The officially official Devuan Forum!

#26 2019-05-13 01:48:40

crankypuss
Member
Registered: 2018-09-15
Posts: 58  

Re: The most secure hardened kernel

alupoj wrote:

I just need to protect information from undesirable modifications.

Suggest this:

1. make sure it's owned by root, an additional hurdle
2. set the file to immutable (chattr), directory recursive etc. as appropriate.

"A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute."

hth

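The two steps suggested in post #26, as an added shell example that is not part of the original post, together with a check that reads `lsattr -R` output and lists files whose `i` flag is absent (for instance because a root process cleared it). The directory `/srv/records`, the function names and the sample listing are constructed for illustration.

```shell
# Added example, not from the thread. Paths and sample data are constructed.

# protect DIR: the two steps from the post. Needs root (or
# CAP_LINUX_IMMUTABLE) and a filesystem that supports the attribute.
protect() {
    chown -R root:root "$1" &&
    chattr -R +i "$1"
}

# missing_immutable: read `lsattr -R` output on stdin and print every path
# whose flag field lacks 'i'. The blank lines and "/dir:" headers that
# `lsattr -R` emits between directories are skipped.
missing_immutable() {
    while IFS= read -r line; do
        flags=${line%% *}
        path=${line#* }
        case $flags in
            ''|*[!A-Za-z-]*) continue ;;   # not a flag field
        esac
        if [ "$flags" = "$line" ]; then continue; fi   # no path column
        case $flags in
            *i*) ;;                        # immutable flag is set
            *)   printf '%s\n' "$path" ;;  # flag missing or cleared
        esac
    done
}

# Constructed sample of `lsattr -R /srv/records` output.
sample_listing() {
    cat <<'EOF'
----i---------e------- /srv/records/ledger.db
--------------e------- /srv/records/notes.txt
----i---------e------- /srv/records/archive

/srv/records/archive:
----ia--------e------- /srv/records/archive/2018.tar
-----a--------e------- /srv/records/archive/2019.log
EOF
}

# Typical use on a live system, as root:
#   protect /srv/records
#   lsattr -R /srv/records | missing_immutable
```

Run from a scheduled job, an empty result means every listed file still carries the flag; any path printed is one to investigate.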

#27 2019-05-13 03:22:22

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Trojans and backdoors including hardware ones can run under root privileges and therefore can change file attributes.

Also, they can change the contents of a file even without the help of the kernel, through drive firmware, unless it is an FS like ZFS with checksums, still being able to make changes at the VFS level.

Last edited by alupoj (2019-05-13 08:47:13)

#28 2019-06-14 03:38:58

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

A good example of a hardware backdoor which can lead to a complete data loss unless ZFS is used for storage.

https://github.com/zfsonlinux/zfs/issues/8845

I guess most modern hardware from China is trojaned, though old hardware from China like:

http://aliexpress.com/item/32446608352.html

PCI 4 Port SATA add on Card with Sil 3114 chip

presumably was not trojaned by modern backdoors, at least if purchased a few years ago, but unfortunately it is too slow by modern criteria: it has only about 50-80Mb/s per disk bandwidth multiplied by the number of disks, tested only with a pair of disks.

Last edited by alupoj (2019-06-19 10:40:51)

#29 2019-06-14 11:31:40

GNUser
Member
Registered: 2017-03-16
Posts: 489  

Re: The most secure hardened kernel

alupoj, if you care this much about your hardware not having backdoors (as I do and as we all should), then you need to use a computer that does not have proprietary BIOS or, even worse, Intel Management Engine or (AMD's) Platform Security Processor. See https://www.fsf.org/blogs/sysadmin/the- … rs-freedom

If you don't already, you should be using a computer with Libreboot (i.e., no proprietary BIOS and Intel Management Engine completely disabled). You can get a laptop with Libreboot on Minifree, Technoethical, or Vikings. There may be more vendors, but these are the ones I know of. I have been happily using a T400 with Libreboot (on which I dual-boot Devuan and OpenBSD) for several years. Everything works perfectly except for virtualization, which I have had to sacrifice. The choice between security and convenience affects everybody.

I second HoaS's plug for OpenBSD. Devuan is one of the best GNU/Linuxen around, but GNU/Linux in general is not about being "most secure". If most secure is what you're looking for, that's what OpenBSD does by default--no need to swap key software components or tweak configuration settings.

Last edited by GNUser (2019-06-14 14:30:24)

#30 2019-06-15 04:32:31

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

I am not sure whom to trust, since some OpenBSD people say that GNU things are partially sponsored by NSA people and that GNU open sources are full of invisible backdoors (maybe just hardly noticeable interfaces to blobbed hardware backdoors). They suggest, for security reasons, avoiding GNU completely, including Linux and Libreboot too. On the other hand, they instantly ban people from their chat for talking there about hardware backdoors. So I conclude that, though OpenBSD is more secure by its correct config and its correct and high-quality program sources, its purpose is not to provide true full security for the masses; it is rather to test OpenBSD on the masses with backdoored hardware and then use the tested OpenBSD software on some actually backdoor-free hardware for very specific VIP persons who sponsor OpenBSD. And such actually secure hardware is not available for public purchase.

On the other hand, many people propose that GNU Libreboot can help to avoid some BIOS backdoors.

Is OpenBSD any better in terms of security than a modern grsecurity + Linux libre kernel like v5.x, if only a few needed services are enabled and each set of services runs on a different librebooted hardware motherboard, to avoid the different security problems of a backdoor escaping chroot/vm/docker/container, etc.? Unused kernel modules would be disabled. I guess the fewer services, modules and other software are enabled, the fewer backdoors there are on the host.

I have found OpenBSD nice as a concept but not convenient for a former Linux user because it has fewer tools; for example, it lacks tools like lsblk to list all partitions.

Say someone has a dedicated librebooted motherboard for a mail server, one dedicated for web, one dedicated for db, etc. These motherboards will not have any devices attached to the PCI/USB/SATA bus except an ethernet card, preferably open source if such exists. They will use NFS/iSCSI/NBD/usbip, etc. for accessing disks and other hardware devices on a dedicated host for device sharing. Sure, disks and other traffic will be encrypted on hosts free of external blobbed hardware devices.

Also, a hardware cryptotoken will be used to keep private keys. Which one would you suggest? Nitrokey Pro 2 or FST-01?

Last edited by alupoj (2019-06-16 02:42:32)

#31 2019-06-15 16:13:03

chris2be8
Member
Registered: 2018-08-11
Posts: 63  

Re: The most secure hardened kernel

If OpenBSD people say GNU sources have invisible backdoors just ask them to point out some of them that have been found (or provide other proof that they exist). If they can't provide any evidence you can safely assume they are just scare stories.

The beauty of having the source code is that it's almost impossible to hide a backdoor in it that no one can find. Admittedly the compiler could be rigged to insert a backdoor when certain programs are compiled, but even that can be found by disassembling the compiler or the backdoored program.

Chris

#32 2019-06-20 19:05:43

GNUser
Member
Registered: 2017-03-16
Posts: 489  

Re: The most secure hardened kernel

For what it's worth, I find FSF/GNU and OpenBSD folks equally trustworthy. They bicker a lot over licensing, style, and other fine points, but the fact that both camps insist on source code being available tells me they have nothing to hide.

Unless a person decides he will become an island to himself and use only his own products, we have no choice but to trust others. So the question is not whether to trust, but who to trust. When it comes to software, I completely trust the FSF/GNU and OpenBSD folks (unless they are talking about each other :)).

Last edited by GNUser (2019-06-20 19:12:09)

#33 2019-07-08 03:18:52

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

I wouldn't use Linux for anything important, OpenBSD is my preferred choice for serious stuff.

What do you think about the possibility of running a modern OpenBSD or another BSD like HardenedBSD on a very old notebook, like one based on the Intel Pentium 1 MMX (production year about 1997)? There are some models with up to 40-80 MEGAbytes of RAM. I guess their BIOSes are too small to inject trojans into such machines, and the CPUs themselves are too old, having backdoors too obsolete to be suitable for modern intrusion methods.

According to:
https://web.archive.org/save/https://ww … uirements/

It shall be possible.

I just need a secure textual console for SSH to my own servers, to at least prevent third parties from stealing my private keys from my textual workstation (I know there are a lot of other attack vectors, including hardware backdoors in the servers themselves).

Does OpenBSD have any support for cryptographic tokens like NitroKey Pro 2 or FST-01 except via Linux compatibility layer which is currently disabled in modern OpenBSD releases?

Modern Linux can run even on a previous generation of hardware like the Intel 486:
https://web.archive.org/web/20180617174 … too-on-486

And I know BSD kernels are famous for their ability to run on very low memory machines compared to Linux.

Maybe the BSD kernel should be recompiled to disable unneeded spare kernel parts/modules, so that they do not consume scarce RAM?

Saved this message:
https://web.archive.org/web/20190708064 … d=2818&p=2

Last edited by alupoj (2019-07-08 06:49:55)

#34 2019-07-08 14:05:38

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: The most secure hardened kernel

^ What about hardware ageing? Anything from the computer world in 1997 is going to have its limitations on hardware viability, depending on what it is and how well it was looked after. A good YouTube channel I often watch that delves into old machines is one called LGR (Lazy Game Reviews): https://www.youtube.com/channel/UCLx053 … WsBETgdKrQ

It is an interesting subject. I am inclined to think that software now, like OpenBSD 6.5, would have some sort of limitation on working with anything from 1997; maybe if you were able to get earlier versions of OpenBSD, that would be better perhaps?

#35 2019-07-08 15:43:02

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 316  

Re: The most secure hardened kernel

Panopticon wrote:

I am inclined to think that software now, like OpenBSD 6.5, would have some sort of limitation on working with anything from 1997; maybe if you were able to get earlier versions of OpenBSD, that would be better perhaps?

OpenBSD is very good at maintaining support for older hardware because they don't try to cram new features into their kernel as fast as possible, unlike the Linux kernel which suffers regressions on an unfortunately regular basis.

@OP: your questions about OpenBSD are off-topic for these boards, perhaps open a thread over at daemonforums.org instead.


Fabricando fit faber

#36 2019-07-08 15:53:37

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: The most secure hardened kernel

^ Not very good at NVIDIA support though.

I have an old AMD Toshiba laptop that is about 12 years old that I am going to see if I can get running with OpenBSD; I just need a new battery pack for it. Back in 1997 I think I was using Win95 on a Gateway IBM clone or some such.

#37 2019-07-08 16:01:24

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

@OP: your questions about OpenBSD are off-topic for these boards, perhaps open a thread over at daemonforums.org instead.

I am not sure if it is off-topic or not; I wonder how to securely attach USB devices to an ancient notebook without USB support.

Linux has a USBIP service to pass through physical USB devices via a TCP/IP network.
http://usbip.sourceforge.net/

How can I link an OpenBSD client to a Linux USB device server via TCP/IP?

For example, I can run Devuan on a single board like an OrangePI or Olinuxino with Ethernet and USB interfaces and connect the Nitrokey Pro 2 to it directly by USB. Then I would like to teleport the USB Nitrokey to the ancient OpenBSD notebook, which has only an old 16bit PCMCIA ethernet card. Though such a slot is NOT compatible with the CardBus specification required for USB cards, I see it as a security advantage because old PCMCIA does not support DMA (sometimes hijacked by malicious USB devices).

PCMCIA Standard Releases 2.0-2.1 (1991-1994)
A series of updates to the standard that provided specifications for I/O, dual-voltage memory cards, improvements in CIS and software interface (Card Services Specification).

PC Card Standard (February 1995)
Added information to improve compatibility, support for 3.3 volt operation, DMA support and 32-bit CardBus.

So I conclude that old 16bit PCMCIA ethernet cards like this do not have DMA access to computer RAM and cannot read out crypto keys with their blobbed firmware, unlike all modern cards.

Actually, a TCP/IP network can be built even on top of an RS232 channel, which may be even more secure than blobbed ethernet card firmware. Maybe a short cable (like a few centimeters) for the connection between the notebook and the single board can make it more secure?

Though I guess such a method is not good enough from a security point of view, in that all Ethernet traffic can leak over side channels like radio emission. But at least if the token does private key operations by itself, without private key extraction outside the token, then only temporary SSH session keys can be leaked via the radio channel produced by the Ethernet "antenna".

Last edited by alupoj (2019-07-08 16:20:36)

#38 2019-07-08 16:32:35

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 316  

Re: The most secure hardened kernel

Panopticon wrote:

not very good at NVIDIA support though

AFAIUI the OpenBSD devs refuse to provide a nouveau equivalent (or port it from Linux) because that would only encourage those NVIDIA bastards to continue providing no support at all to the open source community.

alupoj wrote:

I am not sure if it is off-topic or not; I wonder how to securely attach USB devices to an ancient notebook without USB support.

Well this thread is about secure kernels so USB connections are not at all within that brief.


Fabricando fit faber

#39 2019-07-08 16:38:08

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

Well this thread is about secure kernels so USB connections are not at all within that brief.

One of the problems with security IMHO is that hardware shall be secure too to avoid intrusions even into a very secure kernel. And I need USB to passthrough Nitrokey used for security purposes.

Last edited by alupoj (2019-07-08 16:38:34)
