On 20/08/19 23:19, Rich Brown wrote:
> Dmitry,
>
>> On Aug 20, 2019, at 11:58 AM, Dmitry Tunin <[email protected]> wrote:
>>
>> Rich,
>>
>> OpenWrt is a Linux distro. It has all security as any other one. All
>> CVEs are timely addressed.
>> There is no need for special tests.
>
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as
> well. And if I understand the CITL scan process, it shows lots of bad build practices in
> the vendor firmware source code.
>
> Can anyone speak to whether OpenWrt builds use any/all of those techniques
> called out to provide additional security? OpenWrt's modern kernel provides a
> bunch of security. That may be good enough, even if builds don't use all those
> techniques. And if we have implemented them, we can further differentiate
> ourselves from vendor firmware... Thanks.
>
> Rich


Vendor firmware aren't usually distros. They are not created by assembling modular packages; they usually come from an SDK, which is a "prebuilt Linux system" bundled with the cross-compiling toolchain, that was assembled manually by the SoC manufacturer and allows the OEM to have a working system where they only need to add their own customizations (usually a web interface and such).

They are a "Linux From Scratch" system, while a distro is a modular system made of packages assembled depending on need.


That said, OpenWrt's compile-time security functionality is defined here (where you find also some descriptions)

https://github.com/openwrt/openwrt/blob/master/config/Config-build.in

and by default

"gcc format-security" is enabled

"User space Stack-Smashing Protection" is set to "Regular"

"Kernel space Stack-Smashing Protection" is also set to "Regular"

"Enable buffer-overflows detection (FORTIFY_SOURCE)" is enabled and set to "Conservative"

"Enable RELRO protection" is set to "Full"

"User space ASLR PIE compilation" is disabled by default

Userspace ASLR is enabled on the kernel config for most (all?) targets

https://github.com/openwrt/openwrt/search?q=CONFIG_ARCH_HAS_ELF_RANDOMIZE%3Dy&unscoped_q=CONFIG_ARCH_HAS_ELF_RANDOMIZE%3Dy

This is the description of the feature in Linux upstream

https://github.com/torvalds/linux/blob/4064e47c82810586975b4304b105056389beaa06/Documentation/features/vm/ELF-ASLR/arch-support.txt


KASLR (kernel side ASLR) is not enabled on any target.

https://github.com/openwrt/openwrt/search?p=1&q=CONFIG_RANDOMIZE_BASE%3Dy&unscoped_q=CONFIG_RANDOMIZE_BASE%3Dy

Here is an upstream description of that

https://github.com/torvalds/linux/blob/master/arch/x86/Kconfig#L2126

It's interesting to note how apparently upstream enables it by default on x86 and Arm at least (and others too I guess), while in OpenWrt this is still disabled.


-Alberto


_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
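
Added example (not part of the original message and not OpenWrt code): one way to check a built ELF binary for three of the protections listed in the message above (PIE, RELRO and the stack protector), handling both 32/64-bit and big/little-endian images. The function names, the constructed sample image and the symbol-name heuristic for the stack protector are assumptions of this example.

```python
import struct

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def elf_hardening(data):
    """Return PIE / RELRO / stack-protector status for one ELF image (bytes)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"          # EI_DATA: many router SoCs are big-endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    phoff = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    relro = interp = now = pie_flag = False
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # Elf64_Phdr starts: type, flags, offset, vaddr, paddr, filesz
            p_type, _, off, _, _, size = struct.unpack_from(e + "IIQQQQ", data, base)
        else:      # Elf32_Phdr starts: type, offset, vaddr, paddr, filesz
            p_type, off, _, _, size = struct.unpack_from(e + "IIIII", data, base)
        relro |= p_type == PT_GNU_RELRO
        interp |= p_type == PT_INTERP
        if p_type == PT_DYNAMIC:              # walk the tag/value pairs
            fmt = e + ("QQ" if is64 else "II")
            for pos in range(off, off + size, struct.calcsize(fmt)):
                tag, val = struct.unpack_from(fmt, data, pos)
                now |= tag == DT_BIND_NOW or bool(
                    (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW))
                pie_flag |= bool(tag == DT_FLAGS_1 and val & DF_1_PIE)
    return {
        "pie": e_type == 3 and (pie_flag or interp),    # ET_DYN that is an executable
        "relro": "full" if relro and now else "partial" if relro else "none",
        "stack_protector": b"__stack_chk_fail" in data,  # heuristic: symbol name present
    }

def constructed_sample():
    """Constructed 32-bit big-endian image: ET_EXEC, RELRO + BIND_NOW, canary symbol."""
    dyn = struct.pack(">IIII", DT_FLAGS, DF_BIND_NOW, 0, 0)
    phdrs = [(PT_INTERP, 0), (PT_GNU_RELRO, 0), (PT_DYNAMIC, len(dyn))]
    dyn_off = 52 + 32 * len(phdrs)            # ELF32 header + program headers
    hdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr += struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(">8I", t, dyn_off, 0, 0, sz, sz, 4, 4) for t, sz in phdrs)
    return hdr + body + dyn + b"__stack_chk_fail\0"

if __name__ == "__main__":
    print(elf_hardening(constructed_sample()))
```

The constructed sample mirrors the defaults described in the message (PIE off, RELRO "Full", stack protector on). FORTIFY_SOURCE is not checked here.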
