Slackware: This forum is for the discussion of Slackware Linux.
menuconfig RUNTIME_TESTING_MENU
	bool "Runtime Testing"
	def_bool y
<<snip>>
config STACKINIT_KUNIT_TEST
	tristate "Test level of stack variable initialization" if !KUNIT_ALL_TESTS
	depends on KUNIT
	default KUNIT_ALL_TESTS
	help
	  Test if the kernel is zero-initializing stack variables and
	  padding. Coverage is controlled by compiler flags,
	  CONFIG_INIT_STACK_ALL_PATTERN, CONFIG_INIT_STACK_ALL_ZERO,
	  CONFIG_GCC_PLUGIN_STRUCTLEAK, CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF,
	  or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL.
This is from ./arch/Kconfig
Code:
menu "General architecture-dependent options"
<<snip>>
config RANDOMIZE_KSTACK_OFFSET
	bool "Support for randomizing kernel stack offset on syscall entry" if EXPERT
	default y
	depends on HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
	depends on INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION >= 140000
	help
	  The kernel stack offset can be randomized (after pt_regs) by
	  roughly 5 bits of entropy, frustrating memory corruption
	  attacks that depend on stack address determinism or
	  cross-syscall address exposures.

	  The feature is controlled via the "randomize_kstack_offset=on/off"
	  kernel boot param, and if turned off has zero overhead due to its use
	  of static branches (see JUMP_LABEL).

	  If unsure, say Y.
This is from ./drivers/acpi/Kconfig
Code:
menuconfig ACPI
<<snip>>
config ACPI_EC_DEBUGFS
	tristate "EC read/write access through /sys/kernel/debug/ec"
	help
	  Say N to disable Embedded Controller /sys/kernel/debug interface

	  Be aware that using this interface can confuse your Embedded
	  Controller in a way that a normal reboot is not enough. You then
	  have to power off your system, and remove the laptop battery for
	  some seconds.

	  An Embedded Controller typically is available on laptops and reads
	  sensor values like battery state and temperature.
	  The kernel accesses the EC through ACPI parsed code provided by BIOS
	  tables. This option allows to access the EC directly without ACPI
	  code being involved.
	  Thus this option is a debug option that helps to write ACPI drivers
	  and can be used to identify ACPI code or EC firmware bugs.
From security/Kconfig.hardening:
Code:
menu "Memory initialization"
<<snip>>
config CC_HAS_AUTO_VAR_INIT_PATTERN
	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)

config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
	def_bool $(cc-option,-ftrivial-auto-var-init=zero)

config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
	# Clang 16 and later warn about using the -enable flag, but it
	# is required before then.
	def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
	depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE

config CC_HAS_AUTO_VAR_INIT_ZERO
	def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER

choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
	  function entry time. This has the possibility to have the
	  greatest coverage (since all functions can have their
	  variables initialized), but the performance impact depends
	  on the function calling complexity of a given workload's
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class of variable will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic stack variable initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
		  classes of uninitialized stack variable exploits
		  and information exposures.

<<snip>>

	config INIT_STACK_ALL_ZERO
		bool "zero-init everything (strongest and safest)"
		depends on CC_HAS_AUTO_VAR_INIT_ZERO
		depends on !KMSAN
		help
		  Initializes everything on the stack (including padding)
		  with a zero value. This is intended to eliminate all
		  classes of uninitialized stack variable exploits and
		  information exposures, even variables that were warned
		  about having been left uninitialized.

		  Zero initialization provides safe defaults for strings
		  (immediately NUL-terminated), pointers (NULL), indices
		  (index 0), and sizes (0 length), so it is therefore more
		  suitable as a production security mitigation than pattern
		  initialization.

endchoice
Last edited by kjhambrick; 02-23-2023 at 05:54 AM.
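The STACKINIT and INIT_STACK_ALL_ZERO help text above talks about "padding" and "information exposures" without showing what that looks like. Here is an added example, written for this page and not taken from the thread or from the kernel tree, that models the bug class in userspace C: a struct on the stack has all of its named fields assigned, yet its padding bytes are never written, so copying the whole object out (as copy_to_user() would) leaks stale stack contents. The struct, the `copy_to_user_sim()` stand-in and the helper names are invented for the demo; the hardened variant does what kernel code does where the `-ftrivial-auto-var-init=zero` flag is not available.

```c
/* Added example (written for this page, not from the thread or the kernel
 * tree): the bug class CONFIG_INIT_STACK_ALL_ZERO closes, modelled in
 * userspace C. Names (struct reply, copy_to_user_sim, ...) are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On x86_64/aarch64 this is 12 bytes: 3 padding bytes after 'tag' and
 * 2 after 'seq'. Those 5 bytes have no name, so plain code never writes them. */
struct reply {
    uint8_t  tag;
    uint32_t value;
    uint16_t seq;
};

/* Stand-in for copy_to_user(): the whole object representation, padding
 * included, crosses the kernel/user boundary. */
static void copy_to_user_sim(unsigned char *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Dirty the stack the next callee will reuse, so a leak shows up as 0x41
 * bytes instead of whatever happened to be there (volatile keeps the stores). */
__attribute__((noinline))
static void dirty_stack(void)
{
    volatile unsigned char junk[256];
    for (size_t i = 0; i < sizeof junk; i++)
        junk[i] = 0x41;
}

/* Vulnerable pattern: every field is assigned, padding is not.
 * -ftrivial-auto-var-init=zero (what INIT_STACK_ALL_ZERO turns on) would
 * zero the whole object, padding included, at function entry. */
__attribute__((noinline))
void reply_leaky(unsigned char out[sizeof(struct reply)], uint32_t v)
{
    struct reply r;
    r.tag = 1;
    r.value = v;
    r.seq = 7;
    copy_to_user_sim(out, &r, sizeof r);
}

/* Hardened pattern used where the compiler flag is unavailable: memset()
 * the object first. `struct reply r = {0};` is not a substitute, because
 * C does not promise that an initializer zeroes padding bytes. */
__attribute__((noinline))
void reply_safe(unsigned char out[sizeof(struct reply)], uint32_t v)
{
    struct reply r;
    memset(&r, 0, sizeof r);
    r.tag = 1;
    r.value = v;
    r.seq = 7;
    copy_to_user_sim(out, &r, sizeof r);
}

/* Number of padding bytes in the struct, derived from its layout. */
int padding_bytes(void)
{
    return (int)(sizeof(struct reply) - sizeof(uint8_t) - sizeof(uint32_t) - sizeof(uint16_t));
}

/* Counts padding bytes in a copied-out buffer that are non-zero, using
 * offsetof() so the check follows the real layout on any ABI. */
int nonzero_padding_bytes(const unsigned char *buf)
{
    unsigned char is_field[sizeof(struct reply)] = {0};
    for (size_t i = 0; i < sizeof(uint8_t); i++)  is_field[offsetof(struct reply, tag) + i] = 1;
    for (size_t i = 0; i < sizeof(uint32_t); i++) is_field[offsetof(struct reply, value) + i] = 1;
    for (size_t i = 0; i < sizeof(uint16_t); i++) is_field[offsetof(struct reply, seq) + i] = 1;

    int bad = 0;
    for (size_t i = 0; i < sizeof(struct reply); i++)
        if (!is_field[i] && buf[i] != 0)
            bad++;
    return bad;
}

/* Run one of the two paths on a dirtied stack; return how many padding bytes leaked. */
int leaked_padding_bytes(int hardened)
{
    unsigned char out[sizeof(struct reply)];
    dirty_stack();
    if (hardened)
        reply_safe(out, 0x11223344);
    else
        reply_leaky(out, 0x11223344);
    return nonzero_padding_bytes(out);
}

int main(void)
{
    printf("padding bytes in struct reply: %d\n", padding_bytes());
    printf("leaky path: %d padding bytes carry stale stack data\n", leaked_padding_bytes(0));
    printf("safe path:  %d padding bytes carry stale stack data\n", leaked_padding_bytes(1));
    return 0;
}
```

The leaky count depends on what the compiler and the previous frame left on the stack, which is exactly the point: the value is indeterminate, and in a kernel it is whatever the last syscall left behind. The safe path is always zero. Building the file with `-ftrivial-auto-var-init=zero` (GCC 12+ or Clang) makes the leaky path zero as well, which is what the kernel option does tree-wide.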
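The RANDOMIZE_KSTACK_OFFSET help text says the offset is randomized "by roughly 5 bits of entropy" to frustrate attacks that rely on stack address determinism. The following added example, written for this page and not part of the thread or the kernel source, models the mechanism in userspace: on x86 the kernel masks a random value to 10 bits (0x3FF) and moves the stack pointer by that amount with an alloca-style builtin before the syscall handler runs, so the address of any handler-local buffer shifts between calls. `random(3)` stands in for the kernel's per-CPU random pool, and all function names are invented.

```c
/* Added example (written for this page, not from the thread or the kernel
 * tree): a userspace model of CONFIG_RANDOMIZE_KSTACK_OFFSET. Names and the
 * entropy source (random(3)) are choices for the demo. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define KSTACK_OFFSET_MASK 0x3FFu  /* 10 bits; 16-byte stack alignment eats some of them */

/* The "syscall handler". It returns the address of one of its locals, which
 * is what an attacker relying on stack determinism needs to know. */
__attribute__((noinline))
static uintptr_t handler_local_addr(void)
{
    volatile char local[64];
    local[0] = 0;
    return (uintptr_t)local;
}

/* Unmitigated entry: identical frames every call, identical local address. */
__attribute__((noinline))
uintptr_t entry_fixed(void)
{
    return handler_local_addr();
}

/* Mitigated entry: consume a random, masked amount of stack before the
 * handler runs (alloca stands in for the kernel's __builtin_alloca()). */
__attribute__((noinline))
uintptr_t entry_randomized(unsigned rnd)
{
    unsigned offset = rnd & KSTACK_OFFSET_MASK;
    volatile char *pad = alloca(offset);
    if (offset)
        pad[0] = 0;            /* touch it so the allocation is not dropped */
    return handler_local_addr();
}

/* Call an entry path n times; return how many distinct local addresses were seen. */
int distinct_local_addrs(int randomized, int n)
{
    uintptr_t seen[128];
    int count = 0;
    for (int i = 0; i < n && count < 128; i++) {
        uintptr_t a = randomized ? entry_randomized((unsigned)random()) : entry_fixed();
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (seen[j] == a)
                dup = 1;
        if (!dup)
            seen[count++] = a;
    }
    return count;
}

/* Largest distance between two observed addresses on the randomized path.
 * It is bounded by the mask (plus alignment rounding): this is a ~1 KiB
 * jitter, not full-range ASLR, which is why the help text says "roughly
 * 5 bits" and the attacker is merely forced to guess or leak the offset. */
uintptr_t randomized_spread(int n)
{
    uintptr_t lo = UINTPTR_MAX, hi = 0;
    for (int i = 0; i < n; i++) {
        uintptr_t a = entry_randomized((unsigned)random());
        if (a < lo) lo = a;
        if (a > hi) hi = a;
    }
    return hi - lo;
}

int main(void)
{
    srandom((unsigned)time(NULL));
    printf("fixed entry:      %d distinct local address(es) over 64 calls\n",
           distinct_local_addrs(0, 64));
    printf("randomized entry: %d distinct local address(es) over 64 calls\n",
           distinct_local_addrs(1, 64));
    printf("randomized spread: %lu bytes (mask is 0x%x)\n",
           (unsigned long)randomized_spread(64), KSTACK_OFFSET_MASK);
    return 0;
}
```

The fixed path always reports one address; the randomized path reports dozens, all within about a kilobyte of each other. That bounded spread is the caveat a practitioner should keep in mind: the option breaks exploits that hard-code a stack address or reuse one learned from a previous syscall, but an attacker who can leak the current offset, or who can spray the whole 1 KiB window, is not stopped by it alone.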
Original Poster
Year 2023, Round 12.
Another batch of updates has been scheduled for release on Saturday, 25 February 2023, at approximately 13:00, GMT. If no problems are found while testing the release candidates, they might be available sometime on Friday (depending on your time zone).
Hardening options in 6.1.13
Code:
============================================================================================
option name | desired val | decision | reason |
============================================================================================
CONFIG_BUG | y |defconfig | self_protection |
CONFIG_SLUB_DEBUG | y |defconfig | self_protection |
CONFIG_GCC_PLUGINS | y |defconfig | self_protection |
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection |
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection |
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection |
CONFIG_REFCOUNT_FULL | y |defconfig | self_protection |
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection |
CONFIG_MICROCODE | y |defconfig | self_protection |
CONFIG_RETPOLINE | y |defconfig | self_protection |
CONFIG_X86_SMAP | y |defconfig | self_protection |
CONFIG_SYN_COOKIES | y |defconfig | self_protection |
CONFIG_X86_UMIP | y |defconfig | self_protection |
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection |
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection |
CONFIG_INTEL_IOMMU | y |defconfig | self_protection |
CONFIG_AMD_IOMMU | y |defconfig | self_protection |
CONFIG_VMAP_STACK | y |defconfig | self_protection |
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection |
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection |
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection |
CONFIG_DEBUG_WX | y | kspp | self_protection |
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection |
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection |
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection |
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection |
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection |
CONFIG_DEBUG_LIST | y | kspp | self_protection |
CONFIG_DEBUG_SG | y | kspp | self_protection |
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection |
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection |
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection |
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection |
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection |
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection |
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection |
CONFIG_MODULE_SIG | y | kspp | self_protection |
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection |
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection |
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection |
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection |
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection |
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection |
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection |
CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection |
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection |
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection |
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection |
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection |
CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection |
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection |
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection |
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection |
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection |
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection |
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection |
CONFIG_UBSAN_BOUNDS | y | my | self_protection |
CONFIG_SLUB_DEBUG_ON | y | my | self_protection |
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection |
CONFIG_AMD_IOMMU_V2 | y | my | self_protection |
CONFIG_SECURITY | y |defconfig | security_policy |
CONFIG_SECURITY_YAMA | y | kspp | security_policy |
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy |
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy |
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy |
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy |
CONFIG_SECURITY_SAFESETID | y | my | security_policy |
CONFIG_SECURITY_LOADPIN | y | my | security_policy |
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy |
CONFIG_SECCOMP | y |defconfig | cut_attack_surface |
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface |
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface |
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface |
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface |
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface |
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface |
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface |
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface |
CONFIG_KEXEC | is not set | kspp | cut_attack_surface |
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface |
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface |
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface |
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface |
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface |
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface |
CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface |
CONFIG_MODULES | is not set | kspp | cut_attack_surface |
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface |
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface |
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface |
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface |
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface |
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface |
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface |
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface |
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface |
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface |
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface |
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface |
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface |
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface |
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface |
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface |
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface |
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface |
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface |
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface |
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface |
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface |
CONFIG_FB | is not set |maintainer| cut_attack_surface |
CONFIG_VT | is not set |maintainer| cut_attack_surface |
CONFIG_AIO | is not set |grapheneos| cut_attack_surface |
CONFIG_STAGING | is not set | clipos | cut_attack_surface |
CONFIG_KSM | is not set | clipos | cut_attack_surface |
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface |
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface |
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface |
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface |
CONFIG_USER_NS | is not set | clipos | cut_attack_surface |
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface |
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface |
CONFIG_IO_URING | is not set | clipos | cut_attack_surface |
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface |
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface |
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface |
CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface |
CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface |
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface |
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface |
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface |
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface |
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface |
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface |
CONFIG_IP_DCCP | is not set | my | cut_attack_surface |
CONFIG_IP_SCTP | is not set | my | cut_attack_surface |
CONFIG_FTRACE | is not set | my | cut_attack_surface |
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface |
CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface |
CONFIG_INTEGRITY | y |defconfig |userspace_hardening |
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening |
Some of these options aren't practical (e.g. UBSAN, MODULE_SIG_FORCE, HIBERNATION, TRIM_UNUSED_KSYMS), but the rest can be tested by the individual user.
It's in French, but it's self-explanatory concerning the different options. The English version hasn't been updated since 2019 and doesn't take into account the hardening of the kernel configuration.
The ANSSI is the French authority which helps French "sensitive" corporations in the cybersecurity field.
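The table above lists options with a desired value, the source of the recommendation and a category (it has the shape of kconfig-hardened-check output, though the post does not say what produced it). Checking a kernel against such a list is mostly a matter of parsing `.config` correctly. The following added example, written for this page and not taken from the thread or from any kernel tool, does that in C: an option appears either as `CONFIG_FOO=value` or as the comment `# CONFIG_FOO is not set`, and an option that is absent altogether also counts as "is not set". The embedded `.config` excerpt is constructed for the demo, not copied from a Slackware kernel; the desired values are a handful of rows from the table plus RANDOMIZE_KSTACK_OFFSET from the first post.

```c
/* Added example (written for this page, not from the thread or any kernel
 * tool): a small .config checker in the spirit of the table above. The
 * sample_config text is constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Desired values in the same shape as the table: "y", a number, or "is not set". */
struct want { const char *name; const char *desired; };

static const struct want wanted[] = {
    { "CONFIG_INIT_STACK_ALL_ZERO",     "y" },
    { "CONFIG_RANDOMIZE_KSTACK_OFFSET", "y" },
    { "CONFIG_DEFAULT_MMAP_MIN_ADDR",   "65536" },
    { "CONFIG_KEXEC",                   "is not set" },
    { "CONFIG_KEXEC_FILE",              "is not set" },
    { "CONFIG_ACPI_EC_DEBUGFS",         "is not set" },
};

/* Constructed .config excerpt. CONFIG_KEXEC is absent while CONFIG_KEXEC_FILE=y
 * is present: a naive substring grep would get both of them wrong. */
static const char sample_config[] =
    "# Automatically generated file; DO NOT EDIT.\n"
    "CONFIG_INIT_STACK_ALL_ZERO=y\n"
    "# CONFIG_RANDOMIZE_KSTACK_OFFSET is not set\n"
    "CONFIG_DEFAULT_MMAP_MIN_ADDR=4096\n"
    "CONFIG_KEXEC_FILE=y\n"
    "CONFIG_ACPI_EC_DEBUGFS=m\n";

/* Looks up 'name' in 'cfg'. Writes its value ("y", "m", "4096", a quoted
 * string, or "is not set") into out and returns 1; returns 0 if absent. */
int kconfig_lookup(const char *cfg, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = cfg;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* CONFIG_FOO=value: the name must be followed by '=' exactly,
         * so CONFIG_KEXEC does not match CONFIG_KEXEC_FILE=y. */
        if (len > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == '=') {
            size_t vlen = len - nlen - 1;
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, line + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        /* "# CONFIG_FOO is not set": 2 + name + 11 characters, nothing else. */
        if (len == nlen + 13 && strncmp(line, "# ", 2) == 0 &&
            strncmp(line + 2, name, nlen) == 0 &&
            strncmp(line + 2 + nlen, " is not set", 11) == 0) {
            snprintf(out, outsz, "is not set");
            return 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Compares one option with its desired value. An absent option counts as
 * "is not set", which is what the "is not set" rows in the table expect.
 * Returns 1 for OK, 0 for FAIL. */
int kconfig_check(const char *cfg, const char *name, const char *desired)
{
    char val[128];
    if (!kconfig_lookup(cfg, name, val, sizeof val))
        snprintf(val, sizeof val, "is not set");
    return strcmp(val, desired) == 0;
}

/* Runs the whole list, prints a table row per option, returns the failure count. */
int kconfig_failures(const char *cfg)
{
    int fails = 0;
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        char val[128];
        int ok = kconfig_check(cfg, wanted[i].name, wanted[i].desired);
        if (!kconfig_lookup(cfg, wanted[i].name, val, sizeof val))
            snprintf(val, sizeof val, "is not set");
        printf("%-36s| %-12s| %-12s| %s\n", wanted[i].name, wanted[i].desired, val, ok ? "OK" : "FAIL");
        fails += !ok;
    }
    return fails;
}

int main(void)
{
    return kconfig_failures(sample_config) ? 1 : 0;
}
```

On the sample input four rows fail (RANDOMIZE_KSTACK_OFFSET off, MMAP_MIN_ADDR too low, KEXEC_FILE and ACPI_EC_DEBUGFS enabled) and two pass, including the absent CONFIG_KEXEC. To run it against a real kernel, read `/boot/config-<version>` or the output of `zcat /proc/config.gz` (needs CONFIG_IKCONFIG_PROC) into a buffer and pass that instead of `sample_config`; the parsing rules are the same.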
Thank you, my French is a bit rusty but this is a good excuse to refresh old skills.
Note (forgot to add): aside from the list above, my kernel is additionally patched to add some extra hardening options, and all unused kernel options are disabled. No server is running except X; in fact most servers are removed. The firewall is up, and personal stuff is on an encrypted partition, decrypted as needed and encrypted again after use.
Connections go through an SSL tunnel (works everywhere).
Obviously this is a compromise between security and convenience: I could get rid of hibernation, disable Bluetooth, and encrypt swap, but in all probability these settings are more than enough. If someone gets their hands on my laptop then the game's over. For anything else this is enough (I think).