Feature #15000
Ensure we benefit from new security features in Linux 4.14
100%
Description
https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
As usual, some of it might need to be enabled on our side, and some of it might require changes in Debian’s src:linux. So as usual I’ll go through this and will file bug reports in Debian and here as needed.
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-11-17 | |
Blocked by Tails - |
Resolved | 2018-02-13 |
History
#1 Updated by intrigeri 2017-11-25 10:53:22
Meta: this does not seem to qualify as Foundations Team work, but I’ll do it anyway.
#2 Updated by intrigeri 2017-11-25 10:53:30
- related to Feature #14999: Upgrade to Stretch 9.3 added
#3 Updated by intrigeri 2017-11-25 20:26:14
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
Besides new GCC plugins (CONFIG_GCC_PLUGINS is disabled in Debian “Until we work out how to package them”), the only candidate that requires opt-in seems to be CONFIG_SLAB_FREELIST_HARDENED, which “should render blind heap overflow bugs much more difficult to exploit” + adds a naive detection of double free or corruption.
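A minimal user-space model of the two behaviours quoted above (freelist pointer obfuscation and the naive double-free check), added here as an illustration; it is not kernel code and not part of the original ticket. The struct, the names toy_free, toy_alloc and scenario, the fixed secret and the two stand-in objects are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of one SLUB cache: the next-free pointer lives inside each free
 * object (offset 0 here), where an overflow from a neighbour can reach it. */
struct toy_cache {
    uintptr_t random; /* per-cache secret, random in the kernel */
    void *freelist;   /* head of the LIFO freelist */
    int hardened;     /* models CONFIG_SLAB_FREELIST_HARDENED=y */
};

/* XOR with the secret and the slot address; one call encodes and decodes. */
static void *freelist_ptr(const struct toy_cache *c, void *p, uintptr_t slot)
{
    return c->hardened ? (void *)((uintptr_t)p ^ c->random ^ slot) : p;
}

/* Returns -1 where the hardened kernel would BUG(): the object being freed
 * is already the freelist head, i.e. an immediate double free. */
static int toy_free(struct toy_cache *c, void *obj)
{
    if (c->hardened && obj == c->freelist) return -1;
    *(void **)obj = freelist_ptr(c, c->freelist, (uintptr_t)obj);
    c->freelist = obj;
    return 0;
}

static void *toy_alloc(struct toy_cache *c)
{
    void *obj = c->freelist;
    if (obj) c->freelist = freelist_ptr(c, *(void **)obj, (uintptr_t)obj);
    return obj;
}

/* Constructed scenario: free a, free b, free b again, allocate twice. Bits:
 * 1 = b's slot held a's raw address, 2 = double free refused, 4 = aliasing. */
static int scenario(int hardened)
{
    static void *a[4], *b[4]; /* pointer-aligned stand-in objects */
    struct toy_cache c = { (uintptr_t)0x9e3779b9u, NULL, hardened }; /* fixed odd secret */
    toy_free(&c, a);
    toy_free(&c, b);
    int r = (b[0] == (void *)a) ? 1 : 0;
    if (toy_free(&c, b) != 0) r |= 2;
    if (toy_alloc(&c) == toy_alloc(&c)) r |= 4;
    return r;
}

int main(void) { printf("unhardened=%d hardened=%d\n", scenario(0), scenario(1)); return 0; }
```

Without hardening, the freed object stores its neighbour's raw address and the repeated free leaves the list pointing at itself, so two allocations return the same object; with hardening, the stored value is masked and the repeated free is refused.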
#4 Updated by intrigeri 2017-11-29 09:30:30
intrigeri wrote:
> CONFIG_SLAB_FREELIST_HARDENED, which “should render blind heap overflow bugs much more difficult to exploit” + adds a naive detection of double free or corruption.
FWIW, the commit message for the latter improvement suggests it’s only useful “without slub_debug and KASAN”. We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It’s not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement. Whatever, there’s another benefit that comes with CONFIG_SLAB_FREELIST_HARDENED so I’ll ask src:linux maintainers to consider enabling it anyway.
#5 Updated by intrigeri 2017-11-29 09:46:30
Reported https://bugs.debian.org/883069, let’s see how it goes.
#6 Updated by intrigeri 2017-11-29 09:47:08
- % Done changed from 10 to 50
#7 Updated by cypherpunks 2017-12-05 04:45:12
intrigeri wrote:
> FWIW, the commit message for the latter improvement suggests it’s only useful “without slub_debug and KASAN”. We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It’s not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement.
KASAN is not designed for improving security any more than ASAN is. If it behaves like userspace ASAN, it can only deterministically catch trivial linear buffer overflows. SLUB debugging on the other hand is likely what provides the fasttop-like behavior, and that would be enough. I would be extremely surprised if it also required KASAN.
#8 Updated by intrigeri 2017-12-10 15:06:07
- related to deleted (Feature #14999: Upgrade to Stretch 9.3)
#9 Updated by intrigeri 2017-12-10 15:06:22
- related to Feature #14976: Upgrade the Linux kernel to get KPTI added
#10 Updated by intrigeri 2017-12-24 11:01:55
- Type of work changed from Research to Wait
#11 Updated by intrigeri 2018-01-16 12:59:19
- Target version changed from Tails_3.5 to Tails_3.6
I want to let the src:linux maintainers focus on currently more pressing matters (Meltdown/Spectre and their fallout) so I won’t ping them yet.
#12 Updated by intrigeri 2018-02-13 12:05:28
CONFIG_SLAB_FREELIST_HARDENED was enabled in commit 3fa67126b5924 (src:linux’ Vcs-Git) and is documented as pending in the changelog for 4.15.2-1~exp1. Let’s see if Linux 4.15 lands in sid in time for Tails 3.6.
#13 Updated by intrigeri 2018-02-13 12:06:18
- blocked by Feature #15309: Upgrade to Linux 4.15 added
#14 Updated by intrigeri 2018-02-19 12:26:26
- Assignee changed from intrigeri to bertagaz
- QA Check set to Ready for QA
- Feature Branch set to feature/15309-linux-4.15
- Type of work changed from Wait to Code
In a Tails built from this branch:
$ grep '^CONFIG_SLAB_FREELIST_HARDENED=' /boot/config-4.15.0-1-amd64
CONFIG_SLAB_FREELIST_HARDENED=y
#15 Updated by bertagaz 2018-02-21 14:04:21
- Status changed from In Progress to Fix committed
- Assignee deleted (bertagaz)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
Everything’s fine here then, and Feature #15309 has been merged, so closing.
#16 Updated by bertagaz 2018-03-14 11:09:44
- Status changed from Fix committed to Resolved