`hide-hardware-info.service`: hide `/sys/kernel/notes` due to accidental pointer leaks on xen systems. Leak defeats KASLR

[wryMitts]

Looks like an upstream bug caused a leak of sensitive data inside this file on Xen systems. A kernel patch is on the way to fix it but it may be a long time before it's in stable Debian. File permissions are 444.

https://lwn.net/Articles/962782/ https://lore.kernel.org/linux-hardening/202402180028.6DB512C50@keescook/

For example, the startup_xen is built at 0xffffffff82465180 and commit_creds is built at 0xffffffff810ad570 which could read from the /boot/System.map. And the loaded address of startup_xen is 0xffffffffbc265180 which read from /sys/kernel/notes. So the loaded address of commit_creds is 0xffffffffbc265180 - (0xffffffff82465180

• 0xffffffff810ad570) = 0xffffffffbaead570.

I've cc: the hardening list on this, I'm sure the developers there have opinions about this.

Oh eww, why is Xen spewing addresses into the notes section? (This must be how it finds its entry point? But that would be before relocations happen...)

But yes, I can confirm that relocations are done against the .notes section at boot, so the addresses exposed in .notes is an immediate KASLR offset exposure.

[wryMitts]

Closing since this service blocks /sys by default. Issue opened in error