Re: [gentoo-dev] Hardening a default profile

2017-06-17 Thread Alexis Ballier
On Sat, 17 Jun 2017 14:43:24 +0300
Andrew Savchenko wrote:

> On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > > there should be a way of turning these off systematically.  the
> > > advantage of the current hardened gcc specs is that one can switch
> > > between them using gcc-config.  if these are forced on for the
> > > default profile then there will be no easy way to systematically
> > > turn them off.  
> > 
> > No - there won't be an easy way for systematically turning off
> > SSP and PIE in 17.0 profiles [1,2].
> > 
> > The hardened toolchain with its different gcc profiles came from a
> > time where SSP and PIE were relatively new security features and a
> > certain amount of fine-grained control was needed. Further, at that
> > time we were talking about external patches against gcc. Nowadays
> > everything is upstreamed and (almost) no patches to gcc for
> > hardened profiles are applied any more.
> > 
> > Given the fact that all major Linux distributions are following the
> > path of improved default hardening features (see for example [1])
> > and that we have been using ssp/pie in hardened profiles for years
> > now the purpose of fine-grained control over ssp/pie is also highly
> > questionable.
> > 
> > The consensus at the moment is that PIE and SSP (as well as stricter
> > linker flags) will soon be standard (or, actually *are* already
> > standard) compilation options. A per-package override (if
> > absolutely needed) is fine - and, in fact, already in place
> > everywhere where needed.  
> 
> Gentoo is all about choice, remember? :)
> 
> It is really good to have them by default, it is bad to force them
> on everyone. Security is not always of paramount importance
> compared to other factors; sometimes performance matters more,
> e.g. in an isolated and restricted non-public HPC environment.
> 
> PIE and SSP may lead to up to 8% performance loss [1]. The
> stack-protector (especially stack-protector-all or -strong) may
> cause even more damage. For compute nodes this may be equivalent to
> a loss of millions of USD (depending on the system scale, of course).

This can probably be fixed by a gcc-config target disabling those, as
used to be the case on hardened.



Re: [gentoo-dev] Hardening a default profile

2017-06-17 Thread Andrew Savchenko
On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > there should be a way of turning these off systematically.  the
> > advantage of the current hardened gcc specs is that one can switch
> > between them using gcc-config.  if these are forced on for the default
> > profile then there will be no easy way to systematically turn them off.
> 
> No - there won't be an easy way for systematically turning off
> SSP and PIE in 17.0 profiles [1,2].
> 
> The hardened toolchain with its different gcc profiles came from a time
> where SSP and PIE were relatively new security features and a certain
> amount of fine-grained control was needed. Further, at that time we were
> talking about external patches against gcc. Nowadays everything is
> upstreamed and (almost) no patches to gcc for hardened profiles are
> applied any more.
> 
> Given the fact that all major Linux distributions are following the path
> of improved default hardening features (see for example [1]) and that we
> have been using ssp/pie in hardened profiles for years now the purpose
> of fine-grained control over ssp/pie is also highly questionable.
> 
> The consensus at the moment is that PIE and SSP (as well as stricter
> linker flags) will soon be standard (or, actually *are* already
> standard) compilation options. A per-package override (if absolutely
> needed) is fine - and, in fact, already in place everywhere where
> needed.

Gentoo is all about choice, remember? :)

It is really good to have them by default, it is bad to force them
on everyone. Security is not always of paramount importance
compared to other factors; sometimes performance matters more,
e.g. in an isolated and restricted non-public HPC environment.

PIE and SSP may lead to up to 8% performance loss [1]. The
stack-protector (especially stack-protector-all or -strong) may
cause even more damage. For compute nodes this may be equivalent to
a loss of millions of USD (depending on the system scale, of course).

[1] https://bugs.archlinux.org/task/18864

Best regards,
Andrew Savchenko




Re: [gentoo-dev] Hardening a default profile

2017-06-15 Thread Matthias Maier
> there should be a way of turning these off systematically.  the
> advantage of the current hardened gcc specs is that one can switch
> between them using gcc-config.  if these are forced on for the default
> profile then there will be no easy way to systematically turn them off.

No - there won't be an easy way for systematically turning off
SSP and PIE in 17.0 profiles [1,2].

The hardened toolchain with its different gcc profiles came from a time
where SSP and PIE were relatively new security features and a certain
amount of fine-grained control was needed. Further, at that time we were
talking about external patches against gcc. Nowadays everything is
upstreamed and (almost) no patches to gcc for hardened profiles are
applied any more.

Given the fact that all major Linux distributions are following the path
of improved default hardening features (see for example [1]) and that we
have been using ssp/pie in hardened profiles for years now the purpose
of fine-grained control over ssp/pie is also highly questionable.

The consensus at the moment is that PIE and SSP (as well as stricter
linker flags) will soon be standard (or, actually *are* already
standard) compilation options. A per-package override (if absolutely
needed) is fine - and, in fact, already in place everywhere where
needed.

Thus, we should go with the times and simply force these well-tested
hardening features on platforms that support them.

Best,
Matthias

[1] for amd64/x86 and well supported profiles

[2] there is always the possibility to override forced use flags

[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition




Re: [gentoo-dev] Hardening a default profile

2017-06-15 Thread Anthony G. Basile
On 6/15/17 11:20 AM, Matthias Maier wrote:
> Hi Michael,
> 
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman wrote:
> 
>> So I was just wondering if ~arch is ready for more secure defaults on
>> the 17.0 profiles in the linker flags.  There are several
>> distributions which ship RELRO by default and I am not aware of any
>> performance issues regarding this.
> 
> We (i.e. toolchain) are in the process of enabling quite a number of
> security hardening features on default profiles. In particular
> 
>  - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
> 

there should be a way of turning these off systematically.  the
advantage of the current hardened gcc specs is that one can switch
between them using gcc-config.  if these are forced on for the default
profile then there will be no easy way to systematically turn them off.

for those who don't use hardened, gcc-config -l on a hardened profile gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla

while on the default profiles it gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *

[5] on the hardened profile is equivalent to [1] on the vanilla.

maybe we should consider merging the hardened and default profiles?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



Re: [gentoo-dev] Hardening a default profile

2017-06-15 Thread Matthias Maier
Hi Michael,

On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman wrote:

> So I was just wondering if ~arch is ready for more secure defaults on
> the 17.0 profiles in the linker flags.  There are several
> distributions which ship RELRO by default and I am not aware of any
> performance issues regarding this.

We (i.e. toolchain) are in the process of enabling quite a number of
security hardening features on default profiles. In particular

 - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles

 - enable additional hardening features for glibc-2.25 and newer
   (will be merged soon).

But, yes. Updated linker flags are a very good point. I have put updated
linker flags on the toolchain meeting agenda for next week.


The hardened profiles (even used without a hardened kernel) will serve
an important difference in the future. While we try to enable as many
security features on default profiles as possible, we have to compromise
between security features and not introducing regressions. The hardened
profiles will thus have more aggressive security features enabled for
the foreseeable future (at the cost of more potential breakage).

Best,
Matthias




Re: [gentoo-dev] Hardening a default profile

2017-06-15 Thread Tiziano Müller
Hi Michael

Am 11.06.2017 um 23:39 schrieb Michael Brinkman:
> Hello, so I've been running Gentoo Hardened for a few years on my
> laptop, my desktop, and a server made from an older desktop.
> 
> Because of Grsecurity closing access to its source to non-subscribers,
> I decided that I would just try to stick with Gentoo-sources and
> harden the default profile and follow the KSSP guidelines to get as
> close as possible without losing the testing kernel.  Because of this,
> I no longer used the PaX features and decided to switch to the default
> profile and enable my own flags.

The security people probably have more insight, but I personally run the
hardened profile by default, also in combination with gentoo-sources if
there were too many compatibility issues with the software I had to run
on that specific machine.
So, from my point of view there is no reason to switch to the default
profile just because the grsec-kernel-patchset isn't open source anymore.

Best regards,
Tiziano



[gentoo-dev] Hardening a default profile

2017-06-11 Thread Michael Brinkman
Hello, so I've been running Gentoo Hardened for a few years on my
laptop, my desktop, and a server made from an older desktop.

Because of Grsecurity closing access to its source to non-subscribers,
I decided that I would just try to stick with Gentoo-sources and
harden the default profile and follow the KSSP guidelines to get as
close as possible without losing the testing kernel.  Because of this,
I no longer used the PaX features and decided to switch to the default
profile and enable my own flags.

I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all
and LDFLAGS with full RELRO support (and --sort-common). I saw that
GCC still uses the FORTIFY patch so I didn't need to add that. So far
I've had absolutely no issues with this setup but I was trying to see
if there's anything else I could do to bridge it closer to where it
was and noticed that there are several warnings against this as it
could break packages (including glibc). I've had no breakages myself
that are visible at least and no build failures.

So I was just wondering if ~arch is ready for more secure defaults on
the 17.0 profiles in the linker flags.  There are several
distributions which ship RELRO by default and I am not aware of any
performance issues regarding this.  At least to me it shouldn't be
warned against unless there are lots of build failures these days.  Of
course though, I'm not a dev and would like to see your perspective on
this.

Thank you,
Michael Brinkman
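The flags Michael lists (pie, and full RELRO via the linker) leave marks in the ELF headers, so whether they actually took effect on a built binary can be verified rather than assumed. The following is an added example, not code from the thread: a small checker for PIE and partial/full RELRO (what -Wl,-z,relro and -Wl,-z,now produce), plus a constructed header-only ELF image so it runs without a compiler. It assumes a little-endian ELF64 input and does not cover SSP or FORTIFY, which would need the symbol table.

```python
import struct  # added example: parse ELF headers the way checksec/readelf would

ET_EXEC, ET_DYN, PT_NOTE, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 4, 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 0x1E, 0x6FFFFFFB, 0x8, 0x1

def check_hardening(elf: bytes) -> dict:
    """PIE and RELRO state of a little-endian ELF64 image: relro is 'full'
    (PT_GNU_RELRO + BIND_NOW, i.e. -Wl,-z,relro,-z,now), 'partial' or 'none'."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, dyn = False, b""
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = elf[p_off:p_off + p_filesz]
    flags = flags1 = 0
    for off in range(0, len(dyn) - 15, 16):  # Elf64_Dyn entries are 16 bytes
        tag, val = struct.unpack_from("<qQ", dyn, off)
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS:
            flags = val
        elif tag == DT_FLAGS_1:
            flags1 = val
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # ET_DYN also describes shared libraries, so only read "pie" for executables
    return {"pie": e_type == ET_DYN, "relro": relro}

def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (headers plus a .dynamic table, not
    loadable) so the check can be exercised without compiling anything."""
    dyn = b""
    if bind_now:  # what -Wl,-z,now records in .dynamic
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) + struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # ELF header, two program headers, then .dynamic
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else PT_NOTE, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn
```

On a real system, `check_hardening(open("/usr/bin/someprog", "rb").read())` reports what the installed binary was actually linked with, independent of what CFLAGS/LDFLAGS claim.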