hardening: kernel config modularization
* Created separate Kconfig file to enable virtualization,
  networking, usb, user input devices, debug, guest and guest
  graphics support on top of hardened baseline kernel config.
* Using kernel merge_config.sh to merge kconfig fragments.
* Introduces a top-level option to enable
  host hardening for targets and moves the subarea
  options under it. This allows development to enable
  working and sensible defaults without cluttering
  the targets (and users) with the details of the
  host hardening. Nix does not have module interface
  protection mechanisms (e.g. protected/private) so
  these options can still be used from the targets
  should the users wish to do so.
* "allowImportFromDerivation = false" removed as it's
  the default value. Allow (true) made the nix flake
  show fail earlier but allowed bypassing NixOS asserted
  kernel config options from the baseline config instead
  of inline.
* Added host, guest and pkvm modules to cover tests
  - hardened host kernel building and code patching with
    host-options.
  - hardened lenovo X1 guest kernel building and code
    patching with guest-options
  - hardened host pkvm kernel building and code patching
    with pkvm options
* Refactor pkvm kernel builder
* Updated documentation.

Co-authored-by: Ville Ilvonen <[email protected]>

Signed-off-by: Ville Ilvonen <[email protected]>
Signed-off-by: Vunny Sodhi <[email protected]>
vunnyso authored and brianmcgillion committed Feb 27, 2024
1 parent 811d411 commit 9f195aa
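The merge step this commit relies on (feature fragments layered on the hardened baseline with `merge_config.sh`) applies a simple last-fragment-wins rule, so a fragment that turns a feature on can also flip a baseline hardening setting without anyone noticing until `kernel-hardening-checker` reports it. The helper below is an added example, not Ghaf's or the kernel tree's own code: it reproduces that rule for plain `CONFIG_` lines and then lists every baseline symbol whose value a fragment changed, which is the diff a reviewer wants before accepting a new fragment. The fragment names and contents are constructed for the demo, and unlike `merge_config.sh` it does not run `make olddefconfig`, so options dropped by Kconfig dependency resolution are out of scope here.

```shell
#!/bin/sh
# Added example (not Ghaf's or the kernel tree's own code): reproduce the
# last-fragment-wins rule that scripts/kconfig/merge_config.sh applies to
# plain CONFIG_ lines, then list every baseline symbol whose value a feature
# fragment changed. Unlike merge_config.sh it does not run "make olddefconfig",
# so options dropped by Kconfig dependency resolution are not modelled here.
# Fragment names and contents below are constructed for the demo.

# symbol_of LINE : print the CONFIG_ symbol a Kconfig line refers to
symbol_of() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^# (CONFIG_[A-Za-z0-9_]+) is not set$/\1/' \
        -e 's/^(CONFIG_[A-Za-z0-9_]+)=.*$/\1/'
}

# value_of SYMBOL FILE : value FILE gives SYMBOL ("n" for "is not set",
# empty when the symbol does not appear at all)
value_of() {
    if grep -q -E "^# $1 is not set$" "$2"; then
        printf 'n\n'
    else
        sed -n -E "s/^$1=(.*)$/\1/p" "$2"
    fi
}

# merge_fragments OUT BASE FRAG... : OUT is BASE with each fragment's CONFIG_
# lines applied in order; a later fragment overrides an earlier one
merge_fragments() {
    out=$1; base=$2; shift 2
    cp "$base" "$out"
    for frag in "$@"; do
        grep -E '^(CONFIG_[A-Za-z0-9_]+=|# CONFIG_[A-Za-z0-9_]+ is not set)' "$frag" |
        while IFS= read -r line; do
            sym=$(symbol_of "$line")
            # drop any earlier setting of the symbol, then append the fragment's
            grep -v -E "^($sym=|# $sym is not set)" "$out" > "$out.tmp" || true
            printf '%s\n' "$line" >> "$out.tmp"
            mv "$out.tmp" "$out"
        done
    done
}

# report_overrides BASE MERGED : one "SYMBOL: baseline=X merged=Y" line per
# baseline symbol whose value differs in MERGED (empty output = no regression)
report_overrides() {
    grep -E '^(CONFIG_[A-Za-z0-9_]+=|# CONFIG_[A-Za-z0-9_]+ is not set)' "$1" |
    while IFS= read -r line; do
        sym=$(symbol_of "$line")
        before=$(value_of "$sym" "$1")
        after=$(value_of "$sym" "$2")
        [ "$before" = "$after" ] ||
            printf '%s: baseline=%s merged=%s\n' "$sym" "$before" "$after"
    done
}

# write_samples DIR : constructed baseline plus two feature fragments
write_samples() {
    cat > "$1/baseline.config" <<'EOF'
# CONFIG_MODULES is not set
# CONFIG_FB is not set
# CONFIG_VT is not set
# CONFIG_KSM is not set
CONFIG_RANDOMIZE_BASE=y
EOF
    cat > "$1/display-gpu.config" <<'EOF'
CONFIG_DRM=y
CONFIG_FB=y
EOF
    cat > "$1/debug.config" <<'EOF'
CONFIG_VT=y
# CONFIG_KSM is not set
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
merge_fragments "$demo/merged.config" "$demo/baseline.config" \
    "$demo/display-gpu.config" "$demo/debug.config"
report_overrides "$demo/baseline.config" "$demo/merged.config"
rm -rf "$demo"
```

Run against the real tree, the call would be `merge_fragments merged.config <baseline> $HS/*.config $GS/*.config` followed by `report_overrides <baseline> merged.config`; an empty report means no fragment touched a baseline value, and each reported line is a candidate for the "accepted trade-off" list the documentation should carry next to the checker's FAIL output.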
Showing 28 changed files with 535 additions and 376 deletions.
2 changes: 1 addition & 1 deletion .reuse/dep5
Expand Up @@ -7,5 +7,5 @@ Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/t
License: Apache-2.0
Files:
*.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
modules/host/ghaf_host_hardened_baseline-x86
modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
modules/host/ghaf_host_hardened_baseline-jetson-orin
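Review bot: the Files: stanza now covers `modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86`, but none of the per-feature fragments this commit introduces (the `virtualization.config`, `networking.config`, `usb.config`, `user-input-devices.config`, `debug.config`, `guest.config` and `display-gpu.config` files the docs hunk references under `kernel/host/configs` and `kernel/guest/configs`) match any pattern here, so they will show up as uncovered in a reuse lint run unless each fragment carries its own SPDX header comment; either add `*.config` to this stanza or confirm the headers are there. Two smaller points: the name listed here ends in `-x86` while the docs hunk copies `.../configs/ghaf_host_hardened_baseline` without that suffix, so one of the two is wrong; and `modules/host/ghaf_host_hardened_baseline-jetson-orin` is left under `modules/host` while the x86 baseline moved, so check that path still exists.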
66 changes: 57 additions & 9 deletions docs/src/architecture/hardening.md
Expand Up @@ -25,36 +25,42 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
```
~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
...
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ cp ../modules/host/ghaf_host_hardened_baseline .config
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ make menuconfig
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig
...
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ make -j$(nproc)
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc)
...
Kernel: arch/x86/boot/bzImage
```

* Booting the built kernel with QEMU:

```
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
```

* [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker):

```
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline
[+] Kconfig file to check: ../modules/host/ghaf_host_hardened_baseline
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config
[+] Kconfig file to check: .config
[+] Detected microarchitecture: X86_64
[+] Detected kernel version: 6.6
[+] Detected compiler: GCC 120300
...
[+] Config check is finished: 'OK' - 188 / 'FAIL' - 5
[ghaf-kernel-devshell:~/ghaf/linux-6.6.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline|grep 'FAIL: '
[+] Config check is finished: 'OK' - 188 / 'FAIL' - 8
[ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config| grep 'FAIL: '
CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found
CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: "is not set"
```


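Review bot: the example now runs the checker on the merged `.config` rather than on the baseline file, and the result moves from 5 to 8 FAILs with `CONFIG_FB`, `CONFIG_VT`, `CONFIG_KSM` and `CONFIG_TRIM_UNUSED_KSYMS` newly reported, but nothing in the text says which of the merged fragments flips each of them or whether the regression is accepted; add one sentence per new FAIL so a reader can tell an intended debug/graphics trade-off from an unintended one. It is also worth stating that `merge_config.sh` prints `Value requested for CONFIG_... not in final .config` when a fragment's option is dropped during dependency resolution, and that this output should be read before running the hardening checker, because a dropped option looks fine in the fragment yet never reaches the kernel.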
Expand All @@ -65,6 +71,48 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups

#### `x86-64-linux`

The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without modifications. Assertions are fixed in `ghaf_host_hardened_baseline` Linux configuration under Ghaf `modules/host/`.
The host kernel hardening is based on Linux `make tinyconfig`. The
default `tinyconfig` fails to assertions on NixOS without
modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf
`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline
kernel configuration is generic for x86_64 hardware architecture devices.

In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1.

### Virtualization Support

The host Virtualization support will add the required kernel config dependency to the Ghaf baseline by which NixOS has virtualization enabled. It can be enabled with the following flag `ghaf.host.kernel_virtualization_hardening.enable` for Lenovo X1.

### Networking Support

The host Networking support will add the required kernel config dependency to the Ghaf baseline by which NixOS has networking enabled, It can be enabled with the following flag `ghaf.host.kernel_networking_hardening.enable` for Lenovo X1.

### USB Support

USB support on host is for the `-debug-profile` builds, not for hardened host -release-builds. As of now, USB support needs to be enabled when debug support to host via USB ethernet adapter (Lenovo X1) is needed or when the user want to boot Ghaf using an external SSD. It is optional in case Ghaf is used with internal NVME.

It can be enabled with the following flag `ghaf.host.kernel_usb_hardening.enable` for Lenovo X1.

### User Input Devices Support

The User Input Devices support will add the required kernel config dependency to the Ghaf baseline by which NixOS has user input devices enabled. It can be enabled with the following flag `ghaf.host.kernel_inputdevices_hardening.enable` for Lenovo X1.

To enable GUI, set Virtualization, Networking and User Input Devices support. As of now, the kernel builds and can boot on Lenovo X1.

### Debug Support

The Debug support on host is for the `-debug-profile` builds, not for hardened host -release-builds. It can be helpful when debugging functionality is needed in a development environment.

It can be enabled with the following flag `ghaf.host.kernel.debug_hardening.enable` for Lenovo X1.

### Guest Support

The Guest support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest enabled. The added functionality is vsock for host-to-guest and guest-to-guest communication.

It can be enabled with the following flag `guest.hardening.enable` for Lenovo X1.

### Guest Graphics Support

The Guest Graphics support will add the required kernel config dependency to the Ghaf baseline by which NixOS has guest graphics enabled. The added functionality is for guest with graphics support enabled.

It can be enabled with the following flag `guest.graphics_hardening.enable` for Lenovo X1.
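Review bot: the option names documented here do not match the ones this commit's own test configuration sets. The docs use `ghaf.host.kernel_virtualization_hardening.enable`, `ghaf.host.kernel_networking_hardening.enable`, `ghaf.host.kernel_usb_hardening.enable`, `ghaf.host.kernel_inputdevices_hardening.enable`, `ghaf.host.kernel.debug_hardening.enable`, `guest.hardening.enable` and `guest.graphics_hardening.enable`, whereas `test-configuration.nix` enables `ghaf.host.kernel.hardening.{virtualization,networking,usb,inputdevices,debug}.enable` plus `ghaf.guest.kernel.hardening.enable` and `ghaf.guest.kernel.hardening.graphics.enable`, which is the layout the commit message describes ("moves the subarea options under" a top-level option). Update the flags to the new names and mention the top-level `ghaf.host.kernel.hardening.enable` switch the sub-options depend on. Minor wording: "fails to assertions" should read "fails assertions", "Networking enabled, It can be" needs a full stop, "the user want" should be "wants", and the new `### ... Support` sections sit under the `#### x86-64-linux` heading, so their level should be at least `####`.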
6 changes: 6 additions & 0 deletions modules/hardware/lenovo-x1/kernel/guest/test/default.nix
@@ -0,0 +1,6 @@
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
{pkgs, ...}: let
config = pkgs.nixos [./test-configuration.nix];
in
config.config.system.build.toplevel
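Review bot: building `toplevel` only proves that the configuration evaluates and the kernel compiles; nothing asserts that the fragment values actually reached the kernel. Consider exposing the kernel's generated config (the `configfile` output of the nixpkgs kernel derivation) next to `toplevel`, or adding a check that greps it for a few symbols each fragment is expected to set and for the baseline's `is not set` lines, so a fragment cannot silently re-enable something the baseline turned off.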
@@ -0,0 +1,34 @@
# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
{
config,
lib,
...
}: {
imports = [
../../../../x86_64-generic/kernel/host/default.nix
../../../../x86_64-generic/kernel/guest/default.nix
];

# baseline, virtualization and network hardening are
# generic to all x86_64 devices
config.ghaf.host.kernel.hardening.enable = true;
config.ghaf.host.kernel.hardening.virtualization.enable = true;
config.ghaf.host.kernel.hardening.networking.enable = true;
config.ghaf.host.kernel.hardening.inputdevices.enable = true;
# usb/debug hardening is host optional but required for -debug builds
config.ghaf.host.kernel.hardening.usb.enable = true;
config.ghaf.host.kernel.hardening.debug.enable = true;

# guest VM kernel specific options
config.ghaf.guest.kernel.hardening.enable = true;
config.ghaf.guest.kernel.hardening.graphics.enable = true;

# required to module test a module via top level configuration
config.boot.loader.systemd-boot.enable = true;
config.fileSystems."/" = {
device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
fsType = "ext4";
};
config.system.stateVersion = lib.trivial.release;
}
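Review bot: `config.system.stateVersion = lib.trivial.release;` makes the test's stateVersion track whatever nixpkgs is pinned, so the evaluation can change behaviour on every nixpkgs bump; pin a fixed release string instead. The comment above the first option group says baseline, virtualization and networking hardening are "generic to all x86_64 devices", but `inputdevices.enable = true` sits in that same group while the docs in this commit present it as a Lenovo X1 option; give it its own comment line. The all-zero root UUID is fine for an evaluation-only test, though "required to module test a module via top level configuration" would read better as "required so the module can be evaluated as part of a full system configuration".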
