Skip to content

linuxPackages{,_latest,_next}_hardened_ia32Emulation: init #81943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

linuxPackages{,_latest,_next}_hardened_ia32Emulation: init #81943

wants to merge 1 commit into from
+19 −10

Conversation

emilazy
Copy link
Member

@emilazy emilazy commented Mar 7, 2020

Motivation for this change

These are variants of the hardened kernels that leave 32-bit x86
emulation enabled. Though it increases the attack surface, they're
relatively well-trodden code paths, and since I know people currently
sometimes opt for the vanilla kernel in lieu of a hardened one that lets
them continue using Wine, Steam, etc., in practice it'll offer people a
net benefit to security.

Resolves #79798.

@GrahamcOfBorg build linuxPackages_latest_hardened_ia32Emulation

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@emilazy
linuxPackages{,_latest,_next}_hardened_ia32Emulation: init
42c3290 
These are variants of the hardened kernels that leave 32-bit x86
emulation enabled. Though it increases the attack surface, they're
relatively well-trodden code paths, and since I know people currently
sometimes opt for the vanilla kernel in lieu of a hardened one that lets
them continue using Wine, Steam, etc., in practice it'll offer people a
net benefit to security.

Resolves NixOS#79798.
@emilazy emilazy requested a review from joachifm as a code owner March 7, 2020 00:55
@emilazy
Copy link
Member Author

emilazy commented Mar 7, 2020

cc @luis-hebendanz @yegortimoshenko who ❤'d the issue :)

lukateras
lukateras approved these changes Mar 7, 2020
View reviewed changes
Copy link
Member

@lukateras lukateras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Binary emulation does increase attack surface, so another kernel build seems to make sense. Note the new hadenedLinuxPackagesFor function signature.

@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 101-500 labels Mar 7, 2020
@emilazy
Copy link
Member Author

emilazy commented Mar 7, 2020
edited
Loading

@GrahamcOfBorg build linux_latest_hardened_ia32Emulation

@emilazy
Copy link
Member Author

emilazy commented Mar 7, 2020

Should these packages be blacklisted on aarch64? It looks like it might be cross-compiling or something?

@Mic92
Copy link
Member

Mic92 commented Mar 7, 2020
edited
Loading

I am against adding even more kernel package variants since it increases the amount of kernels I need to test when changing kernel options or adding new kernel modules. cc @NeQuissimus @joachifm I would very much prefer if you can decide what options to enable in the hardened profile or hide this option from being build on nixpkgs-review/hydra.

@joachifm
Copy link
Contributor

joachifm commented Mar 7, 2020

When the hardened kernel and profile were first added, the idea was to enable as many mitigations as possible, even to the detriment of features and performance. Now, I'll grant that there's plenty of room for reasonable disagreement about what an acceptable loss of performance/features is versus hardening, but I for one consider breaking proprietary applications and drivers acceptable.

If we could control this feature at boot or runtime, it'd be a no-brainer to make it available and leave it for the admin to decide. Deferring to the admin is my preferred approach for a distro kernel, but in cases where you have to make a yes/no decision at compile time, I think the hardened config must err on the side of hardening.

In any case, I agree with @Mic92 that adding 3 additional package sets to accommodate a single option is probably too much. I think the community has to decide what hardened is supposed to mean and instead adjust the main hardened config accordingly.

@lukateras
Copy link
Member

lukateras commented Mar 7, 2020
edited
Loading

If we could control this feature at boot or runtime, it'd be a no-brainer to make it available and leave it for the admin to decide.

Unfortunately, it seems to be compile time only :(

Now, I'll grant that there's plenty of room for reasonable disagreement about what an acceptable loss of performance/features is versus hardening, but I for one consider breaking proprietary applications and drivers acceptable.

Counterargument: not having it enabled was also a source of a few issue reports before #79798, namely #30702, #51097 (comment), #58240, #67577.

A few other distributions that do ship an optional hardened kernel package also have IA32 emulation enabled:

@joachifm
Copy link
Contributor

joachifm commented Mar 7, 2020

I propose opening a new PR that updates the hardened-config and leave it open for a bit to let interested parties vote on it. I still think its inappropriate despite what arch and alpine do but if users want it then that's fine I guess.

emilazy added a commit to emilazy/nixpkgs that referenced this pull request Mar 7, 2020
@emilazy
linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
b628400 
Per discussion in NixOS#81943.

Resolves NixOS#79798.
@emilazy emilazy mentioned this pull request Mar 7, 2020
Merged
10 tasks
@emilazy
Copy link
Member Author

emilazy commented Mar 7, 2020

Closing in favour of #82006.

@emilazy emilazy closed this Mar 7, 2020
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Mar 15, 2020
@emilazy @dtzWill
linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
6f9a4e9 
Per discussion in NixOS#81943.

Resolves NixOS#79798.

(cherry picked from commit b628400)
@emilazy emilazy deleted the add-linux-hardened-ia32-emulation branch May 8, 2020 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukateras lukateras

@joachifm joachifm

Assignees
No one assigned
Labels
8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

linuxPackages_hardened: add variant with 32-bit emulation?
4 participants
@emilazy @Mic92 @joachifm @lukateras