* "Hardened" tree on kernel.org?
@ 2018-08-31 17:44 Konstantin Ryabitsev
2018-09-10 12:24 ` Yves-Alexis Perez
0 siblings, 1 reply; 3+ messages in thread
From: Konstantin Ryabitsev @ 2018-08-31 17:44 UTC (permalink / raw)
To: kernel-hardening
Hi, all:
There's a lot of excellent work being done on this list and as part of
KSPP that enjoys limited exposure due to long and arduous upstreaming
process. I am wondering if some of the proposed changes would see wider
testing if there was a curated semi-official "hardened" tree hosted on
kernel.org that would carry kernel hardening patches proposed for
inclusion into mainline. There is at least one project that does
something like this:
https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-stable-rt.git
though there's the distinction that, to my knowledge, RT is not intended
to be upstreamed.
I think wider testing and adoption would be easier if there was a place
for folks to download a "hardened Linux tarball" -- with the
understanding that it would include features that may or may not
eventually make it into mainline. I know it's a lot of work, and I'm
certainly not volunteering for it (I don't have the right set of skills
for this), but I believe there is a demand for such resource among
security enthusiasts and security-minded distros.
In a sense, this would shadow Greg's work -- taking the latest stable
tree and porting a hardening patchset on top of it. Maybe one of the LTS
trees, too?
Do you think this would be a worthwhile thing, or would that distract
from overall mainlining goals?
-K
* Re: "Hardened" tree on kernel.org?
From: Yves-Alexis Perez @ 2018-09-10 12:24 UTC (permalink / raw)
To: Konstantin Ryabitsev, kernel-hardening; +Cc: Daniel Micay
On Fri, 2018-08-31 at 13:44 -0400, Konstantin Ryabitsev wrote:
> Do you think this would be a worthwhile thing, or would that distract
> from overall mainlining goals?
Hi Konstantin,
I think it would be a nice addition. There are already bits here and there,
the most prominent one being https://github.com/thestinger/linux-hardened /
https://github.com/AndroidHardeningArchive/linux-hardened from Daniel Micay
(added to CC although I guess he's subscribed).
Maybe Kees maintains KSPP-related stuff somewhere.
I think having a central repository of "vouched" stuff would be nice, even if it
includes things not ready for mainline.
Regards,
--
Yves-Alexis
* Re: "Hardened" tree on kernel.org?
From: Kees Cook @ 2018-09-10 16:03 UTC (permalink / raw)
To: Yves-Alexis Perez; +Cc: Konstantin Ryabitsev, Kernel Hardening, Daniel Micay
On Mon, Sep 10, 2018 at 5:24 AM, Yves-Alexis Perez <corsac@debian.org> wrote:
> On Fri, 2018-08-31 at 13:44 -0400, Konstantin Ryabitsev wrote:
>> Do you think this would be a worthwhile thing, or would that distract
>> from overall mainlining goals?
>
> I think it would be a nice addition. There are already bits here and there,
> the most prominent one being https://github.com/thestinger/linux-hardened /
> https://github.com/AndroidHardeningArchive/linux-hardened from Daniel Micay
> (added to CC although I guess he's subscribed)
>
> Maybe Kees maintains KSPP-related stuff somewhere.
>
> I think having a central repository of "vouched" stuff would be nice, even if it
> includes things not ready for mainline.
KSPP is just a "focus group" of the upstream kernel, not a separate
project, so we're part of the regular development cycle and practices.
Therefore linux-next is where things live before getting merged. Work
that has an obvious upstream maintainer (e.g. arch-specific
hardening) lives in the respective maintainer's tree (e.g. refcount_t went in via
tip/atomic). Less-obvious stuff, or stuff for which I'm the maintainer,
goes via my for-next/kspp tree. An example would be that the stackleak
gcc plugin has been kept up to date there (by Alexander) for several
upstream releases while it continues to get buffeted by review.
Some things aren't ready for merging (e.g. XPFO, SARA, Landlock) due
to needed dependencies or improvements. While each of these has
versions of its patches that work against specific kernel versions,
keeping them forward-ported is a non-trivial bit of work. The
individual authors have been doing that work when they have time and
are doing their next revision, for example. But as such, there isn't
really a "single repository" of hardening work. The effort to
stabilize patches has been focused on getting them into upstream.
So, yes, tl;dr would be: there isn't a separate collection because
I've been trying to get people to focus on upstreaming. Having another
fork doesn't really help the general public. (That said, there _are_
people with distro-like forks of the kernel that HAVE been collecting
things, but I haven't been tracking them: please speak up if you want
to let people know about the work!)
-Kees
--
Kees Cook
Pixel Security