nixos/hardened: update hardened profile to new recommendations

Borrowing from here to match hardened profile with more recent kernels: * https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters * https://github.com/a13xp0p0v/kernel-hardening-checker/ Removed "slub_debug" as that option disables kernel memory address hashing. You also see a big warning about this in the dmesg: "This system shows unhashed kernel memory addresses via the console, logs, and other interfaces." "init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig. "slab_nomerge" prevents the merging of slab/slub caches. These are effectively slab/slub pools. "LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on static address. It got superseeded by vdsos a decade ago. Read some LWN.net to learn more ;) "debugfs=off" I'm sure there are some few userspace programs that rely on debugfs, but they shouldn't. Most other things mentioned on the blog where already the default on a running machine or may not be applicable. Most other Kconfigs changes come from the kernel hardening checker and were added, when they were not applied to the kernel already. Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
author: Tamara Schmitz <tamara.zoe.schmitz@posteo.de> 2023-12-20 01:38:07 +0100
committer: Tamara Schmitz <tamara.zoe.schmitz@posteo.de> 2024-01-27 20:43:58 +0000
commit: b80c3284d5d2a7282272e764e3c48bccccdbadcb (patch)
tree: 659888bc31fbf2670774b6da3737d1a677654e6b
parent: 30b34ac00788d0dce98a992b6d92779b9eb6bc19 (diff)
2 files changed, 42 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 74dc2cb1b9aa4..b85a2ac7e69d2 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -39,14 +39,17 @@ with lib;
   security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
-    # Slab/slub sanity checks, redzoning, and poisoning
-    "slub_debug=FZP"
+    # Don't merge slabs
+    "slab_nomerge"
 
-    # Overwrite free'd memory
+    # Overwrite free'd pages
     "page_poison=1"
 
     # Enable page allocator randomization
     "page_alloc.shuffle=1"
+
+    # Disable debugfs
+    "debugfs=off"
   ];
 
   boot.blacklistedKernelModules = [
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 7aa9c51173526..ea49966f46dd0 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -39,21 +39,33 @@ assert (versionAtLeast version "4.9");
   DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()
   DEBUG_PLIST           = whenAtLeast "5.2" yes;
   DEBUG_SG              = yes;
+  DEBUG_VIRTUAL         = yes;
   SCHED_STACK_END_CHECK = yes;
 
   REFCOUNT_FULL = whenOlder "5.4.208" yes;
 
+  # tell EFI to wipe memory during reset
+  # https://lwn.net/Articles/730006/
+  RESET_ATTACK_MITIGATION = yes;
+
+  # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
+  CONFIG_LDISC_AUTOLOAD = option no;
+
   # Randomize page allocator when page_alloc.shuffle=1
   SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
 
-  # Allow enabling slub/slab free poisoning with slub_debug=P
-  SLUB_DEBUG = yes;
-
   # Wipe higher-level memory allocations on free() with page_poison=1
   PAGE_POISONING           = yes;
   PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
   PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
 
+  # Enable init_on_alloc and init_on_free by default
+  INIT_ON_ALLOC_DEFAULT_ON = yes;
+  INIT_ON_FREE_DEFAULT_ON  = yes;
+
+  # Wipe all caller-used registers on exit from a function
+  ZERO_CALL_USED_REGS = yes;
+
   # Enable the SafeSetId LSM
   SECURITY_SAFESETID = whenAtLeast "5.1" yes;
 
@@ -70,6 +82,16 @@ assert (versionAtLeast version "4.9");
   GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
   GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
 
+  # Runtime undefined behaviour checks
+  # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
+  # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
+  UBSAN      = yes;
+  UBSAN_TRAP = yes;
+  UBSAN_BOUNDS = yes;
+  UBSAN_SANITIZE_ALL = yes;
+  UBSAN_LOCAL_BOUNDS = option yes; # clang only
+  CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
+
   # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
   RANDSTRUCT = whenAtLeast "5.19" yes;
   RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
@@ -97,4 +119,15 @@ assert (versionAtLeast version "4.9");
   # CONFIG_DEVMEM=n causes these to not exist anymore.
   STRICT_DEVMEM    = option no;
   IO_STRICT_DEVMEM = option no;
+
+  # stricter IOMMU TLB invalidation
+  IOMMU_DEFAULT_DMA_STRICT = option yes;
+  IOMMU_DEFAULT_DMA_LAZY = option no;
+
+  # not needed for less than a decade old glibc versions
+  LEGACY_VSYSCALL_NONE = yes;
+
+  # Straight-Line-Speculation
+  # https://lwn.net/Articles/877845/
+  SLS = option yes;
 }
author	Tamara Schmitz <tamara.zoe.schmitz@posteo.de>	2023-12-20 01:38:07 +0100
committer	Tamara Schmitz <tamara.zoe.schmitz@posteo.de>	2024-01-27 20:43:58 +0000
commit	b80c3284d5d2a7282272e764e3c48bccccdbadcb (patch)
tree	659888bc31fbf2670774b6da3737d1a677654e6b
parent	30b34ac00788d0dce98a992b6d92779b9eb6bc19 (diff)