NixOS Hardening: Difference between revisions

Line 1:

=== linux-hardened ===

[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.~~<syntaxhighlight lang="nix">~~

[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix">

~~boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;~~

~~</syntaxhighlight>To get the~~ latest ~~updates and security patches as soon as possible, you might want to build the kernel right after new~~ [https://github.com/anthraxx/linux-hardened/releases ~~release~~].<syntaxhighlight lang="nix">

boot.kernelPackages = let

linux_hardened_pkg = { fetchFromGitHub, buildLinux, ~~linux_6_12_hardened~~, ... } @ args:

linux_hardened_pkg = { fetchFromGitHub, buildLinux, lib, ... } @ args:

buildLinux (args // rec {

version = "6.12.77-hardened1";

version = "6.12.79-hardened1";

~~modDirVersion~~ = ~~version~~;

hash = "sha256-TKrLHk4aB47vqehEdp5ks4WtMCq/XCDr9ro3eQOoPvE=";

extraMeta.branch = "6.12";

src = fetchFromGitHub {

modDirVersion = version;

owner = "anthraxx";

src = fetchFromGitHub {

repo = "linux-hardened";

inherit hash;

tag = "v${version}";

owner = "anthraxx";

~~hash = "sha256-txcatuTkp0gmJ4vHp//Ju4/j9d2RiVU8UuE7zUXnixw=";~~

repo = "linux-hardened";

};

tag = "v${version}";

~~# Patches are already applied in the source tarball~~

};

kernelPatches = [];

structuredExtraConfig = ~~linux_6_12_hardened~~.~~structuredExtraConfig~~;

structuredExtraConfig = with lib.kernel; {

# ~~If using different~~ kernel ~~version than~~ the ~~one~~ used in ~~nixpkgs~~, ~~you might have~~ to ~~remove some unsupported parameters~~.

# Perform additional validation of commonly targeted structures.

~~structuredExtraConfig~~ = ~~lib.removeAttrs linux_6_12_hardened.structuredExtraConfig [ "GCC_PLUGIN_STACKLEAK" ]~~;

DEBUG_NOTIFIERS = yes;

} // (args.argsOverride or {}));

DEBUG_PLIST = yes;

linux_hardened = pkgs.callPackage linux_hardened_pkg{};

DEBUG_SG = yes;

in

DEBUG_VIRTUAL = yes;

lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);

SCHED_STACK_END_CHECK = yes;

# tell EFI to wipe memory during reset

# https://lwn.net/Articles/730006/

RESET_ATTACK_MITIGATION = yes;

# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE

CONFIG_LDISC_AUTOLOAD = option no;

# Enable init_on_free by default

INIT_ON_FREE_DEFAULT_ON = yes;

# Initialize all stack variables on function entry

INIT_STACK_ALL_ZERO = yes;

# Wipe all caller-used registers on exit from a function

ZERO_CALL_USED_REGS = yes;

# Enable the SafeSetId LSM

SECURITY_SAFESETID = yes;

# Reboot devices immediately if kernel experiences an Oops.

PANIC_TIMEOUT = freeform "-1";

# Enable gcc plugin options

GCC_PLUGINS = yes;

#A port of the PaX stackleak plugin

GCC_PLUGIN_STACKLEAK = yes;

# Runtime undefined behaviour checks

# https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html

# https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan

UBSAN = yes;

UBSAN_TRAP = yes;

UBSAN_BOUNDS = yes;

UBSAN_LOCAL_BOUNDS = option yes; # clang only

CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1

# Disable various dangerous settings

PROC_KCORE = no; # Exposes kernel text image layout

INET_DIAG = no; # Has been used for heap based attacks in the past

# INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,

# make them optional

INET_DIAG_DESTROY = option no;

INET_RAW_DIAG = option no;

INET_TCP_DIAG = option no;

INET_UDP_DIAG = option no;

INET_MPTCP_DIAG = option no;

# CONFIG_DEVMEM=n causes these to not exist anymore.

STRICT_DEVMEM = option no;

IO_STRICT_DEVMEM = option no;

# stricter IOMMU TLB invalidation

IOMMU_DEFAULT_DMA_STRICT = option yes;

IOMMU_DEFAULT_DMA_LAZY = option no;

# not needed for less than a decade old glibc versions

LEGACY_VSYSCALL_NONE = yes;

};

} // (args.argsOverride or {}));

linux_hardened = pkgs.callPackage linux_hardened_pkg{};

in

lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);

</syntaxhighlight>

@@ Line 1: / Line 1: @@
 === linux-hardened ===
-[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied.<syntaxhighlight lang="nix">
+[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix">
-boot.kernelPackages = pkgs.linuxKernel.packages.linux_hardened;
-</syntaxhighlight>To get the latest updates and security patches as soon as possible, you might want to build the kernel right after new [https://github.com/anthraxx/linux-hardened/releases release].<syntaxhighlight lang="nix">
 boot.kernelPackages = let
-    linux_hardened_pkg = { fetchFromGitHub, buildLinux, linux_6_12_hardened, ... } @ args:
+  linux_hardened_pkg = { fetchFromGitHub, buildLinux, lib, ... } @ args:
-        buildLinux (args // rec {
+      buildLinux (args // rec {
-          version = "6.12.77-hardened1";
+        version = "6.12.79-hardened1";
-          modDirVersion = version;
+        hash = "sha256-TKrLHk4aB47vqehEdp5ks4WtMCq/XCDr9ro3eQOoPvE=";
-          extraMeta.branch = "6.12";
+        extraMeta.branch = "6.12";
-          src = fetchFromGitHub {
+        modDirVersion = version;
-            owner = "anthraxx";
+        src = fetchFromGitHub {
-            repo = "linux-hardened";
+          inherit hash;
-            tag = "v${version}";
+          owner = "anthraxx";
-            hash = "sha256-txcatuTkp0gmJ4vHp//Ju4/j9d2RiVU8UuE7zUXnixw=";
+          repo = "linux-hardened";
-          };
+          tag = "v${version}";
-          # Patches are already applied in the source tarball
+        };
-          kernelPatches = [];
+        kernelPatches = [];
-          structuredExtraConfig = linux_6_12_hardened.structuredExtraConfig;
+        structuredExtraConfig = with lib.kernel; {
-           # If using different kernel version than the one used in nixpkgs, you might have to remove some unsupported parameters.
+          # Perform additional validation of commonly targeted structures.
-           structuredExtraConfig = lib.removeAttrs linux_6_12_hardened.structuredExtraConfig [ "GCC_PLUGIN_STACKLEAK" ];
+          DEBUG_NOTIFIERS = yes;
-         } // (args.argsOverride or {}));
+          DEBUG_PLIST = yes;
-      linux_hardened = pkgs.callPackage linux_hardened_pkg{};
+          DEBUG_SG = yes;
-    in
+          DEBUG_VIRTUAL = yes;
-      lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
+          SCHED_STACK_END_CHECK = yes;
+          # tell EFI to wipe memory during reset
+          # https://lwn.net/Articles/730006/
+          RESET_ATTACK_MITIGATION = yes;
+          # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
+          CONFIG_LDISC_AUTOLOAD = option no;
+          # Enable init_on_free by default
+          INIT_ON_FREE_DEFAULT_ON = yes;
+          # Initialize all stack variables on function entry
+          INIT_STACK_ALL_ZERO = yes;
+          # Wipe all caller-used registers on exit from a function
+          ZERO_CALL_USED_REGS = yes;
+          # Enable the SafeSetId LSM
+          SECURITY_SAFESETID = yes;
+           # Reboot devices immediately if kernel experiences an Oops.
+          PANIC_TIMEOUT = freeform "-1";
+          # Enable gcc plugin options
+          GCC_PLUGINS = yes;
+          #A port of the PaX stackleak plugin
+          GCC_PLUGIN_STACKLEAK = yes;
+          # Runtime undefined behaviour checks
+          # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
+          # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
+          UBSAN = yes;
+          UBSAN_TRAP = yes;
+          UBSAN_BOUNDS = yes;
+          UBSAN_LOCAL_BOUNDS = option yes; # clang only
+          CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
+          # Disable various dangerous settings
+          PROC_KCORE = no; # Exposes kernel text image layout
+          INET_DIAG = no; # Has been used for heap based attacks in the past
+          # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+          # make them optional
+          INET_DIAG_DESTROY = option no;
+          INET_RAW_DIAG = option no;
+          INET_TCP_DIAG = option no;
+          INET_UDP_DIAG = option no;
+          INET_MPTCP_DIAG = option no;
+          # CONFIG_DEVMEM=n causes these to not exist anymore.
+           STRICT_DEVMEM = option no;
+          IO_STRICT_DEVMEM = option no;
+          # stricter IOMMU TLB invalidation
+          IOMMU_DEFAULT_DMA_STRICT = option yes;
+          IOMMU_DEFAULT_DMA_LAZY = option no;
+          # not needed for less than a decade old glibc versions
+          LEGACY_VSYSCALL_NONE = yes;
+         };
+      } // (args.argsOverride or {}));
+    linux_hardened = pkgs.callPackage linux_hardened_pkg{};
+  in
+    lib.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
 </syntaxhighlight>