Zen Kernel + linux-hardened?
zenbuddhist
Status: Curious
Joined: 12 Dec 2019
Posts: 5
Reply Quote
How difficult would it be to maintain a zen kernel fork with the linux-hardened kernel patches? I'm not exactly sure how simple this question is - but I like the benefits of both the zen kernel and linux-hardened.
Thanks!
Back to top
damentz
Status: Assistant
Joined: 09 Sep 2008
Posts: 1143
Reply Quote
I'm not sure linux hardening patches are a good idea to merge into Zen Kernel, and the answer is a bit complicated.

Without getting into any specifics, most hardening options and patches reduces the performance of the kernel. Just look at what's happening with CPU vulnerability mitigations. Most people that know what's going on add mitigations=off to their default bootloader options to reclaim performance that came stock with their CPU.

There's other options in the kernel that are disabled in Liquorix because for most people, they're never going to be in a scenario where the absence of hardening is going to affect them. Here's an example of one that's disabled in the "General" section of the kernel config:

:: Code ::
CONFIG_SLAB_FREELIST_HARDENED:

Many kernel heap attacks try to target slab cache metadata and
other infrastructure. This options makes minor performance
sacrifices to harden the kernel slab allocator against common
freelist exploit methods.


If you're running untrusted code, and the code is running natively on your server, maybe this is a good idea to turn on. In Liquorix, it's turned off. There's many more options like this that I don't turn on.

So this leads to the hardening patches, they're just going to be like this, and there's always going to be a performance trade off. Or worse, the trade off is you can't properly build third party modules since they might be considered a serious attack surface to your system.

This is why I don't recommend running Liquorix on your servers unless you really know what you're doing. But on a desktop where you choose all the software that's running, Liquorix is fine without all the hardening.
Back to top
zenbuddhist
Status: Curious
Joined: 12 Dec 2019
Posts: 5
Reply Quote
Do you think there is some subset of hardened kernel patches for users who want decreased attack area from interfacing with the internet? For example, if we run our browser in firejail, don't run untrusted code on our system, then we don't need the performance reducing patches from hardened... But perhaps we can still benefit from patches that reduce other attack vectors?
Thanks for brainstorming with me :)
Back to top
Display posts from previous:   

All times are GMT - 8 Hours