compile time flags hardening

lkrg-org / lkrg

Linux Kernel Runtime Guard

https://lkrg.org

Other

403 stars 72 forks source link

compile time flags hardening #298

Closed adrelanos closed 7 months ago

adrelanos commented 7 months ago

hardening-check lkrg.ko

 Position Independent Executable: not a known ELF type!? ()
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, non-ELF (ignored)
 Immediate binding: no, non-ELF (ignored)
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

Would it make sense to add some compile time hardening flags to the Makefile?

solardiz commented 7 months ago

hardening-check lkrg.ko

You've checked a kernel module mostly for properties expected from a userspace program.

Would it make sense to add some compile time hardening flags to the Makefile?

Maybe, but like what? We generally need to build with the same flags that the kernel builds with, but maybe some compilers have specific desirable flags that we could reasonably detect and override in just one module. Do you have specific well-reasoned suggestions?

As things currently are, we actually have the opposite kind of problem - LKRG fails to work on kernels built with CFI enforcement (ARM BTI #183, Intel CET #272).

solardiz commented 7 months ago

As far as I'm aware, there's currently nothing for us to do on this issue, so I'll close it. If it ever becomes actionable, we can reopen.