Merge pull request #111 from raja-grewal/harden

Increased kernel hardening at boot

README.md

@@ -40,6 +40,8 @@ arbitrary code execution in kernel mode.
 * The bits of entropy used for mmap ASLR are increased, therefore improving
 its effectiveness.
 
+* Randomises the addresses for mmap base, heap, stack, and VDSO pages.
+
 * Prevents unintentional writes to attacker-controlled files.
 
 * Prevents common symlink and hardlink TOCTOU races.
@@ -54,19 +56,13 @@ prevents writing potentially sensitive contents of memory to disk.
 
 ### Boot parameters
 
-Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf`
-configuration file.
+Boot parameters are outlined in configuration files located in the
+`etc/default/grub.d/` directory.
 
 * Slab merging is disabled which significantly increases the difficulty of
 heap exploitation by preventing overwriting objects from merged caches and
 by making it harder to influence slab cache layout.
 
-* Sanity checks are enabled which add various checks to prevent corruption
-in certain slab operations.
-
-* Redzoning is enabled which adds extra areas around slabs that detect when
-a slab is overwritten past its real size which can help detect overflows.
-
 * Memory zeroing at allocation and free time is enabled to mitigate some
 use-after-free vulnerabilities and erase sensitive information in memory.
 
@@ -83,10 +79,15 @@ are a potential target for ROP.
 
 * The kernel panics on oopses to thwart certain kernel exploits.
 
+* Enables randomisation of the kernel stack offset on syscall entries.
+
 * All mitigations for known CPU vulnerabilities are enabled and SMT is
 disabled.
 
-* IOMMU is enabled to prevent DMA attacks.
+* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU
+TLB invalidation so devices will never be able to access stale data contents.
+
+* Distrust the 'randomly' generated CPU and bootloader seeds.
 
 ### Disables and blacklists kernel modules
 

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,11 +1,12 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables all mitigations for CPU vulnerabilities.
+## Enables all known mitigations for CPU vulnerabilities.
 ##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Enable all mitigations for Spectre Variant 2.
+## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
@@ -13,30 +14,48 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 ## Disable Speculative Store Bypass.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
-## Disable TSX, enable all mitigations for the TSX Async Abort
-## vulnerability and disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
-
-## Enable all mitigations for the MDS vulnerability and disable
-## SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
-
-## Enable all mitigations for the L1TF vulnerability and disable SMT
+## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## Enable mitigations for the MDS vulnerability through clearing buffer cache
+## and disabling SMT.
 ##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## TSX Async Abort along with disabling SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 
 ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
+
+## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
+## Only mitigated through microcode updates from Intel.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+## https://access.redhat.com/solutions/5142691
+
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Enables the prctl interface to prevent leaks from L1D on context switches.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
+
+## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"

etc/default/grub.d/40_distrust_bootloader.cfg

@@ -0,0 +1,7 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Distrusts the bootloader for initial entropy at boot.
+##
+## https://lkml.org/lkml/2022/6/5/271
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"

etc/default/grub.d/40_distrust_cpu.cfg

@@ -8,4 +8,5 @@
 ## https://twitter.com/pid_eins/status/1149649806056280069
 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
 ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://lkml.org/lkml/2022/6/5/271
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"

etc/default/grub.d/40_enable_iommu.cfg

@@ -10,3 +10,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
 ## https://mjg59.dreamwidth.org/54433.html
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
+## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
+## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1"

etc/default/grub.d/40_kernel_hardening.cfg

@@ -10,7 +10,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
 ## Enables sanity checks (F) and redzoning (Z).
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
+## Disabled due to kernel deciding to implicitly disable kernel pointer hashing
+## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
 
 ## Zero memory at allocation and free time.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
@@ -27,6 +29,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ## Enables page allocator freelist randomization.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
+## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
+## https://lkml.org/lkml/2019/3/18/246
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
+
 ## Enables kernel lockdown.
 ##
 ## Disabled for now as it enforces module signature verification which breaks
@@ -47,3 +53,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## https://lkml.org/lkml/2020/7/16/122
 ## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
+
+## Force the kernel to panic on "oopses" (which may be due to false positives)
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"

etc/sysctl.d/30_security-misc.conf

@@ -60,6 +60,8 @@ kernel.yama.ptrace_scope=2
 ## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0
 
+## Randomize the addresses for mmap base, heap, stack, and VDSO pages
+kernel.randomize_va_space=2
 
 #### meta start
 #### project Kicksecure
@@ -82,11 +84,13 @@ net.ipv6.conf.default.accept_redirects=0
 ## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
 
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+net.ipv6.icmp.echo_ignore_all=1
+
+## Ignores bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses=1
 
 ## Enables TCP syncookies.
 net.ipv4.tcp_syncookies=1
@@ -157,4 +161,3 @@ kernel.perf_event_paranoid=3
 # Do not accept router advertisments
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
-