Official NixOS Wiki

NixOS Hardening: Difference between revisions

← Older edit
Golbinex (talk | contribs)
25 edits
VisualWikitext
Golbinex (talk | contribs)
25 edits
No edit summary
Golbinex (talk | contribs)
25 edits
linux-hardened: Update to 6.18
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
== Kernel ==
=== linux-hardened ===
=== linux-hardened ===
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.<syntaxhighlight lang="nix">
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can build it from source, but you have to keep the kernel up to date for receiving security patches. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].
boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;
 
</syntaxhighlight>To get the latest updates and security patches as soon as possible, you might want to build the kernel right after new [https://github.com/anthraxx/linux-hardened/releases release].<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
boot.kernelPackages = let
boot.kernelPackages = let
    linux_hardened_pkg = { fetchFromGitHub, buildLinux, linux_6_12_hardened, ... } @ args:
  linux_hardened_pkg = { fetchFromGitHub, buildLinux, lib, ... } @ args:


        buildLinux (args // rec {
      buildLinux (args // rec {
          version = "6.12.77-hardened1";
        version = "6.18.33-hardened1";
           modDirVersion = version;
           hash = "sha256-SlsOQjREc73E+90FiR+zrNELtUY9yZAT34vBr4Dt7h4=";
          extraMeta.branch = "6.12";
        extraMeta.branch = "6.18";


          src = fetchFromGitHub {
        modDirVersion = version;
            owner = "anthraxx";
        src = fetchFromGitHub {
            repo = "linux-hardened";
          inherit hash;
            tag = "v${version}";
          owner = "anthraxx";
            hash = "sha256-txcatuTkp0gmJ4vHp//Ju4/j9d2RiVU8UuE7zUXnixw=";
          repo = "linux-hardened";
          };
          tag = "v${version}";
          # Patches are already applied in the source tarball
        };
          kernelPatches = [];
        kernelPatches = [];


           structuredExtraConfig = linux_6_12_hardened.structuredExtraConfig;
        structuredExtraConfig = with lib.kernel; {
           # If using different kernel version than the one used in nixpkgs, you might have to remove some unsupported parameters.
           # Perform additional validation of commonly targeted structures.
           structuredExtraConfig = lib.removeAttrs linux_6_12_hardened.structuredExtraConfig [ "GCC_PLUGIN_STACKLEAK" ];
          DEBUG_NOTIFIERS = yes;
         } // (args.argsOverride or {}));
          DEBUG_PLIST = yes;
      linux_hardened = pkgs.callPackage linux_hardened_pkg{};
          DEBUG_SG = yes;
    in
          DEBUG_VIRTUAL = yes;
      lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
          SCHED_STACK_END_CHECK = yes;
 
          # tell EFI to wipe memory during reset
          # https://lwn.net/Articles/730006/
          RESET_ATTACK_MITIGATION = yes;
 
          # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
          CONFIG_LDISC_AUTOLOAD = option no;
 
          # Enable init_on_free by default
          INIT_ON_FREE_DEFAULT_ON = yes;
 
          # Initialize all stack variables on function entry
          INIT_STACK_ALL_ZERO = yes;
 
          # Wipe all caller-used registers on exit from a function
          ZERO_CALL_USED_REGS = yes;
 
          # Enable the SafeSetId LSM
          SECURITY_SAFESETID = yes;
 
          # Reboot devices immediately if kernel experiences an Oops.
          PANIC_TIMEOUT = freeform "-1";
 
          # Enable gcc plugin options
          GCC_PLUGINS = yes;
 
          # Runtime undefined behaviour checks
          # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
          # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
          UBSAN = yes;
          UBSAN_TRAP = yes;
          UBSAN_BOUNDS = yes;
          UBSAN_LOCAL_BOUNDS = option yes; # clang only
          CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
 
          # Disable various dangerous settings
           PROC_KCORE = no; # Exposes kernel text image layout
          INET_DIAG = no; # Has been used for heap based attacks in the past
 
          # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
          # make them optional
          INET_DIAG_DESTROY = option no;
          INET_RAW_DIAG = option no;
          INET_TCP_DIAG = option no;
          INET_UDP_DIAG = option no;
          INET_MPTCP_DIAG = option no;
 
          # CONFIG_DEVMEM=n causes these to not exist anymore.
           STRICT_DEVMEM = option no;
          IO_STRICT_DEVMEM = option no;
 
          # stricter IOMMU TLB invalidation
          IOMMU_DEFAULT_DMA_STRICT = option yes;
          IOMMU_DEFAULT_DMA_LAZY = option no;
 
          # not needed for less than a decade old glibc versions
          LEGACY_VSYSCALL_NONE = yes;
         };
      } // (args.argsOverride or {}));
    linux_hardened = pkgs.callPackage linux_hardened_pkg{};
  in
    lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
</syntaxhighlight>
</syntaxhighlight>


=== Lock kernel modules ===
=== Lock kernel modules ===
This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.<syntaxhighlight lang="nix">
This option locks kernel modules after the system is initialized. For example it prevents malicious USB devices from exploiting vulnerable kernel modules.
 
<syntaxhighlight lang="nix">
security.lockKernelModules = true;
security.lockKernelModules = true;
</syntaxhighlight>All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.<syntaxhighlight lang="nix">
</syntaxhighlight>
 
All needed modules must be loaded at boot by adding them to <code>boot.kernelModules</code>. One way of knowing what modules must be enabled is to disable this option and then list all enabled modules with <code>lsmod</code>.
 
<syntaxhighlight lang="nix">
boot.kernelModules = [
boot.kernelModules = [
   # USB
   # USB
Line 44: Line 113:
];
];
</syntaxhighlight>
</syntaxhighlight>
=== Module blacklist ===
=== Module blacklist ===
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
boot.blacklistedKernelModules = [
boot.blacklistedKernelModules = [
Line 68: Line 139:


=== Kernel image protection ===
=== Kernel image protection ===
Prevents replacing the running kernel image.<syntaxhighlight lang="nix">
Prevents replacing the running kernel image.
 
<syntaxhighlight lang="nix">
security.protectKernelImage = true;
security.protectKernelImage = true;
</syntaxhighlight>
</syntaxhighlight>


=== Kernel parameters ===
=== Kernel parameters ===
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
boot.kernelParams = [
boot.kernelParams = [
Line 90: Line 164:


=== Sysctl parameters ===
=== Sysctl parameters ===
<syntaxhighlight lang="nix"># Hide kptrs even for processes with CAP_SYSLOG
 
<syntaxhighlight lang="nix">
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = "2";
boot.kernel.sysctl."kernel.kptr_restrict" = "2";


Line 98: Line 174:
# Disable ftrace debugging
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = false;
boot.kernel.sysctl."kernel.ftrace_enabled" = false;
# Disable io_uring, a large source of security vulnerabilities
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
boot.kernel.sysctl."kernel.io_uring_disabled" = 2;


# Enable strict reverse path filtering (that is, do not attempt to route
# Enable strict reverse path filtering (that is, do not attempt to route
Line 121: Line 201:
# Ignore outgoing ICMP redirects (this is ipv4 only)
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;</syntaxhighlight>
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
</syntaxhighlight>


=== Disable Simultaneous Multithreading (SMT) ===
=== Disable Simultaneous Multithreading (SMT) ===
Might cause significant performance cost.<syntaxhighlight lang="nix">
 
Might cause significant performance cost.
 
<syntaxhighlight lang="nix">
security.allowSimultaneousMultithreading = false;
security.allowSimultaneousMultithreading = false;
</syntaxhighlight>
</syntaxhighlight>


=== Force Page Table Isolation ===
=== Force Page Table Isolation ===
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.forcePageTableIsolation = true;
security.forcePageTableIsolation = true;
</syntaxhighlight>
</syntaxhighlight>
== Nix settings ==
=== Nix allowed users ===
This option allows only <code>users</code> group to connect to the Nix daemon.
<syntaxhighlight lang="nix">
nix.settings.allowed-users = [ "@users" ];
</syntaxhighlight>
== Other settings ==


=== Memory allocator ===
=== Memory allocator ===
You can use security-focused memory allocator like [https://llvm.org/docs/ScudoHardenedAllocator.html scudo] or [https://github.com/GrapheneOS/hardened_malloc GrapheneOS hardened_malloc].<syntaxhighlight lang="nix">
 
You can use security-focused memory allocator like [https://llvm.org/docs/ScudoHardenedAllocator.html scudo] or [https://github.com/GrapheneOS/hardened_malloc GrapheneOS hardened_malloc].
 
<syntaxhighlight lang="nix">
# scudo
# scudo
environment.memoryAllocator.provider = "scudo";
environment.memoryAllocator.provider = "scudo";
environment.variables.SCUDO_OPTIONS = "zero_contents=true";
environment.variables.SCUDO_OPTIONS = "zero_contents=true";
# hardened_malloc
# hardened_malloc
environment.memoryAllocator.provider = "graphene-hardened";
environment.memoryAllocator.provider = "graphene-hardened";
</syntaxhighlight>Some programs may not work with these memory allocators. You can force them to use the default libc allocator by blacklisting <code>/etc/ld-nix.so.preload</code> with a firejail wrap.<syntaxhighlight lang="nix">programs.firejail = {
</syntaxhighlight>
 
Some programs may not work with these memory allocators. You can force them to use the default libc allocator by blacklisting <code>/etc/ld-nix.so.preload</code> with a firejail wrap.
 
<syntaxhighlight lang="nix">
programs.firejail = {
   enable = true;
   enable = true;
   wrappedBinaries = {
   wrappedBinaries = {
Line 151: Line 258:
     };
     };
   };
   };
};</syntaxhighlight>
};
 
=== Nix allowed users ===
This option allows only <code>users</code> group to connect to the Nix daemon.<syntaxhighlight lang="nix">
nix.settings.allowed-users = [ "@users" ];
</syntaxhighlight>
</syntaxhighlight>


=== Flush L1 data cache ===
=== Flush L1 data cache ===
Might cause significant performance cost.<syntaxhighlight lang="nix">
 
Might cause significant performance cost.
 
<syntaxhighlight lang="nix">
security.virtualisation.flushL1DataCache = "always";
security.virtualisation.flushL1DataCache = "always";
</syntaxhighlight>
</syntaxhighlight>


=== AppArmor ===
=== AppArmor ===
See [[Security#AppArmor]] for more details.
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.apparmor.enable = true;
security.apparmor.enable = true;
security.apparmor.killUnconfinedConfinables = true;
security.apparmor.killUnconfinedConfinables = true;
</syntaxhighlight>
</syntaxhighlight>
== Lower-level ==


=== Secure Boot ===
=== Secure Boot ===
See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot.
See [[Secure Boot]]. [[Limine]] bootloader supports coreboot's Secure Boot.
== See Also ==
* [https://wiki.archlinux.org/title/Security Arch Wiki Security Page]
[[Category:Guide]]
[[Category:NixOS]]
[[Category:Security]]
Retrieved from "https://wiki.nixos.org/wiki/NixOS_Hardening"