
DRAFT : Proposed kernel configuration improvements to enhance security

Open aluciani opened this issue 1 year ago • 3 comments

I was looking at heads' kernel config (for nitropad-nv41 in my case), and I thought there might be some options that would be worth changing (“y” -> “is not set”, “is not set” -> “y”, and some literal values). This idea comes to me from a13xp0p0v's project kernel-hardening-checker, which aims to verify the security of a Linux kernel. It's true that this project is more for server or desktop Linux, but I think some options could be useful in the case of heads. I'm talking about the following options:

From “y” to “is not set”:

CONFIG_SLAB_MERGE_DEFAULT
CONFIG_MODULES
CONFIG_DEVMEM
CONFIG_LDISC_AUTOLOAD
CONFIG_FB
CONFIG_VT
CONFIG_DEVPORT
CONFIG_IO_URING
CONFIG_KCMP
~CONFIG_X86_IOPL_IOPERM //"needed by flashrom"
CONFIG_ACPI_TABLE_UPGRADE
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
~CONFIG_MAGIC_SYSRQ // "sysrq for safe belts" 
~CONFIG_MAGIC_SYSRQ_SERIAL // "sysrq for safe belts"

From “is not set” to “y”:

CONFIG_INIT_STACK_ALL_ZERO
CONFIG_DEBUG_WX
CONFIG_X86_KERNEL_IBT
CONFIG_BUG_ON_DATA_CORRUPTION
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_SLAB_FREELIST_RANDOM
CONFIG_SHUFFLE_PAGE_ALLOCATOR
CONFIG_FORTIFY_SOURCE
CONFIG_DEBUG_SG
CONFIG_INIT_ON_ALLOC_DEFAULT_ON
CONFIG_SCHED_CORE
CONFIG_KFENCE
CONFIG_KFENCE_SAMPLE_INTERVAL
CONFIG_INIT_ON_FREE_DEFAULT_ON
CONFIG_EFI_DISABLE_PCI_DMA
CONFIG_GCC_PLUGIN_STACKLEAK
CONFIG_STACKLEAK_METRICS
CONFIG_STACKLEAK_RUNTIME_DISABLE
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
CONFIG_PAGE_TABLE_CHECK
CONFIG_PAGE_TABLE_CHECK_ENFORCED
~CONFIG_HW_RANDOM_TPM //"unneeded" ?
CONFIG_CFI_AUTO_DEFAULT
CONFIG_SECCOMP

Literal values:

CONFIG_BLK_DEV_LOOP_MIN_COUNT: from "8" to "4"
CONFIG_KFENCE_SAMPLE_INTERVAL: from "0" to "100" #With CONFIG_KFENCE
CONFIG_ARCH_MMAP_RND_BITS: from "28" to "32"
CONFIG_NR_CPUS: from "32" to "24" //After speaking with TLaurion, it seems that 32 is a default value, so as not to bother (the board with the most CPUs would have 32 cores?); setting it to 32 is just for consistency and ease.

Please note that some options are changed automatically, but only after running the command “make BOARD=nitropad-nv41 linux.prompt_for_new_config_options_for_kernel_version_bump”. This is a draft, so I haven't checked whether it's really a problem to change the GCC version, etc., at the moment.

I'm adding a mod.md file here, which lists all the modules and Linux CONFIGs required for traceability.

obviously DO NOT merge

aluciani avatar Oct 20 '24 10:10 aluciani

@aluciani please review the superseding PR at #1817 (applied on top of the 6.1.8 kernel config unifying branch), where you can review only config/linux-nitropad-x.config under that PR, commenting on lines of the config for easier review.

tlaurion avatar Oct 20 '24 15:10 tlaurion

@aluciani as noted under CI, unsigned commits fail CI at https://github.com/linuxboot/heads/pull/1816/checks?check_run_id=31787361888

tlaurion avatar Oct 20 '24 15:10 tlaurion

@aluciani this is a nice exercise. Wondering if https://github.com/a13xp0p0v/kernel-hardening-checker should be added under the nix docker image and some self-test should be added in CI in the long term to make those checks automatic and warn of security regressions, somehow.

Note that the final change on the nv41 linux config file can be observed directly under https://github.com/linuxboot/heads/pull/1817/files#diff-782b88c1e0e03988fb8336bd99c65310869be9f3c1e3a88a1be57bcd5ab7c4e8

tlaurion avatar Oct 20 '24 15:10 tlaurion
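The following is an added example, not code from heads, from the issue author, or from kernel-hardening-checker. It illustrates both the option lists in the issue body and the CI self-test suggested in the last comment: a small checker that parses a Kconfig `.config` (the `CONFIG_X=y`, `# CONFIG_X is not set`, numeric and quoted-string forms), compares it against a policy built from a subset of the options named in the issue, and exits non-zero when a hardening option has regressed. The policy subset, the `DEPENDS_ON` table, and the sample `.config` are constructed for the example; an option absent from the file is treated as unset (satisfying an "is not set" expectation, failing a "y" one), since Kconfig omits symbols whose dependencies are unmet.

```python
"""Check a kernel .config against a small hardening policy.

Added example (not heads' own code, not kernel-hardening-checker): a CI
self-test that parses a Kconfig .config and flags regressions on a subset of
the options listed in the issue. The sample .config below is constructed.
"""
import re
import sys

# Policy: option -> expected value. "y"/"n" for booleans ("n" matches both
# "# CONFIG_X is not set" and an absent symbol), ("min", N) for numbers.
POLICY = {
    # from "y" to "is not set"
    "CONFIG_SLAB_MERGE_DEFAULT": "n",
    "CONFIG_MODULES": "n",
    "CONFIG_DEVMEM": "n",
    "CONFIG_IO_URING": "n",
    # from "is not set" to "y"
    "CONFIG_INIT_STACK_ALL_ZERO": "y",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_KFENCE": "y",
    "CONFIG_SECCOMP": "y",
    # literal values
    "CONFIG_ARCH_MMAP_RND_BITS": ("min", 32),
    "CONFIG_KFENCE_SAMPLE_INTERVAL": ("min", 100),
}

# Constructed dependency table: an option that only matters when another is
# enabled is skipped while that dependency is off, so one regression is
# reported once rather than twice.
DEPENDS_ON = {"CONFIG_KFENCE_SAMPLE_INTERVAL": "CONFIG_KFENCE"}

SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: value}; value is 'y', 'm', 'n', an int or a string."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
            continue
        m = SET_RE.match(line)
        if m:
            key, raw = m.groups()
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                cfg[key] = raw[1:-1]          # CONFIG_LOCALVERSION=""
            elif re.fullmatch(r"-?\d+", raw):
                cfg[key] = int(raw)           # CONFIG_NR_CPUS=32
            elif re.fullmatch(r"0x[0-9a-fA-F]+", raw):
                cfg[key] = int(raw, 16)       # hex literals
            else:
                cfg[key] = raw                # y, m or an unquoted choice
    return cfg


def check(cfg, policy=POLICY):
    """Return [(option, expected, actual)] for every policy violation."""
    failures = []
    for opt, want in policy.items():
        dep = DEPENDS_ON.get(opt)
        if dep and cfg.get(dep, "n") != "y":
            continue  # irrelevant while the dependency is off
        actual = cfg.get(opt, "absent")
        if isinstance(want, tuple):
            _, minimum = want
            ok = isinstance(actual, int) and actual >= minimum
            want_s = f">={minimum}"
        else:
            ok = actual == want or (want == "n" and actual == "absent")
            want_s = want
        if not ok:
            failures.append((opt, want_s, str(actual)))
    return failures


# Constructed sample resembling the issue's "before" state.
SAMPLE_CONFIG = """\
CONFIG_SLAB_MERGE_DEFAULT=y
CONFIG_MODULES=y
# CONFIG_DEVMEM is not set
CONFIG_IO_URING=y
# CONFIG_INIT_STACK_ALL_ZERO is not set
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_FORTIFY_SOURCE is not set
# CONFIG_KFENCE is not set
CONFIG_KFENCE_SAMPLE_INTERVAL=0
CONFIG_SECCOMP=y
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_NR_CPUS=32
CONFIG_LOCALVERSION=""
"""


def main(argv):
    """Usage: python check_config.py [path/to/.config]; exit 1 on regressions."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    failures = check(parse_config(text))
    for opt, want, actual in failures:
        print(f"FAIL {opt}: expected {want}, got {actual}")
    print(f"{len(failures)} regression(s)")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample it reports seven regressions and exits 1, which is the behaviour a CI step would key on; CONFIG_KFENCE_SAMPLE_INTERVAL is deliberately not reported while CONFIG_KFENCE is off. Pointing it at a board config (for example config/linux-nitropad-x.config) checks the real file instead of the sample.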