Hardening a Kernel post hardened-sources
Hi,

I still have hardened-sources running on one PC and I keep trying to
compile a replacement gentoo-sources with as much hardening as I can,
but I haven't found anything to help me that actually works. There are
some guides on the Internet but most of them are quite old (still
grsecurity) and some of them are really old (Kernel 2.2, for example).

I found the KSPP website and built a kernel using their suggested
"paranoid" settings. It worked for a brief moment but then I think I
upgraded gcc to 6.4 and it just panicked during boot causing a lot of
pain to reverse out of.

Does anyone know of a good, post GRSecurity guide to reasonable security
for the kernel? In the absence of anything else I will have to go back
to the KSPP list and start removing stuff until I can get a stable kernel.

Thanks in advance,

Robert Sharp
Re: Hardening a Kernel post hardened-sources
Hi!

On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
> Does anyone know of a good, post GRSecurity guide to reasonable security
> for the kernel? In the absence of anything else I will have to go back
> to the KSPP list and start removing stuff until I can get a stable kernel.

I'm using https://github.com/minipli/linux-unofficial_grsec, but it lacks
Spectre and Meltdown mitigation at the moment (see issues). Still, I
believe it's the best we can have now (better is probably paid GrSec, but
AFAIK it's impossible or too costly to buy it for home or small business).

--
WBR, Alex.
Re: Hardening a Kernel post hardened-sources
On Wed, Mar 28, 2018 at 12:40 PM, Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
>> Does anyone know of a good, post GRSecurity guide to reasonable security
>> for the kernel? In the absence of anything else I will have to go back
>> to the KSPP list and start removing stuff until I can get a stable kernel.
>
> I'm using https://github.com/minipli/linux-unofficial_grsec, but it lacks
> Spectre and Meltdown mitigation at the moment (see issues). Still, I
> believe it's the best we can have now (better is probably paid GrSec, but
> AFAIK it's impossible or too costly to buy it for home or small business).
>

Previous contributors have access to the code, but it doesn't seem
like there is any way to go that route anymore.
Re: Hardening a Kernel post hardened-sources
Hi all,

I’ve been a grsecurity customer for a little over two years now, and my use of it is as a small business, on Gentoo server installations. While I can’t disclose the amount of money I’m paying publicly because every deal is customized, I would encourage you to get in touch using the contact form on grsecurity.net and ask for a quote if you haven’t already.

You might just end up with an arrangement you can afford, and grsec is still certainly worth having today. Not only for the feature set, but also for the constant looking over the mainline Linux kernel code, including fixing and backporting more fixes than the regular kernel stable releases, and for knowledge / emails giving context to important kernel vulnerabilities when they occur.


Best,

– Guillaume Ceccarelli

>> On 28 Mar 2018, at 20:22, R0b0t1 <r030t1@gmail.com> wrote:
Re: Hardening a Kernel post hardened-sources
I requested a quote from GRsecurity and they told me that although they
are looking at providing a package for personal customers they don't
have one at the moment. They recommended minipli as the next best thing...

What about the grsecurity-source overlay?

On 29/03/18 11:47, Guillaume Ceccarelli wrote:
Re: Hardening a Kernel post hardened-sources
I see… I’m sorry to hear that.

The grsecurity-sources overlay seems to be tracking minipli’s unofficial port. So that’s what you already got as a recommendation, with the convenience of ebuilds to match.

It looks like the latest release from minipli’s is based off of Linux 4.9.74 (early January; the last one before Spectre / Meltdown mitigations got merged into upstream kernels), with the latest upstream version today being 4.9.91. So minipli’s kernel is starting to be quite a bit behind upstream too. He did mention that it would take him a significant amount of time to forward port with KAISER / KPTI. So he might just be working on it, still.

Minipli’s kernel might still be your best option after all, but I haven’t reviewed the patches that made it to upstream between 4.9.74 and 4.9.91 so I’m not sure what you’d be missing out on at the moment by choosing to go with it.


Best,

– Guillaume Ceccarelli

> On Mar 30, 2018, at 17:37, Robert Sharp <selinux@sharp.homelinux.org> wrote:
Re: Hardening a Kernel post hardened-sources
On Fri, Mar 30, 2018 at 10:37 AM, Robert Sharp
<selinux@sharp.homelinux.org> wrote:
> I requested a quote from GRsecurity and they told me that although they are
> looking at providing a package for personal customers they don't have one at
> the moment. They recommended minipli as the next best thing...
>

Is there any way for you to try again while presenting yourself as a
business? In some jurisdictions saying you are a business is all it
takes to start a sole proprietorship. Otherwise, just pretend you are
affiliated with a (legally fictional) business.

It is necessary that I present myself as working on behalf of business
when requesting quotes for electronic components, etc., for personal
projects. They have a tendency to not care otherwise. A past employer
lets me use their email for this reason.

Perhaps Mr. Ceccarelli can indicate the size of his employer before I
try to contact them myself?

Cheers,
R0b0t1

Re: Hardening a Kernel post hardened-sources
On 30/03/18 17:55, R0b0t1 wrote:
> Is there any way for you to try again while presenting yourself as a
> business? In some jurisdictions saying you are a business is all it
> takes to start a sole proprietorship. Otherwise, just pretend you are
> affiliated with a (legally fictional) business.

It's more than possible: I have a business, email addresses, registered
at Companies House, the lot. I guess there is nothing to lose but I think
it likely the price is more than I could justify. I will have another go
over the holiday weekend.

I am leaning towards having another go at the KSPP approach and being a
little more cautious about what I include. I don't like the idea of
being stuck on an older kernel version waiting for someone to find time
to catch up and I can probably apply the same approach to all my PCs
and not just the outward facing ones.

Best

Robert
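One way to follow the cautious KSPP approach the thread ends on, as an added example that is not code from any poster: a POSIX shell script that compares a kernel .config against a hand-picked sample of KSPP-style options, so options can be switched on in small batches and a boot failure traced back to the last batch. The option list is an assumption (a sample, not the full KSPP list, using 4.x-era names) and the embedded .config fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: compare a kernel .config with a
# hand-picked sample of KSPP-style options (assumption: not the full list;
# 4.x-era names, CC_STACKPROTECTOR_STRONG became STACKPROTECTOR_STRONG in
# 4.18). Entry NAME=want: want is y, n ("not set" or absent) or a value.
KSPP_SAMPLE="
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_VMAP_STACK=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEVKMEM=n
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
"
# check_config FILE: print OK/MISMATCH per option; return the mismatch count.
check_config() {
    bad=0
    for entry in $KSPP_SAMPLE; do
        name="${entry%%=*}"; want="${entry#*=}"
        if line=$(grep "^$name=" "$1"); then have="${line#*=}"
        elif grep -q "^# $name is not set" "$1"; then have=n
        else have=absent; fi
        if [ "$have" = "$want" ] || { [ "$want" = n ] && [ "$have" = absent ]; }; then
            echo "OK       $name=$want"
        else
            echo "MISMATCH $name: want $want, have $have"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# write_sample_config FILE: constructed, deliberately incomplete .config
# fragment for demonstration (not a real kernel's config).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_VMAP_STACK=y
# CONFIG_PAGE_TABLE_ISOLATION is not set
# CONFIG_DEVKMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
EOF
}
# Usage: sh kspp-check.sh [/path/to/.config]; with no argument the sample is used.
if [ -n "$1" ]; then cfg="$1"; else cfg=$(mktemp); write_sample_config "$cfg"; fi
check_config "$cfg" || echo "$? option(s) differ from the sample list"
```

Run it against /usr/src/linux/.config after each batch of changes and keep the previous known-good kernel in the bootloader until the new one has booted cleanly.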