a13xp0p0v / kernel-hardening-checker

A tool for checking the security hardening options of the Linux kernel
GNU General Public License v3.0

Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL #110

Open wryMitts opened 4 months ago

wryMitts commented 4 months ago

CONFIG_VMLINUX_MAP generates a system.map file, which contains debugging symbols, and other information that may leak information about the kernel. It is automatically generated with the kernel, and it is delivered in Debian packages for the kernel when built with the dpkg-deb mode of the kernel build system.

Kicksecure OS has an automatic script to delete this file when a kernel is installed.

https://forums.whonix.org/t/kernel-hardening-security-misc/7296/84
https://gitlab.tails.boum.org/tails/tails/-/issues/10951
https://en.wikipedia.org/wiki/System.map

The CONFIG_DEBUG_KERNEL option generates a similar, large debug file that can be installed along with the kernel. It is not installed by default, although it is automatically created on the build system. It will cause similar damage to a system.map file. Disabling this option also speeds up kernel build time extensively, and reduces disk usage on the build system. https://wiki.ubuntu.com/Debug%20Symbol%20Packages

a13xp0p0v commented 4 months ago

Hi @wryMitts,

Thanks for the idea.

I think shipping the debug info separately is a good compromise. If system administrators need the kernel debug info, they can install the additional package. Otherwise the system doesn't contain the debug info that might be useful for attackers.

So disabling CONFIG_VMLINUX_MAP and leaving CONFIG_DEBUG_KERNEL enabled provides this compromise. Do you agree?

wryMitts commented 4 months ago

Hi @a13xp0p0v

That is a fair compromise. It may also be a good idea to mention somewhere that the build files should not be on the same machine where kernel security is required, as build files can reveal sensitive information too. Surely some users might build their kernels on the same machine they run the kernels, which negates security.
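As an added example (not code from the kernel-hardening-checker project or from either commenter), here is a small Python check for the outcome of this thread: CONFIG_VMLINUX_MAP disabled, CONFIG_DEBUG_KERNEL left enabled, plus a scan for System.map files left under /boot. The sample .config fragment is constructed, and treating an option that is absent from .config as disabled is an assumption.

```python
import re
from pathlib import Path

# Thread outcome: drop the linker map, keep CONFIG_DEBUG_KERNEL (debug info ships separately).
RECOMMENDED = {
    "CONFIG_VMLINUX_MAP": "is not set",
    "CONFIG_DEBUG_KERNEL": "y",
}

# Constructed sample .config fragment (not a real distro config); VMLINUX_MAP left on so it gets flagged.
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="-hardened"
CONFIG_DEBUG_KERNEL=y
CONFIG_VMLINUX_MAP=y
# CONFIG_DEBUG_INFO is not set
"""

SET_LINE = re.compile(r"^(CONFIG_\w+)=(.*)$")
NOT_SET_LINE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {option: value} for kernel .config text; disabled options map to 'is not set'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_LINE.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := NOT_SET_LINE.match(line):
            opts[m.group(1)] = "is not set"
    return opts

def check_config(text):
    """Compare a .config against RECOMMENDED; returns {option: (expected, actual, ok)}."""
    opts = parse_kconfig(text)
    results = {}
    for opt, want in RECOMMENDED.items():
        got = opts.get(opt, "is not set")  # assumption: absent from .config means disabled
        results[opt] = (want, got, got == want)
    return results

def find_symbol_maps(boot_dir="/boot"):
    """List System.map files under boot_dir, i.e. kernel symbols still present on the file system."""
    root = Path(boot_dir)
    return sorted(str(p) for p in root.glob("System.map*") if p.is_file()) if root.is_dir() else []

if __name__ == "__main__":
    for opt, (want, got, ok) in check_config(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {opt}: expected {want!r}, found {got!r}")
    print("symbol maps on disk:", find_symbol_maps())
```

Point `check_config` at the contents of `/boot/config-$(uname -r)` to check a running system instead of the sample.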