From 215199e3d9f3dc01a6d10b8229891e6f7f1085e7 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Thu, 24 Aug 2023 21:25:55 -0700
Subject: hardening: Provide Kconfig fragments for basic options
Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some in-tree guidance for kernel hardening Kconfig options, add a new fragment named "hardening-basic.config" (along with some arch-specific fragments) that enable a basic set of kernel hardening options that have the least (or no) performance impact and remove a reasonable set of legacy APIs. Using this fragment is as simple as running "make hardening.config". More extreme fragments can be added[2] in the future to cover all the recognized hardening options, and more per-architecture files can be added too. For now, document the fragments directly via comments. Perhaps .rst documentation can be generated from them in the future (rather than the other way around).
[1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/
[2] https://github.com/KSPP/linux/issues/14
Cc: Salvatore Mesoraca
Cc: x86@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook
---
 arch/arm/configs/hardening.config | 7 +++++++
 arch/arm64/configs/hardening.config | 22 ++++++++++++++++++++++
 arch/powerpc/configs/hardening.config | 10 ++++++++++
 arch/x86/configs/hardening.config | 15 +++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 arch/arm/configs/hardening.config
 create mode 100644 arch/arm64/configs/hardening.config
 create mode 100644 arch/powerpc/configs/hardening.config
 create mode 100644 arch/x86/configs/hardening.config
(limited to 'arch')
diff --git a/arch/arm/configs/hardening.config b/arch/arm/configs/hardening.config
new file mode 100644
index 000000000000..327349ce6377
--- /dev/null
+++ b/arch/arm/configs/hardening.config 
@@ -0,0 +1,7 @@
+# Basic kernel hardening options (specific to arm)
+
+# Make sure PXN/PAN emulation is enabled.
+CONFIG_CPU_SW_DOMAIN_PAN=y
+
+# Dangerous; old interfaces and needless additional attack surface.
+# CONFIG_OABI_COMPAT is not set
diff --git a/arch/arm64/configs/hardening.config b/arch/arm64/configs/hardening.config
new file mode 100644
index 000000000000..b0e795208998
--- /dev/null
+++ b/arch/arm64/configs/hardening.config
@@ -0,0 +1,22 @@
+# Basic kernel hardening options (specific to arm64)
+
+# Make sure PAN emulation is enabled.
+CONFIG_ARM64_SW_TTBR0_PAN=y
+
+# Software Shadow Stack or PAC
+CONFIG_SHADOW_CALL_STACK=y
+
+# Pointer authentication (ARMv8.3 and later). If hardware actually supports
+# it, one can turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
+CONFIG_ARM64_PTR_AUTH=y
+CONFIG_ARM64_PTR_AUTH_KERNEL=y
+
+# Available in ARMv8.5 and later.
+CONFIG_ARM64_BTI=y
+CONFIG_ARM64_BTI_KERNEL=y
+CONFIG_ARM64_MTE=y
+CONFIG_KASAN_HW_TAGS=y
+CONFIG_ARM64_E0PD=y
+
+# Available in ARMv8.7 and later.
+CONFIG_ARM64_EPAN=y
diff --git a/arch/powerpc/configs/hardening.config b/arch/powerpc/configs/hardening.config
new file mode 100644
index 000000000000..4e9bba327e8f
--- /dev/null
+++ b/arch/powerpc/configs/hardening.config
@@ -0,0 +1,10 @@
+# PowerPC specific hardening options
+
+# Block kernel from unexpectedly reading userspace memory.
+CONFIG_PPC_KUAP=y
+
+# Attack surface reduction.
+# CONFIG_SCOM_DEBUGFS is not set
+
+# Disable internal kernel debugger.
+# CONFIG_XMON is not set
diff --git a/arch/x86/configs/hardening.config b/arch/x86/configs/hardening.config
new file mode 100644
index 000000000000..19bb0c7a7669
--- /dev/null
+++ b/arch/x86/configs/hardening.config 
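Review bot: The comment on `CONFIG_CPU_SW_DOMAIN_PAN=y` promises PXN/PAN emulation, but that option only emulates PAN (blocking kernel access to user memory through CPU domains) and, as far as I recall, is only selectable on non-LPAE builds, so on an LPAE base config the request is dropped at merge time with nothing in the fragment explaining why. Suggest making the comment state the scope and the limitation, e.g. `# Make sure PAN emulation (via CPU domains) is enabled; non-LPAE builds only.` Even if the LPAE dependency does not hold, the PXN wording is worth tightening, since no PXN-related option is set in this file.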
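Review bot: `CONFIG_KASAN_HW_TAGS=y` is one of the KASAN mode choices and only takes effect when `CONFIG_KASAN=y` is also set; this fragment does not set it, so unless the base config or another fragment enables KASAN the value should be reported as not taking effect and the MTE tag checking the comment implies is never turned on. Either add `CONFIG_KASAN=y` beside it or record the dependency in the comment, e.g. `# MTE-based KASAN; needs CONFIG_KASAN=y in the base config.` The `# Software Shadow Stack or PAC` line would also read more clearly as `# Software shadow call stack (return-address protection).`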
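Review bot: The comment on `CONFIG_PPC_KUAP=y` describes only reads, but KUAP (Kernel Userspace Access Prevention) also faults unintended kernel writes to user memory, which matters at least as much for the exploit classes this fragment is meant to blunt; the comment undersells what is being enabled. Suggest `# Block the kernel from unexpectedly reading or writing userspace memory (KUAP).`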
@@ -0,0 +1,15 @@
+# Basic kernel hardening options (specific to x86)
+
+# Modern libc no longer needs a fixed-position mapping in userspace, remove
+# it as a possible target.
+CONFIG_LEGACY_VSYSCALL_NONE=y
+
+# Enable chip-specific IOMMU support.
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+CONFIG_INTEL_IOMMU_SVM=y
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_V2=y
+
+# Enable CET Shadow Stack for userspace.
+CONFIG_X86_USER_SHADOW_STACK=y
-- cgit v1.2.3
From e0bbf92682ad1df36ef43104a036469ac0ab3a4a Mon Sep 17 00:00:00 2001
From: Justin Stitt
Date: Mon, 11 Sep 2023 17:52:44 +0000
Subject: um,ethertap: Replace deprecated strncpy() with strscpy()
`strncpy` is deprecated for use on NUL-terminated destination strings [1]. `gate_buf` should always be NUL-terminated and does not require NUL-padding. It is used as a string arg inside an argv array given to `run_helper()`. Due to this, let's use `strscpy` as it guarantees NUL-terminated on the destination buffer preventing potential buffer overreads [2]. This exact invocation was changed from `strcpy` to `strncpy` in commit 7879b1d94badb ("um,ethertap: use strncpy") back in 2015. Let's continue hardening our `str*cpy` apis and use the newer and safer `strscpy`!
Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings[1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Cc: Kees Cook
Signed-off-by: Justin Stitt
Reviewed-by: Kees Cook
Link: https://lore.kernel.org/r/20230911-strncpy-arch-um-os-linux-drivers-ethertap_user-c-v1-1-d9e53f52ab32@google.com
Signed-off-by: Kees Cook
---
 arch/um/os-Linux/drivers/ethertap_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'arch')
diff --git a/arch/um/os-Linux/drivers/ethertap_user.c b/arch/um/os-Linux/drivers/ethertap_user.c
index 9483021d86dd..3363851a4ae8 100644
--- a/arch/um/os-Linux/drivers/ethertap_user.c 
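Review bot: The `# Enable chip-specific IOMMU support.` comment is the one section in these fragments that does not say what is gained, and the IOMMU options are not self-evidently hardening: the point is that with an IOMMU active, device DMA is confined to the buffers the kernel maps for each device instead of reaching arbitrary kernel memory. Note also that `CONFIG_INTEL_IOMMU_DEFAULT_ON=y` only covers the Intel driver, and that turning the drivers on does not select the strict invalidation default (`CONFIG_IOMMU_DEFAULT_DMA_STRICT`), so unmapped buffers stay reachable until the lazy flush; given the fragment's stated least-impact goal that is probably deliberate, but the comment should say so. Suggest `# Enable chip-specific IOMMU support so device DMA is confined to the buffers the kernel maps for it (lazy invalidation kept for performance).`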
+++ b/arch/um/os-Linux/drivers/ethertap_user.c
@@ -105,7 +105,7 @@ static int etap_tramp(char *dev, char *gate, int control_me,
 sprintf(data_fd_buf, "%d", data_remote);
 sprintf(version_buf, "%d", UML_NET_VERSION);
 if (gate != NULL) {
- strncpy(gate_buf, gate, 15);
+ strscpy(gate_buf, gate, sizeof(gate_buf));
 args = setup_args;
 } else args = nosetup_args;
-- cgit v1.2.3
From cfa36f889f232eb32e15b4ea6a688a5c5a9d19e9 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Fri, 22 Sep 2023 10:52:00 -0700
Subject: sparc: Annotate struct cpuinfo_tree with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct cpuinfo_tree.
[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: "David S. Miller"
Cc: sparclinux@vger.kernel.org
Reviewed-by: "Gustavo A. R. Silva"
Link: https://lore.kernel.org/r/20230922175159.work.357-kees@kernel.org
Signed-off-by: Kees Cook
---
 arch/sparc/kernel/cpumap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'arch')
diff --git a/arch/sparc/kernel/cpumap.c b/arch/sparc/kernel/cpumap.c
index f07ea88a83af..8fcf2d8c6bd2 100644
--- a/arch/sparc/kernel/cpumap.c
+++ b/arch/sparc/kernel/cpumap.c
@@ -50,7 +50,7 @@ struct cpuinfo_tree {
 /* Offsets into nodes[] for each level of the tree */
 struct cpuinfo_level level[CPUINFO_LVL_MAX];
- struct cpuinfo_node nodes[];
+ struct cpuinfo_node nodes[] __counted_by(total_nodes);
 };
-- cgit v1.2.3
From faed498d0db78adc1eee6bab3a8480bcb7e17e6e Mon Sep 17 00:00:00 2001 
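Review bot: The return value of `strscpy()` on the `+` line is dropped, so a `gate` string longer than `gate_buf` is now silently truncated and the shortened gateway is still handed to the helper through the argv entry the commit message mentions; before the change the buffer could be left unterminated, so this is an improvement, but a truncated address is wrong input rather than an error. Consider failing instead, along the lines of `if (strscpy(gate_buf, gate, sizeof(gate_buf)) < 0) return -EINVAL;` (strscpy returns -E2BIG on truncation), using whatever error convention etap_tramp's other failure paths follow. etap_tramp starts and ends outside this hunk, and the declaration of `gate_buf` is not visible here.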
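Review bot: `__counted_by(total_nodes)` on the `+` line makes the order of initialization a hard requirement: once the compiler honours the attribute under CONFIG_UBSAN_BOUNDS or CONFIG_FORTIFY_SOURCE, any access to `nodes[i]` made before `total_nodes` has been stored (or while it is still 0) is reported as out of bounds instead of being silently accepted. The allocation path that fills this struct is outside the hunk, as is the `total_nodes` member itself, so please confirm the count is written before the first `nodes[]` access; if it is not, the `total_nodes` store has to move ahead of it. A short comment on the `+` line, e.g. `/* total_nodes must be set before nodes[] is accessed */`, would record that contract for the next maintainer.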
From: Lukas Bulwahn
Date: Thu, 12 Oct 2023 06:50:40 +0200
Subject: hardening: x86: drop reference to removed config AMD_IOMMU_V2
Commit 5a0b11a180a9 ("iommu/amd: Remove iommu_v2 module") removes the config AMD_IOMMU_V2. Remove the reference to this config in the x86 architecture-specific hardening config fragment as well.
Signed-off-by: Lukas Bulwahn
Reviewed-by: Vasant Hegde
Link: https://lore.kernel.org/r/20231012045040.22088-1-lukas.bulwahn@gmail.com
Signed-off-by: Kees Cook
---
 arch/x86/configs/hardening.config | 1 -
 1 file changed, 1 deletion(-)
(limited to 'arch')
diff --git a/arch/x86/configs/hardening.config b/arch/x86/configs/hardening.config
index 19bb0c7a7669..7b497f3b7bc3 100644
--- a/arch/x86/configs/hardening.config
+++ b/arch/x86/configs/hardening.config
@@ -9,7 +9,6 @@ CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=y
 # Enable CET Shadow Stack for userspace.
 CONFIG_X86_USER_SHADOW_STACK=y
-- cgit v1.2.3