Re: hardening-check can detect whether kernel is protected or not
On 02/01/2019 17:48, Yves-Alexis Perez wrote:
> On Wed, 2019-01-02 at 17:37 +0100, Mikhail Morfikov wrote:
>> I have one question. Let's say I set the kernel options that are described
>> here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags
>> in the debian/rules file to get some extra protection? Does the
>> DEB_BUILD_MAINT_OPTIONS variable do something in the case of building the
>> linux kernel?
>
> No, DEB_BUILD_MAINT_OPTIONS is not used for that. If you want to tune the
> kernel configuration you need to follow the kernel handbook (
> https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s4.2.3
> )
>
> Most of the kernel options recommended on the KSPP page are either enabled or
> not relevant for a distribution kernel. There are some left which would be
> nice to have (like some gcc plugins) and unsupported for now, but that's all.

Thanks for the info.
Re: hardening-check can detect whether kernel is protected or not
On Wed, 2019-01-02 at 17:37 +0100, Mikhail Morfikov wrote:
> I have one question. Let's say I set the kernel options that are described
> here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags
> in the debian/rules file to get some extra protection? Does the
> DEB_BUILD_MAINT_OPTIONS variable do something in the case of building the
> linux kernel?

No, DEB_BUILD_MAINT_OPTIONS is not used for that. If you want to tune the
kernel configuration you need to follow the kernel handbook (
https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s4.2.3
)

Most of the kernel options recommended on the KSPP page are either enabled or
not relevant for a distribution kernel. There are some left which would be
nice to have (like some gcc plugins) and unsupported for now, but that's all.

Regards,
--
Yves-Alexis
Re: hardening-check can detect whether kernel is protected or not
On 02/01/2019 15:28, Yves-Alexis Perez wrote:
> the kernel is not a standard ELF binary, so you can't really run
> hardening-check on it and expect sound results.
>
> Yes, the kernel has some protection/hardening (see for example the work done
> by the Kernel Self Protection Project).

I have one question. Let's say I set the kernel options that are described
here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags
in the debian/rules file to get some extra protection? Does the
DEB_BUILD_MAINT_OPTIONS variable do something in the case of building the
linux kernel?

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Re: hardening-check can detect whether kernel is protected or not
On Wed, 2019-01-02 at 03:08 +0100, Mikhail Morfikov wrote:
> Also, how do I get a "not stripped" instead of a "stripped" kernel?

It is available as the file `vmlinux` at the root of the source tree
after building, if you still have access to that.

There is also the `linux-image-$(uname -r)-dbg` package, which contains
`./usr/lib/debug/boot/vmlinux-$(uname -r)`, which I think (but am not
entirely sure) is that same binary.

That said, Yves-Alexis is correct that despite being an ELF binary the
kernel is in some ways a bit of a special case, so one shouldn't
necessarily expect tools intended for normal userspace ELF files to
DTRT with it.

Ian.
Re: hardening-check can detect whether kernel is protected or not
On 02/01/2019 16:08, Ian Campbell wrote:
> It is available as the file `vmlinux` at the root of the source tree
> after building, if you still have access to that.

Yes, it is.

> That said, Yves-Alexis is correct that despite being an ELF binary the
> kernel is in some ways a bit of a special case, so one shouldn't
> necessarily expect tools intended for normal userspace ELF files to
> DTRT with it.

Thanks for the info.
Re: hardening-check can detect whether kernel is protected or not
On Wed, 2019-01-02 at 03:08 +0100, Mikhail Morfikov wrote:
> So is the kernel protected or not? If yes, why can't hardening-check
> detect it?
> Also, how do I get a "not stripped" instead of a "stripped" kernel?

Hi,

the kernel is not a standard ELF binary, so you can't really run
hardening-check on it and expect sound results.

Yes, the kernel has some protection/hardening (see for example the work done
by the Kernel Self Protection Project).

Regards,
--
Yves-Alexis
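The two replies from Yves-Alexis above make the same point from two sides: hardening-check's userspace heuristics (PIE, __stack_chk_fail in the symbol table, RELRO, BIND_NOW) are the wrong yardstick for a kernel image, and the KSPP recommended settings are the right one. As an added example, not code from this thread or from the KSPP project, the script below audits a kernel config file for a handful of KSPP-recommended options instead. It writes a constructed sample config that stands in for /boot/config-$(uname -r) or a decompressed /proc/config.gz; the option list is an assumed subset of the KSPP page as it applied to a 4.19-era kernel (CONFIG_DEVKMEM, for instance, was removed from later kernels), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a kernel config for a subset of KSPP-recommended options.
# Not from the thread; the option list and function names are this example's own.

# Write a constructed sample config (stands in for /boot/config-$(uname -r)).
# Format is the standard Kconfig output: NAME=value, or "# NAME is not set".
write_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.19.13 Kernel Configuration
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_DEVKMEM=y
EOF
}

# config_value FILE NAME: print the option's value (y, m, a number, a string),
# or "unset" when it is absent or commented out as "is not set".
# The trailing "=" in the pattern keeps CONFIG_STACKPROTECTOR from matching
# CONFIG_STACKPROTECTOR_STRONG.
config_value() {
    _v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    if [ -n "$_v" ]; then
        printf '%s\n' "$_v"
    else
        printf 'unset\n'
    fi
}

# check_config FILE: compare an assumed subset of the KSPP recommendations
# (4.19-era) against FILE. Prints one OK/FAIL line per option plus a summary;
# returns 0 when every option matches, 1 otherwise.
check_config() {
    _file=$1
    _fails=0
    for _spec in \
        CONFIG_STACKPROTECTOR_STRONG=y \
        CONFIG_RANDOMIZE_BASE=y \
        CONFIG_HARDENED_USERCOPY=y \
        CONFIG_STRICT_KERNEL_RWX=y \
        CONFIG_SLAB_FREELIST_RANDOM=y \
        CONFIG_GCC_PLUGIN_STRUCTLEAK=y \
        CONFIG_DEVKMEM=unset
    do
        _name=${_spec%%=*}
        _want=${_spec#*=}
        _got=$(config_value "$_file" "$_name")
        if [ "$_got" = "$_want" ]; then
            printf 'OK   %s=%s\n' "$_name" "$_got"
        else
            printf 'FAIL %s: want %s, got %s\n' "$_name" "$_want" "$_got"
            _fails=$((_fails + 1))
        fi
    done
    printf 'summary: %d option(s) failing\n' "$_fails"
    [ "$_fails" -eq 0 ]
}

# Against the running kernel:   check_config "/boot/config-$(uname -r)"
# With CONFIG_IKCONFIG_PROC=y:   zcat /proc/config.gz > /tmp/cfg && check_config /tmp/cfg
```

On the sample config this reports four OK lines and three FAIL lines (HARDENED_USERCOPY commented out, the STRUCTLEAK gcc plugin absent, DEVKMEM enabled). Run against a distribution kernel, a FAIL on a gcc-plugin option is the "nice to have but unsupported" case Yves-Alexis describes, and "unset" for an option that does not exist in your kernel version is noise rather than a finding, so keep the option list matched to the kernel you are auditing.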
hardening-check can detect whether kernel is protected or not
When I run hardening-check on some binary I get results similar to the following:

# hardening-check /usr/bin/firefox
/usr/bin/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

But when I do the hardening check on the kernel, I get:

# /usr/src/linux-source-4.19/scripts/extract-vmlinux /boot/vmlinuz-4.19.13-amd64-morficzny > /tmp/kernel-morficzny
# file /tmp/kernel-morficzny
/tmp/kernel-morficzny: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=552fa51a31ac5536ef9c729c7755719f1e62f34d, stripped
# hardening-check /tmp/kernel-morficzny
/tmp/kernel-morficzny:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

I compiled this kernel myself, by editing the file
/usr/src/linux-source-4.19/scripts/package/builddeb and adding the following
to the rules file:

...
cat <<EOF > debian/rules
#!$(command -v $MAKE) -f
...
export DEB_BUILD_MAINT_OPTIONS = hardening=+all qa=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
CFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
CXXFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
CPPFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
LDFLAGS += -Wl,-O2 -Wl,--as-needed -Wl,-z,defs -Wl,-shared
...

The extra flags at the end come from some HowTo; it simply said the flags
should be set. When I checked what flags were set while building the kernel,
I could see this:

# make -j2 bindeb-pkg
...
dpkg-buildflags --status
dpkg-buildflags: status: environment variable DEB_BUILD_MAINT_OPTIONS=hardening=+all qa=+all
dpkg-buildflags: status: environment variable DEB_BUILD_OPTIONS=parallel=2
dpkg-buildflags: status: environment variable DEB_HOST_ARCH=amd64
dpkg-buildflags: status: vendor is Debian
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=yes format=yes fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=yes canary=yes
dpkg-buildflags: status: reproducible features: fixdebugpath=yes fixfilepath=no timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
dpkg-buildflags: status: CFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: CPPFLAGS [vendor]: -D__DEB_CANARY_CPPFLAGS_8a057268a74a5f1201285aa667585e15__ -Wdate-time -D_FORTIFY_SOURCE=2
dpkg-buildflags: status: CXXFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: FCFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: FFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: GCJFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: LDFLAGS [vendor]: -Wl,-z,deb-canary-8a057268a74a5f1201285aa667585e15 -Wl,-z,relro -Wl,-z,now
dpkg-buildflags: status: OBJCFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: OBJCXXFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security

And when testing whether, for instance, CFLAGS has the additional flags, I can
see it does:

-g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_b5b0db7f3a77ca4fcf9eca57aa7181ca__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic

So is the kernel protected or not? If yes, why can't hardening-check detect it?

Also, how do I get a "not stripped" instead of a "stripped" kernel?