Extended Brain Storage

Artix Linux: Hardened Kernel and Hibernation

Posted on April 22, 2019

Using a hardened kernel in either Artix Linux or Arch Linux may seem to be a smart decision to prevent various vulnerabilities from being exploited. However, everything comes with a price...

In a Nutshell

The linux-hardened package uses a basic kernel hardening patch set and more security-focused compile-time configuration options than the linux package, which comes precompiled with the distribution. For example, the current settings can be evaluated as follows:

$ paxtest blackhat
...
$ sysctl kernel.dmesg_restrict
kernel.dmesg_restrict = 1
$ sysctl kernel.kptr_restrict
kernel.kptr_restrict = 2
$ sysctl net.core.bpf_jit_enable
net.core.bpf_jit_enable = 1
$ sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1
$ mount | grep proc
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)

Hibernation Support

The kernel needs to be configured accordingly in order to support hibernation. This can be verified by running:

$ zcat /proc/config.gz | grep CONFIG_HIBERNATION
# CONFIG_HIBERNATION is not set

The problem is obvious: hibernation support is not enabled in the linux-hardened kernel. The reason is that kASLR (kernel address space layout randomization) is preferred over hibernation.

When building with both CONFIG_HIBERNATION and CONFIG_RANDOMIZE_BASE, one or the other must be chosen at boot-time. Until now, hibernation was selected when no choice was made on the command line.

To make the security benefits of kASLR more widely available to end users (since the use of hibernation is becoming more rare and kASLR, already available on x86, will be available on arm64 and MIPS soon), this changes the default to preferring kASLR over hibernation. Users wanting hibernation can turn off kASLR by adding nokaslr to the kernel command line.

More info can be found here.
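The two checks above (the sysctl values and the CONFIG_HIBERNATION / CONFIG_RANDOMIZE_BASE / nokaslr rule) can be scripted. The following is an added example, not code from the original post; the function and variable names are my own, the expected sysctl values are the ones shown above, and the sample configs in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the original post). hibernation_mode() models
# the rule quoted above; audit_sysctls() compares live values with those shown
# in the post. Run with --live on a real system; without arguments it only
# defines the functions so they can be sourced and tested.

# hibernation_mode CONFIG_TEXT CMDLINE_TEXT
# Prints the outcome for a kernel built with the given .config and booted with
# the given command line:
#   unsupported - CONFIG_HIBERNATION is not set (the linux-hardened case)
#   hibernation - hibernation built in and kASLR either not built or disabled
#   kaslr       - both built in and no nokaslr on the command line (default)
hibernation_mode() {
    config="$1"
    cmdline=$(printf '%s' "$2" | tr '\n' ' ')
    if ! printf '%s\n' "$config" | grep -q '^CONFIG_HIBERNATION=y$'; then
        echo unsupported; return 0
    fi
    if ! printf '%s\n' "$config" | grep -q '^CONFIG_RANDOMIZE_BASE=y$'; then
        echo hibernation; return 0
    fi
    case " $cmdline " in
        *" nokaslr "*) echo hibernation ;;
        *)             echo kaslr ;;
    esac
}

# check_setting NAME ACTUAL EXPECTED: prints OK/WARN, returns 1 on mismatch
check_setting() {
    if [ "$2" = "$3" ]; then
        printf 'OK   %s = %s\n' "$1" "$2"
    else
        printf 'WARN %s = %s (expected %s)\n' "$1" "$2" "$3"; return 1
    fi
}

# audit_sysctls: read live values; expected values are those from the post
audit_sysctls() {
    rc=0
    for pair in kernel.dmesg_restrict=1 kernel.kptr_restrict=2 \
                net.core.bpf_jit_enable=1 kernel.yama.ptrace_scope=1; do
        name=${pair%=*}; want=${pair#*=}
        have=$(sysctl -n "$name" 2>/dev/null || echo missing)
        check_setting "$name" "$have" "$want" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_sysctls || true
    [ -r /proc/config.gz ] && echo "hibernation outcome: $(hibernation_mode \
        "$(zcat /proc/config.gz)" "$(cat /proc/cmdline)")"
fi
```

If /proc/config.gz is absent, the running kernel was built without CONFIG_IKCONFIG_PROC and the .config has to be read from the kernel package instead.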

Tags: #Artix Linux #hardened #kernel #hibernation #Arch Linux #hardening
