Merge branch 'madaidan-kernel-hardening'

debian/control

@@ -56,7 +56,9 @@ Description: enhances misc security settings
   * Slab merging is disabled as sometimes a slab can be used in a vulnerable
  way which an attacker can exploit.
  .
-  * Sanity checks, redzoning, and memory poisoning are enabled.
+  * Sanity checks and redzoning are enabled.
+ .
+  * Memory zeroing at allocation and free time is enabled.
  .
   * Machine checks (MCE) are disabled which makes the kernel panic
  on uncorrectable errors in ECC memory that could be exploited.
@@ -106,6 +108,14 @@ Description: enhances misc security settings
  .
   * The MSR kernel module is blacklisted to prevent CPU MSRs from being
  abused to write to arbitrary memory.
+ .
+  * Vsyscalls are disabled as they are obsolete, are at fixed addresses and are
+ a target for ROP.
+ .
+  * Page allocator freelist randomization is enabled.
+ .
+  * Kernel lockdown is enabled.
+ .
  .
  Improve Entropy Collection
  .

etc/default/grub.d/40_kernel_hardening.cfg

@@ -1,18 +1,29 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 
-## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+kver="$(uname -r)"
+
+## Disables the merging of slabs of similar sizes.
+## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
-## Enables sanity checks (F), redzoning (Z) and poisoning (P).
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
+## Enables sanity checks (F) and redzoning (Z).
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
 
-if command -v "qubesdb-read" >/dev/null 2>&1 ; then
+## Zero memory at allocation and free time.
+if dpkg --compare-versions "${kver}" ge "5.3"; then
+  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
+else
+  ## SLUB poisoning and page poisoning is used if the kernel
+  ## does not yet support init_on_{,alloc,free}.
+  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
+
+  if command -v "qubesdb-read" >/dev/null 2>&1 ; then
      ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
      true "skip adding page_poison=1 in Qubes"
-else
-   ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
+  else
      GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+  fi
 fi
 
 ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
@@ -24,3 +35,16 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 ## Enables all mitigations for the MDS vulnerability.
 ## Disables smt which can be used to exploit the MDS vulnerability.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+
+## Enables page allocator freelist randomization.
+if dpkg --compare-versions "${kver}" ge "5.2"; then
+  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
+fi
+
+## Enables kernel lockdown.
+if dpkg --compare-versions "${kver}" ge "5.4"; then
+  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+fi