings you will notice that your kernel needs longer to start. Before it took 1.2 seconds (until "Run /sbin/init as init process") and now kernel needs 2.5 seconds. If you think this is crazy; these settings have halved my CPU performance ... then don't worry ... and look carefully into your dmesg output and examine the timestamps. You will find something like this:

root #dmesg
[...]
[    0.030070] mem auto-init: stack:all(zero), heap alloc:on, heap free:on
[    0.030071] mem auto-init: clearing system memory may take some time...
[    0.030076] software IO TLB: area num 8.
[    1.358628] Memory: 16087256K/16653428K available (14343K kernel code, 1960K rwdata, 2456K rodata, 1564K init, 2888K bss, 565912K reserved, 0K cma-reserved)
[...]

(As you can see I have 16 GB RAM; machine is an Intel i7; but it doesn't matter how many cores your CPU has).

Yes, for security reasons your kernel will clear now your whole memory (with ONE Core of your CPU). If you have a 64 GB RAM machine you can expect it took aprox. 5 seconds.

More Hardening Options

With kernel version 6.1 we have one new option which is not listed in KSPP recommendation (from 2022-11-01). I have enabled it nevertheless:

KERNEL
Kernel hacking  --->
    Memory Debugging  --->
        [*] Check for invalid mappings in user page tables
        [*]   Enforce the page table checking by default


Note
This is my third try for creating a wiki article. Maybe some formatting is wrong. Because it is a tutorial and not a reference guide I ignored the standard of not writing in first or second person. Yes, my english is very poor.