Feature #15000

Ensure we benefit from new security features in Linux 4.14

Added by intrigeri 2017-11-25 10:51:27. Updated 2018-03-14 11:09:44.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-11-25
Due date:
% Done: 100%
Feature Branch: feature/15309-linux-4.15
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/

As usual, some of it might need to be enabled on our side, and some of it might require changes in Debian’s src:linux. So as usual I’ll go through this and will file bug reports in Debian and here as needed.


Related issues

  • Related to Tails - Feature #14976: Upgrade the Linux kernel to get KPTI (Resolved, 2017-11-17)
  • Blocked by Tails - Feature #15309: Upgrade to Linux 4.15 (Resolved, 2018-02-13)

History

#1 Updated by intrigeri 2017-11-25 10:53:22

Meta: this does not seem to qualify as Foundations Team work, but I’ll do it anyway.

#2 Updated by intrigeri 2017-11-25 10:53:30

#3 Updated by intrigeri 2017-11-25 20:26:14

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Besides new GCC plugins (CONFIG_GCC_PLUGINS is disabled in Debian “Until we work out how to package them”), the only candidate that requires opt-in seems to be CONFIG_SLAB_FREELIST_HARDENED, which “should render blind heap overflow bugs much more difficult to exploit” + adds a naive detection of double free or corruption.
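
Added example, not part of the original ticket and not kernel code: a simplified user-space model in C of the two effects of CONFIG_SLAB_FREELIST_HARDENED quoted in the comment above. It assumes the Linux 4.14 scheme of XOR-ing each stored freelist pointer with a per-cache random value and the address it is stored at; toy_cache, mangle, toy_free, toy_alloc and all sample values are hypothetical names and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code: 'secret' stands in for the per-cache random value. */
struct toy_cache { int hardened; uintptr_t secret; void *head; };

/* Encode or decode a stored next pointer (XOR is its own inverse). */
static uintptr_t mangle(const struct toy_cache *c, uintptr_t p, uintptr_t slot) {
    return c->hardened ? p ^ c->secret ^ slot : p;
}

/* Returns -1 when obj is already the freelist head (naive double-free check). */
int toy_free(struct toy_cache *c, void *obj) {
    if (c->hardened && obj == c->head)
        return -1;
    *(uintptr_t *)obj = mangle(c, (uintptr_t)c->head, (uintptr_t)obj);
    c->head = obj;
    return 0;
}

/* Pop the head; the next head is decoded from the word stored in it. */
void *toy_alloc(struct toy_cache *c) {
    void *obj = c->head;
    if (obj)
        c->head = (void *)mangle(c, *(uintptr_t *)obj, (uintptr_t)obj);
    return obj;
}

/* Corrupt the head's stored pointer with 'written'; return the resulting next head. */
uintptr_t next_after_overwrite(int hardened, uintptr_t secret, uintptr_t written) {
    uintptr_t a[2], b[2];            /* two constructed objects */
    struct toy_cache c = { hardened, secret, NULL };
    toy_free(&c, a);
    toy_free(&c, b);                 /* freelist: b -> a */
    b[0] = written;                  /* writer knows neither secret nor &b */
    toy_alloc(&c);                   /* pops b, decodes the corrupted word */
    return (uintptr_t)c.head;
}

/* Free one object twice; return the result of the second free. */
int second_free_result(int hardened) {
    uintptr_t a[2];
    struct toy_cache c = { hardened, 0x5a5a5a5a, NULL };
    toy_free(&c, a);
    return toy_free(&c, a);
}

int main(void) {
    printf("second free: plain %d, hardened %d\n", second_free_result(0), second_free_result(1));
}
```

In the model, the unhardened freelist takes an overwritten pointer at face value, while the hardened one decodes it into an address the writer did not choose. The double-free check only catches an object that is still the freelist head, which is why the ticket calls it naive.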

#4 Updated by intrigeri 2017-11-29 09:30:30

intrigeri wrote:
> CONFIG_SLAB_FREELIST_HARDENED, which “should render blind heap overflow bugs much more difficult to exploit” + adds a naive detection of double free or corruption.

FWIW, the commit message for the latter improvement suggests it’s only useful “without slub_debug and KASAN”. We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It’s not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement. Whatever, there’s another benefit that comes with CONFIG_SLAB_FREELIST_HARDENED so I’ll ask src:linux maintainers to consider enabling it anyway.

#5 Updated by intrigeri 2017-11-29 09:46:30

Reported https://bugs.debian.org/883069, let’s see how it goes.

#6 Updated by intrigeri 2017-11-29 09:47:08

  • % Done changed from 10 to 50

#7 Updated by cypherpunks 2017-12-05 04:45:12

intrigeri wrote:
> FWIW, the commit message for the latter improvement suggests it’s only useful “without slub_debug and KASAN”. We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It’s not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement.

KASAN is not designed for improving security any more than ASAN is. If it behaves like userspace ASAN, it can only deterministically catch trivial linear buffer overflows. SLUB debugging on the other hand is likely what provides the fasttop-like behavior, and that would be enough. I would be extremely surprised if it also required KASAN.

#8 Updated by intrigeri 2017-12-10 15:06:07

#9 Updated by intrigeri 2017-12-10 15:06:22

  • related to Feature #14976: Upgrade the Linux kernel to get KPTI added

#10 Updated by intrigeri 2017-12-24 11:01:55

  • Type of work changed from Research to Wait

#11 Updated by intrigeri 2018-01-16 12:59:19

  • Target version changed from Tails_3.5 to Tails_3.6

I want to let the src:linux maintainers focus on currently more pressing matters (Meltdown/Spectre and their fallout) so I won’t ping them yet.

#12 Updated by intrigeri 2018-02-13 12:05:28

CONFIG_SLAB_FREELIST_HARDENED was enabled in commit 3fa67126b5924 (src:linux’ Vcs-Git) and is documented as pending in the changelog for 4.15.2-1~exp1. Let’s see if Linux 4.15 lands in sid in time for Tails 3.6.

#13 Updated by intrigeri 2018-02-13 12:06:18

#14 Updated by intrigeri 2018-02-19 12:26:26

  • Assignee changed from intrigeri to bertagaz
  • QA Check set to Ready for QA
  • Feature Branch set to feature/15309-linux-4.15
  • Type of work changed from Wait to Code

In a Tails built from this branch:

$ grep '^CONFIG_SLAB_FREELIST_HARDENED=' /boot/config-4.15.0-1-amd64 
CONFIG_SLAB_FREELIST_HARDENED=y

#15 Updated by bertagaz 2018-02-21 14:04:21

  • Status changed from In Progress to Fix committed
  • Assignee deleted (bertagaz)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Everything’s fine here then, and Feature #15309 has been merged, so closing.

#16 Updated by bertagaz 2018-03-14 11:09:44

  • Status changed from Fix committed to Resolved