Open cynicsketch opened 3 months ago
https://github.com/Kicksecure/security-misc/issues/253 Issue opened in Kicksecure/security-misc, awaiting further information to become available.
https://github.com/Kicksecure/security-misc/issues/253#issuecomment-2267656246 Seems like Kicksecure is reenabling it. Should be made default here as well, with an override provided since it seems to worsen performance significantly.
https://tails.net/contribute/design/kernel_hardening/
https://gitlab.tails.boum.org/tails/tails/-/issues/19613
https://kspp.github.io/Recommended_Settings
slub_debug is not apparently used in Kicksecure (and friends Whonix and QubesOS).
Tails and KSPP, however, do recommend using slub_debug=FZ, still used in Tails to this day.
In summary of these sources, the consensus is that slub debugging is not generally harmful because the "information leak" is only to root when kernel lockdown is enabled, and that it therefore doesn't matter that kernel pointer hashing is disabled because root should never be compromised.
Concerns of risk of slub debugging would therefore be overstated.
To err on the side of caution, I'd rather hold off on setting this by default and ask for the opinions of other sources more acquainted with this topic, i.e. in Kicksecure, since I am not so much a "security researcher" as "a guy who researches security."