kconfig-hardened-check icon indicating copy to clipboard operation
kconfig-hardened-check copied to clipboard

Published 20 hours ago verified publisher icon a13xp0p0v

Suggestions for kernel-hardening-checker

Open asarubbo opened this issue 11 months ago • 3 comments

Hello @a13xp0p0v

I have two suggestions for kernel-hardening-checker

  1. It's a matter of fact that enable all suggested security features impact on perfomance and I have verified this by myself, e.g. a 64 threads modern server takes 10 more minutes to compile chromium. Would be great have a column that gives a rank (from 1-10) maybe about how much a CONFIG_* impacts on performance. To give an idea about what I'm talking, with a general example with C and stack protection: FORTIFY_SOURCE has impact of 1; -fstack-protector-strong has an impact of 5; -fstack-protector-all has an impact of 8;

Rank number can be on your judge with will give the idea to the user.

  1. I noticed that the option do not follow the order from menuconfig. For example for enable the first suggestion from kernel-hardening-checker I need to go in a section of the kernel, then for the second suggestion I need to go to another section, and for the third I maybe come back to the section of the first suggestion. That takes a lot of time for navigating into the menuconfig sections, while group CONFIG_* based on the menuconfig order will save a lot of time.

Thanks

asarubbo avatar Mar 07 '24 09:03 asarubbo

I had similar thoughts, the performance rating sounds sensible but is probably difficult to implement because you always have to ask yourself in which scenario you achieve a plus or not. I would say that someone who uses the suggestions does not use them from a performance point of view but from a security point of view.

migrgh avatar Mar 16 '24 00:03 migrgh

Hello @asarubbo and @migrgh!

Would be great have a column that gives a rank (from 1-10) maybe about how much a CONFIG_* impacts on performance.

@asarubbo, that's an interesting idea. Could you please describe it in the issue #66 as well?

However, creating such a rating would not be easy because some kernel security features have different performance penalty depending on the type of system workload (a number and type of system calls, for example).

Do you have an idea which particular kernel option makes your system run slow on compiling chromium?

First of all, I would recommend comparing performance of the default configuration and hardened configuration without mitigations=auto,nosmt and nosmt boot options (they may have the biggest performance penalty). I guess, in that comparison, you will not see a big difference in the chromium compilation time.

a13xp0p0v avatar Mar 17 '24 14:03 a13xp0p0v

I noticed that the option do not follow the order from menuconfig.

@asarubbo, yes, that's true. Currently, the options are sorted by the complexity of the checking rule. It's easier for maintenance.

You have multiple options to avoid exhausting navigation in menuconfig.

  • Try using search in menuconfig: press '/', enter the option name, hit enter, and then choose the number (1, 2, 3, ...) of the option that you want to see. I like it.
  • Try automatic merging of the Kconfig fragment with options that you want to change. See the example in the README.

a13xp0p0v avatar Mar 17 '24 14:03 a13xp0p0v

Closing for now. Feel free to reopen this issue, if you have new info. Thanks!

a13xp0p0v avatar Sep 04 '24 12:09 a13xp0p0v