nixos: allow customizing the kernel RANDSTRUCT seed #53826

Merged
merged 2 commits into from Apr 16, 2019

@delroth delroth commented Jan 12, 2019

Motivation for this change

See #53592. RANDSTRUCT is designed to make kernel exploitation harder through diversification of the builds. Allowing users to set their own RANDSTRUCT seed differentiates their kernel build from the rest of the NixOS hardened users. In a multi-host deployment this can also be used to deploy differently seeded builds on each machine.

I was torn on whether to put this in boot/kernel.nix or create a new module in security/ for the option -- in the end I decided on boot/kernel.nix because it makes the implementation much simpler, but I'm definitely open to the "new module" option too if someone has a strong opinion about this.

Still a NixOS noob, not sure if this is the right way to do things. Let me know!

@joachifm @NeQuissimus fyi

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@joachifm

Nit: Exposing such a specialized feature in the general interface may seem a little ad-hoc.
Are we certain that the seed is only ever used for randstruct? If not, I could see adding it to the general interface, otherwise I'd prefer having this under the hardened module namespace.

@@ -67,6 +68,19 @@ in
description = "A list of additional patches to apply to the kernel.";
};

boot.kernel.randstructSeed = mkOption {
type = types.str;
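
Review bot: `type = types.str` on `boot.kernel.randstructSeed` puts the seed inline in the system configuration, and a value passed to the kernel build is recorded in that build's derivation in the world-readable Nix store, where any local account can read it. The option description should say so, so that users do not treat the seed as hidden from local users. It should also state the expected seed format, since `types.str` accepts any string.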

It'd be neat to be able to read the seed from a file instead (e.g., if I want to share my config but not the seed)

@joachifm

If you don't want to create a new module, there's security/misc

@joachifm

@GrahamcOfBorg build linux_latest_hardened linux linux_latest

@joachifm

@GrahamcOfBorg test hardened

@joachifm joachifm merged commit d7da5e2 into NixOS:master Apr 16, 2019