a13xp0p0v / kernel-hardening-checker

A tool for checking the security hardening options of the Linux kernel
GNU General Public License v3.0

Feature request: Check CONFIG_RESET_ATTACK_MITIGATION #11

Closed hannob closed 5 years ago

hannob commented 5 years ago

Thanks for this tool.

I'd propose to add a check for CONFIG_RESET_ATTACK_MITIGATION. This is a feature that on modern systems will set a flag on boot that signals the BIOS to wipe the memory if an unclean shutdown happened. This can protect against some forms of cold boot attacks where you reboot into another system and try to read out the memory from the previous run.

Here's the Kernel submission with some explanation: https://lwn.net/Articles/730006/

It's also explained in this talk: https://www.youtube.com/watch?v=RqvPZnLkP70 (around minute 35)

Bernhard40 commented 5 years ago

This option needs userspace support, otherwise it's not recommended for use: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a

https://bugzilla.redhat.com/show_bug.cgi?id=1532058
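The two halves discussed above, as an added example that is not part of kernel-hardening-checker or the kernel commit linked: a `.config` check for CONFIG_RESET_ATTACK_MITIGATION with the userspace caveat, plus a decoder for the EFI variable the option drives (MemoryOverwriteRequestControl, which the kernel sets to 1 at boot and userspace is expected to clear at a clean shutdown). The efivarfs path and the sample blob are assumptions; the GUID is the one the TCG reset attack mitigation spec defines.

```python
import re
import struct

# GUID of the TCG MemoryOverwriteRequestControl (MOR) EFI variable. With
# CONFIG_RESET_ATTACK_MITIGATION=y the kernel sets bit 0 at boot; without a
# userspace component that clears it at clean shutdown, firmware wipes RAM on
# every boot (the "needs userspace support" caveat from the thread).
MOR_GUID = "e20939be-32d4-41be-a150-897f85d48829"
# Assumed efivarfs location (not taken from the thread).
MOR_EFIVAR = f"/sys/firmware/efi/efivars/MemoryOverwriteRequestControl-{MOR_GUID}"


def check_reset_attack_mitigation(config_text):
    """Return (value, note) for CONFIG_RESET_ATTACK_MITIGATION in a .config."""
    m = re.search(r"^CONFIG_RESET_ATTACK_MITIGATION=(\w+)$", config_text, re.M)
    if m and m.group(1) == "y":
        return "y", "needs userspace support to clear MOR at clean shutdown"
    if re.search(r"^# CONFIG_RESET_ATTACK_MITIGATION is not set$", config_text, re.M):
        return "is not set", "kernel will not request a memory overwrite at boot"
    return None, "option absent from config (unmet dependencies?)"


def parse_efivar(blob):
    """Decode an efivarfs file: 4-byte little-endian attributes, then data."""
    if len(blob) < 5:
        raise ValueError("efivar blob too short")
    attrs = struct.unpack_from("<I", blob, 0)[0]
    return attrs, blob[4:]


def mor_requested(blob):
    """True when MOR bit 0 is set, i.e. firmware will overwrite RAM on next boot."""
    _, data = parse_efivar(blob)
    return bool(data[0] & 1)


def mor_clear_payload(blob):
    """Payload a shutdown hook would write back to clear MOR, attributes kept."""
    attrs, _ = parse_efivar(blob)
    return struct.pack("<I", attrs) + b"\x00"


# Constructed sample: NV|BS|RT attributes (7) and MOR set to 1 by the kernel.
SAMPLE_MOR_BLOB = b"\x07\x00\x00\x00\x01"
SAMPLE_CONFIG = "CONFIG_EFI=y\nCONFIG_RESET_ATTACK_MITIGATION=y\n"
```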

hannob commented 5 years ago

Interesting, is there any userspace tool to do this? Or is this basically unsupported in current systems?

anthraxx commented 5 years ago

@hannob I wanted to look into this for systemd, but forgot for quite a while. Thanks for reminding me. Back then there was no userspace support; theoretically you could add a systemd service, but doing it properly is a bit more tricky. I'm putting this back onto my todo list and will take a dive into how to properly implement this in systemd itself, at a place that could guarantee that all other services etc. are already properly shut down.

a13xp0p0v commented 5 years ago

Hello @hannob @Bernhard40 @anthraxx,

RESET_ATTACK_MITIGATION is a nice option, I will add this check to the script with a comment about userspace support.

That case will be similar to the STATIC_USERMODEHELPER option, which needs userspace support as well (but, as far as I know, enabling it currently breaks the systemd workflow on Ubuntu).

a13xp0p0v commented 5 years ago

Hm... By the way, Ubuntu 18 has RESET_ATTACK_MITIGATION enabled.

anthonyryan1 commented 3 months ago

5 years later...

Has anyone got the userland support for this feature up and running yet?

I'm interested in solutions for either OpenRC or systemd. There are plenty of mentions of the kconfig option, but I can't find any mention of the userland half of this feature.