Daniel Micay edited this page May 11, 2017 · 36 revisions

Note: early stub content moved from the Gentoo wiki. It does not yet reflect the project's goals or consensus and is just brainstorming.

The Hardened Kernel Project is seeking to merge Grsecurity/PaX features into the upstream kernel.

Hardened Kernel Project

Project Facilitators

This community project does not have leaders per se. We are here to facilitate communication between different parties working on security features for the upstream Linux kernel.

Contributor | Nickname | Role | Contact
Matt Brown | nmatt | Project Lead | matt at nmatt.com
r3g3x | r3g3x | Developer |
Kees Cook | kees | KSPP/Upstream Liaison, Developer | keescook at chromium.org
Daniel Micay | strcat / thestinger | CopperheadOS project lead, Arch Linux linux-hardened package maintainer (previously linux-grsec/linux-grsec-lts/gradm/paxd) | [email protected]

Why?

Project Goals

Our goals are:

  • Encourage and facilitate open source development of security features for the Linux kernel.
  • Track progress of development work.
  • Maintain a set of patches for security features that have not yet been merged into mainline.
  • Remain distribution agnostic. We want to focus on patches that affect Linux directly.
  • Work with the KSPP.

Philosophy

All are welcome!

  • We need all the help we can get. Think you're lacking the skills? Feel like there's nothing you could do with your current skillset? Let us prove you wrong!

Resources

Get Involved

Want to contribute to the project? Here is how to get started.

Communication

We do not have our own IRC channel or mailing list. However, we hang out and communicate in the following ways:

  • Main IRC channel: ##linux-hardened on irc.freenode.net

  • Relevant IRC channels:

    • #pax on irc.oftc.net

    • #gentoo-hardened on irc.freenode.net

    • #droidsec on irc.freenode.net

  • kernel hardening mailing list

Contribute

We welcome the following help:

  • Testing
  • Feature Merges
    • We are currently working on adding features to our out-of-tree patchset. Talk to one of us and let us know if there is a feature you want to work on.
  • Upstreaming
    • The long-term goal is to get all security features from this project into the Linux kernel itself.

Code Repos and Patches

Description | Link | HKP Repo
Basic set of hardening patches for mainline | https://github.com/thestinger/linux-hardened | Yes
Hardened Kernel Project Patches | https://github.com/thestinger/linux-hardened/releases | Yes
Unofficial forward ports of the last publicly available grsecurity patch | https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec | No

Progress tracking

Porting grsecurity features:

grsecurity kernel config Mainline kernel config Upstream Notes Point of Contact
CONFIG_PAX_KERNEXEC n/a Upstream __ro_after_init does a tiny piece of PaX __read_only. Upstream constification and __read_only making slow progress (https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/write-rarely). Other KERNEXEC pieces still in need of scoping. Requires CONFIG_PAX_CONSTIFY_PLUGIN.
CONFIG_PAX_MEMORY_SANITIZE CONFIG_CMDLINE=“slub_debug=P” (bad idea! see rest), CONFIG_PAGE_POISONING, CONFIG_PAGE_POISONING_NO_SANITY (unless more security but less performance is wanted), CONFIG_PAGE_POISONING_ZERO
CONFIG_PAX_MEMORY_UDEREF (x86, x86_64, ARMv7) CONFIG_CPU_SW_DOMAIN_PAN (ARMv7), CONFIG_ARM64_SW_TTBR0_PAN (ARMv8.0), CONFIG_ARM64_PAN (ARMv8.1+)
CONFIG_PAX_MPROTECT
CONFIG_PAX_PAGEEXEC
CONFIG_PAX_RANDKSTACK (x86/x86_64 only)
CONFIG_PAX_REFCOUNT n/a Current upstream refcount_t work is not protecting atomic_t, so won't be as comprehensive in the near-term.
CONFIG_PAX_USERCOPY CONFIG_HARDENED_USERCOPY Missing: slab whitelisting via slab cache useroffsize / usersize ranges, and GFP_USERCOPY kmalloc segregation.
CONFIG_GRKERNSEC_BRUTE https://lkml.org/lkml/2014/12/24/306
CONFIG_GRKERNSEC_DMESG CONFIG_SECURITY_DMESG_RESTRICT
CONFIG_GRKERNSEC_HARDEN_PTRACE CONFIG_SECURITY_YAMA (stackable with other LSMs) sysctl: kernel.yama.ptrace_scope, set to 1 (scope) by default, and can also disable unprivileged (2) or all usage (3)
CONFIG_GRKERNSEC_HARDEN_TTY CONFIG_SECURITY_TIOCSTI_RESTRICT http://www.openwall.com/lists/kernel-hardening/2017/04/25/3 https://github.com/nmatt0/linux-hardened/commit/f6fd55fe4b25c59a7a436ac00de826541adce7cf
CONFIG_GRKERNSEC_HIDESYM Needs integration with CONFIG_HARDENED_USERCOPY and stronger %p restrictions
CONFIG_GRKERNSEC_KSTACKOVERFLOW (x86_64 only) CONFIG_VMAP_STACK (x86_64 only)
CONFIG_GRKERNSEC_LINK n/a sysctl: fs.protected_hardlinks, fs.protected_symlinks
CONFIG_GRKERNSEC_MODHARDEN https://lkml.org/lkml/2017/4/19/1086
CONFIG_GRKERNSEC_PROC, CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_PROC_USERGROUP, CONFIG_GRKERNSEC_PROC_GID n/a mount option for procfs: “hidepid=2,gid=100” (substitute 100 with gid of proc group)
CONFIG_GRKERNSEC_PROC_ADD
grsecurity slub freelist random XOR mangling (no configuration option)
grsecurity list manipulation checking (no configuration option) CONFIG_DEBUG_LIST, CONFIG_BUG_ON_DATA_CORRUPTION
CONFIG_GCC_PLUGINS CONFIG_GCC_PLUGINS GCC plugin support is a prerequisite for CONFIG_PAX_LATENT_ENTROPY, CONFIG_PAX_STRUCTLEAK, CONFIG_GRKERNSEC_RANDSTRUCT, CONFIG_PAX_MEMORY_STACKLEAK, CONFIG_PAX_KERNEXEC, and CONFIG_PAX_RAP.
CONFIG_PAX_CONSTIFY_PLUGIN CONFIG_GCC_PLUGIN_CONSTIFY https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/write-rarely
CONFIG_PAX_LATENT_ENTROPY CONFIG_GCC_PLUGIN_LATENT_ENTROPY Needs https://patchwork.kernel.org/patch/9143023/
CONFIG_PAX_MEMORY_STACKLEAK (x86 only)
CONFIG_PAX_RAP (x86_64 only) Requires extensive fixes to kernel function prototypes.
CONFIG_PAX_STRUCTLEAK CONFIG_GCC_PLUGIN_STRUCTLEAK
CONFIG_GRKERNSEC_RANDSTRUCT CONFIG_GCC_PLUGIN_RANDSTRUCT https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/gcc-plugin/randstruct-next-20170418
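
One way to check a kernel build against the mainline column of the table above, as an added example that is not part of the original wiki or the project's code. The function names and the sample .config fragment are constructed for illustration, and only a subset of the table's rows is covered.

```python
import re

# Mainline options the table above lists per grsecurity feature (subset of rows).
MAINLINE = {
    "CONFIG_PAX_MEMORY_SANITIZE": ["CONFIG_PAGE_POISONING", "CONFIG_PAGE_POISONING_ZERO"],
    "CONFIG_PAX_USERCOPY": ["CONFIG_HARDENED_USERCOPY"],
    "CONFIG_GRKERNSEC_DMESG": ["CONFIG_SECURITY_DMESG_RESTRICT"],
    "CONFIG_GRKERNSEC_HARDEN_PTRACE": ["CONFIG_SECURITY_YAMA"],
    "list manipulation checking": ["CONFIG_DEBUG_LIST", "CONFIG_BUG_ON_DATA_CORRUPTION"],
    "CONFIG_PAX_STRUCTLEAK": ["CONFIG_GCC_PLUGINS", "CONFIG_GCC_PLUGIN_STRUCTLEAK"],
}
LINE_RE = re.compile(r'^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$')

def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' lines map to 'n'."""
    opts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m:
            opts[m.group(3)] = "n"
    return opts

def audit(text):
    """Map each feature to the listed mainline options that are not built in (=y)."""
    opts = parse_kconfig(text)
    gaps = {f: [o for o in want if opts.get(o, "n") != "y"] for f, want in MAINLINE.items()}
    return {f: off for f, off in gaps.items() if off}

def cmdline_poisons_slub(text):
    """True if CONFIG_CMDLINE sets slub_debug with the P flag, which the table calls a bad idea."""
    args = parse_kconfig(text).get("CONFIG_CMDLINE", "").split()
    return any(a.startswith("slub_debug=") and "P" in a[11:].split(",")[0] for a in args)

# Constructed sample .config fragment, not taken from any real kernel build.
SAMPLE = """\
CONFIG_PAGE_POISONING=y
# CONFIG_PAGE_POISONING_ZERO is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_YAMA=y
CONFIG_DEBUG_LIST=y
CONFIG_GCC_PLUGINS=y
CONFIG_CMDLINE="quiet slub_debug=P"
"""

if __name__ == "__main__":
    for feature, off in audit(SAMPLE).items():
        print(f"{feature}: missing {', '.join(off)}")
    print("slub_debug=P on built-in command line:", cmdline_poisons_slub(SAMPLE))
```

Options built as modules (=m) or absent from the file are reported the same way as options marked "is not set".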