The officially official Devuan Forum!

You are not logged in.

#1 2019-04-30 12:11:42

alupoj
Member
Registered: 2019-01-25
Posts: 80  

The most secure hardened kernel

Dear Friends,

Please let me know, what are my options today for a secured kernel?

1) Can I use a relatively old kernel v4.9 with a recent level of userspace like Beowulf testing or even newer?

I guess HEADS linux just does it?
https://heads.dyne.org/

How can I compile ZFS on a libre+grsec kernel?
I was not able to compile ZFS even on libre only kernel (without grsec) and grsec only (without libre = grsec with blobs)

If above will be somehow done, is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?

2) Is kFreeBSD kernel a customized version for Linux user space?
It cannot be replaced by a general FreeBSD kernel?
I am thinking about HardenedBSD. Shall it be ported specifically as a kFreeBSD kernel to Debian/Devuan?
Will ZFS work?

3) Can I use in Devuan a Linux kernel from another distro like Alpine, Pentoo, Gentoo hardened, etc. ?

4) How can I remove BLOBS from a general non libre kernel?
Since people think firmwares and microcode anyway are already present in devices it is OK to update them. But I do not think so, since BLOBS in distro are more recent modern and up to date, they may contain more advanced modern backdoors which did not exist 10 years ago when some my hardware was produced. So avoiding firmware updates and any other BLOBs can be beneficial in my opinion.

5) It seems HardenedBSD has a fix for Spectre mitigation. Will it work for guests too in ZONEs and /or BHYVE on a HBSD host?
Is following config secure?
HOST:    Libreboot -> HardenedBSD -> BHYVE
GUEST:  Devuan with a hardened grsecurity kernel v4.9 latest ?
GUEST2: Can I run a nested KVM VM?

Will such Devuan guests be isolated good enough from each other and from host RAM and prevented to read not their RAM areas?

6) Is HardenedBSD much more secure than an Illumos based os like a SmartOS?

7) Do old Intel CPUs like Core 2 Quad Q9500 Yorkfield  have flash memory for microcode?
So once booted into a Live CD like SystemRescueCD they are flashed with a modern microcode and power off does not reset this?
Is it possible to revert microcode version to initial level?

Last edited by alupoj (2019-04-30 12:35:02)

Offline

#2 2019-04-30 17:43:33

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

I guess hardware assisted virtualization of guest will not be protected by hardened kernel of host. But what about using slow Bochs emulation on a HardenedBSD kernel which is stated to mitigate Spectre issues?

HardenedBSD -> Bochs full X86 emulator -> Linux with Grsecurity

What CPU shall be used for a fare performance of just general CLI software utilities like PGP, SSH, etc.  in the guest?

Is Bochs a completely user space app without own kernel modules?
If it is not available directly for FreeBSD, then may be it can be run in a linux compatibility layer of FreeBSD?

Last edited by alupoj (2019-04-30 17:57:41)

Offline

#3 2019-04-30 20:32:37

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

OK, I can't really answer all of your questions (nor am I qualified to do so but that doesn't usually stop me) but I can raise some points.

alupoj wrote:

what are my options today for a secured kernel?

There is a hardening-runtime package in beowulf/ceres that adds sysctl & kernel command line options recommended by the kernel self-protection project that should make the system significantly more secure but note that the sysctl options are applied by a systemd unit file, which won't work in Devaun, so you will have to add them manually instead.

In other distributions, Arch Linux have a linux-hardened kernel version and Parabola GNU/Linux-Libre have a linux-libre-xtreme kernel that also has a "hardened" configuration.

alupoj wrote:

Can I use a relatively old kernel v4.9 with a recent level of userspace like Beowulf testing or even newer?

I would think so, yes, the kernel is fairly self-contained.

But don't run an unsupported kernel version, new vulnerabilities are discovered all the time.

alupoj wrote:

How can I compile ZFS on a libre+grsec kernel?

I don't know but have you got a recent grsec version?

The current grsec configuration is only available at a monetary cost, Alpine Linux dropped their grsec kernel version because they believed applying the last freely-available patches to a current kernel version was not a good approach:

https://lists.alpinelinux.org/alpine-devel/5626.html

And in respect of ZFS, the codebase for that filesystem alone is bigger than the code for the entire OpenBSD base system so the attack surface is *huge* and IMO it is not a good choice for the security-conscious user.

alupoj wrote:

is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?

No, they are not:

https://developer.arm.com/support/arm-s … nerability

They have mitigations in place under Linux though (as does the x86 architecture).

alupoj wrote:

Can I use in Devuan a Linux kernel from another distro like Alpine, Pentoo, Gentoo hardened, etc. ?

Try it and see :-)

Probably better to copy the configuration and roll your own though (compiled under whichever operating system you are using).

alupoj wrote:

How can I remove BLOBS from a general non libre kernel?

Compile your own version instead.

And anyway are you not worried about the firmware blobs on components that do not update from the operating system?

For example, your hard drive controllers are sufficiently complex to pwn your machine: can you say "Stuxnet"?

alupoj wrote:

It seems HardenedBSD has a fix for Spectre mitigation.

So do Linux & OpenBSD.


Brianna Ghey — Rest In Power

Offline

#4 2019-05-01 02:50:14

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

OK, I can't really answer all of your questions (nor am I qualified to do so but that doesn't usually stop me) but I can raise some points.

Thank you very much for your suggestions.

Head_on_a_Stick wrote:

There is a hardening-runtime package in beowulf/ceres that adds sysctl & kernel command line options recommended by the kernel self-protection project that should make the system significantly more secure

Please let me know, where can I see a progress and status of KSPP?
How the latest KSPP does compare to Grsecurity 4.9 and latest?

Head_on_a_Stick wrote:

In other distributions, Arch Linux have a linux-hardened kernel version and Parabola GNU/Linux-Libre have a linux-libre-xtreme kernel that also has a "hardened" configuration.

Are these hardened kernels hardened by KSPP?

Head_on_a_Stick wrote:

But don't run an unsupported kernel version, new vulnerabilities are discovered all the time.

There are opinions that a universal patch like Grsecurity prevents more potential new yet unknown security related problems than many up to date fixes to specific already discovered issues.

Head_on_a_Stick wrote:
alupoj wrote:

How can I compile ZFS on a libre+grsec kernel?

I don't know but have you got a recent grsec version?

No, just v4.9

Head_on_a_Stick wrote:

And in respect of ZFS, the codebase for that filesystem alone is bigger than the code for the entire OpenBSD base system so the attack surface is *huge* and IMO it is not a good choice for the security-conscious user.

Is ZFS still good for remote backups to another host with ZFS via NFS/FTP/iSCSI, etc. ?
Then what FS shall be used on a secured host? Ext3?

Head_on_a_Stick wrote:
alupoj wrote:

is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?

No, they are not:
https://developer.arm.com/support/arm-s … nerability

I did not find the models I mentioned in your list. These models (A7 and A53) have in order execution without speculative.

Head_on_a_Stick wrote:

And anyway are you not worried about the firmware blobs on components that do not update from the operating system?

Provided hardware does not have flash for keeping last latest update then initial factory firmware can be very old like 10 years old and most likely its backdoors are too obsolete compared to what would be preferred by 3 letter agencies. So IMO it would prevent at least update of backdoors to their modern more advanced variant.

Head_on_a_Stick wrote:

For example, your hard drive controllers are sufficiently complex to pwn your machine: can you say "Stuxnet"?

I guess modern storage like SSD and HDD can have a remote control via radio channel and they can modify data, especially add their own boot loader before loader expected by user. It is in addition to possible attack onto side channel like SATA bus and other buses EMI. It may contain a virtualization trojan in one of unreachable rings of CPU and monitor the whole system RAM and phone to home, may be even by satellite channels, I am not sure how they connect to their management head. May be all internet switches have backdoors to hide some packets or modify them with some hidden data, so that sniffer does not see anything suspicious? Or may be they camouflage in rare DNS queries, I do not know. So the most bad thing about modern storage can be a possibility of remote command to destroy all data. Many other problems can be solved by whole disk encryption for isolation of disk firmware from data on it and ZFS on top of encryption to
constantly verify data consistency.

Storage components are generally the most often upgraded hardware, most desirable by user, having budget even in tough times and therefore can be an attractive place to injects the latest NSA trojan developments even yet on factories.

Head_on_a_Stick wrote:
alupoj wrote:

It seems HardenedBSD has a fix for Spectre mitigation.

So do Linux & OpenBSD.

Is an idea of nesting virtual machines with such different hardened kernels (each with mitigation) good for improving whole security of the system and isolation of guests if full emulation like Bochs is used on each level?

Earlier without kernel mitigation it did not help, even high level browser JavaScript in a guest could escape into hypervisor host RAM.

Last edited by alupoj (2019-05-01 05:23:31)

Offline

#5 2019-05-01 03:11:59

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

A snapshot of this topic:

https://web.archive.org/web/20190501030 … ?pid=15774

Someone already changed my password during I posted this, I had to reset my password.

Offline

#6 2019-05-01 04:40:02

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Re: The most secure hardened kernel

Don't you need a valid PW to change the PW?  Or does this forum have an "I forgot my PW" option?  (Too lazy to log out to see if it's there.)

Offline

#7 2019-05-01 05:21:04

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

golinux wrote:

Don't you need a valid PW to change the PW?  Or does this forum have an "I forgot my PW" option?  (Too lazy to log out to see if it's there.)

Joke? Is password reset used to find a recipient in recent Echelon data to avoid mining deeper into older layers?

Last edited by alupoj (2019-05-01 05:30:09)

Offline

#8 2019-05-01 06:58:01

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Re: The most secure hardened kernel

alupoj wrote:
golinux wrote:

Don't you need a valid PW to change the PW?  Or does this forum have an "I forgot my PW" option?  (Too lazy to log out to see if it's there.)

Joke? Is password reset used to find a recipient in recent Echelon data to avoid mining deeper into older layers?

I have no idea what you're talking about.

Offline

#9 2019-05-01 08:26:03

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

My password changed again by someone smile

Btw, if you look at participants of frenode irc channel #ufo

They are also often on channels like #security, #devuan, #conspiracy, #mempo, #freedomeartch, etc.

Last edited by alupoj (2019-05-01 08:26:42)

Offline

#10 2019-05-01 19:55:10

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

alupoj wrote:

where can I see a progress and status of KSPP?

https://git.kernel.org/pub/scm/linux/ke … curity.git

alupoj wrote:

How the latest KSPP does compare to Grsecurity 4.9 and latest?

https://grsecurity.net/compare.php

alupoj wrote:
Head_on_a_Stick wrote:

In other distributions, Arch Linux have a linux-hardened kernel version and Parabola GNU/Linux-Libre have a linux-libre-xtreme kernel that also has a "hardened" configuration.

Are these hardened kernels hardened by KSPP?

I think they use the configurations recommended by the KSPP, check the upstream sources for the details.

For example: https://git.archlinux.org/svntogit/pack … x-hardened

alupoj wrote:

There are opinions that a universal patch like Grsecurity prevents more potential new yet unknown security related problems than many up to date fixes to specific already discovered issues.

That may very well be the case but forward-porting an old patch to a newer kernel is not at all easy to do, may not work properly and might introduce more bugs & vulnerabilities.

This is why Alpine decided to drop their grsec-patched kernel version, see my mailing list link for the discussion.

alupoj wrote:

Then what FS shall be used on a secured host?

OpenBSD's filesystem is probably the most secure smile

For GNU/Linux I really don't know and I'm probably not the best person to ask anyway.

alupoj wrote:

is it possible to do the same for ARM Cortex A7/A53? Are these CPUs immune for Spectre?

Head_on_a_Stick wrote:

I did not find the models I mentioned in your list. These models (A7 and A53) have in order execution without speculative.

Yes, sorry, I was wrong about that.

alupoj wrote:

Is an idea of nesting virtual machines with such different hardened kernels (each with mitigation) good for improving whole security of the system and isolation of guests if full emulation like Bochs is used on each level?

If you want to use hypervisors for isolation then look at Xen instead.

Or vmm(4) smile


Brianna Ghey — Rest In Power

Offline

#11 2019-05-02 03:07:35

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

If you want to use hypervisors for isolation then look at Xen instead.

Or vmm(4) smile

It seems XEN has/had problems too:
https://xenbits.xen.org/xsa/advisory-254.html

Offline

#12 2019-05-02 03:42:17

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:
alupoj wrote:

How the latest KSPP does compare to Grsecurity 4.9 and latest?

https://grsecurity.net/compare.php

I thought it is a comparison to old KSPP.
If it is a modern KSPP then it looks like loosing to Grsecurity very much?

Do underground groups exist who resell up to date releases of Grsecurity patches for a lower price than original with modern kernels in sources? GPL does not prohibit this.

Does Grsecurity company watermark their patches per each client?
I guess some watermarking can be removed by obfuscating and/or removing fragments not influencing on code understanding like comments, whitespaces, etc.

Offline

#13 2019-05-02 18:48:48

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

alupoj wrote:

I thought it is a comparison to old KSPP.

The page was updated last year so it is quite old, check the commits to the KSPP repository since then to see if anything has changed.

alupoj wrote:

loosing to Grsecurity very much

Yes indeed, the kernel devs have never been very interested in security-related issues and the KSPP looks like lip-service to me (not that I'm qualified to judge).

I wouldn't use Linux for anything important, OpenBSD is my preferred choice for serious stuff.

alupoj wrote:

Do underground groups exist who resell up to date releases of Grsecurity patches for a lower price than original with modern kernels in sources?

I don't know.

The last freely-available grsec patches don't protect against Spectre or Meltdown so they're useless now.

alupoj wrote:

Does Grsecurity company watermark their patches per each client?

No idea.


Brianna Ghey — Rest In Power

Offline

#14 2019-05-03 02:04:00

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

I wouldn't use Linux for anything important, OpenBSD is my preferred choice for serious stuff.

What do you think about LibertyBSD compared to OpenBSD?
The last release they did is 6.1, but there are scripts even for 6.2 and 6.3 in their repository:
https://notabug.org/jadedctrl/libertybsd-scripts-mirror

And what do you think about HardenedBSD  compared to OpenBSD?
https://hardenedbsd.org/content/easy-feature-comparison

I love Devuan+Trinity as my desktop and as an application server.
May be running them in VM guests on secured BSD (Open and/or Hardened) hosts will make my Devuan more secure.

I also thought about Illumos as a VM host but did not find any comparison to HBSD hardening features.

What would be the best for a secure ZFS server providing iSCSI blocks for OpenBSD hosts or guests connected via physical Ethernet? I guess it is HBSD?

OpenBSD encrypted FS -> physical Ethernet -> HBSD with ZFS

Is it possible to manually remove firmware blobs from OpenBSD and HBSD without many scripts like in LibertyBSD? Just not installing non-free packages and remove any blob files like  firmwares from file system? Shall OpenBSD/HBSD kernel still be recompiled to avoid ALL blobs?

Noticable that all actual security patches are refugees from their original distros. I guess sponsors of mainline kernels actually are not interested in too much outstanding security.

They are more interested in being able to steal user's data exclusively via intelligent services instead of providing protection against this smile And that is why OpenBSD is a refugee from NetBSD, HBSD from a FreeBSD and Grsecurity from Linux mainline.

What do you think about security of Talos II hardware platform? It looks like a better option than Libreboot (with blobed firmwares yet) ?
https://www.raptorcs.com/content/base/faq.html
May be if more companies realize problems with security of their data on their current server configs they will purchase more Power9 computers and may be pricing will become more fair due to effect of mass production? More used Talos will be available on ebay.

Last edited by alupoj (2019-05-07 06:30:39)

Offline

#15 2019-05-03 21:42:55

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

alupoj wrote:

What do you think about LibertyBSD compared to OpenBSD?

I think their criticisms of the firmware included with OpenBSD are not valid.

AFAIUI, the OpenBSD developers' attitude is that if the user has hardware that needs blobs to function then it should be installed automatically because if the user didn't want this then they wouldn't buy that hardware.

After all, any hardware that doesn't download the firmware from the operating system has the firmware installed at the factory instead so just de-blobbing the operating system does not fix the problem (this also applies to the Libreboot project).

alupoj wrote:

And what do you think about HardenedBSD  compared to OpenBSD?

Yes, HardenedBSD has some neat features but it's based on FreeBSD and the developers of that operating system have the same "features first" attitude as the Linux devs so the changes are a sticking plaster rather than a from-scratch "correct" implementation.

But I'm no expert smile

alupoj wrote:

secure ZFS server

IMO this is an oxymoron due to the complexity of ZFS.

alupoj wrote:

Is it possible to manually remove firmware blobs from OpenBSD and HBSD without many scripts like in LibertyBSD?

Yes, just read their scripts to see what they do smile

alupoj wrote:

Just not installing non-free packages and remove any blob files like  firmwares from file system? Shall OpenBSD/HBSD kernel still be recompiled to avoid ALL blobs?

There are no non-free packages in OpenBSD.

The firmware included in the source tree for OpenBSD is CPU microcode, which is needed to prevent instabilities in the hardware so I don't think removing it would help.

I would be more worried about hard drive controllers and other components that don't upload firmware from the OS.

alupoj wrote:

What do you think about security of Talos II hardware platform?

Yes, I am a big fan of Talos & POWER9, that architecture is much better than the x86 garbage.

If I was in the market for a desktop system then I would buy one of their Blackbird systems in preference to any of that Xeon nonsense.

But the problem of embedded firmware for the other components on the motherboard remains no matter what the hype from Talos may claim...


Brianna Ghey — Rest In Power

Offline

#16 2019-05-07 04:39:58

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Head_on_a_Stick wrote:

The firmware included in the source tree for OpenBSD is CPU microcode, which is needed to prevent instabilities in the hardware so I don't think removing it would help.

I have an Intel Q9500 which is very stable without microcode updates in a Libre kernel,
though just after plugged it  into the socket I experienced many undesirable reboots in 10-100 seconds since powering on my computer each time.

The magic happened after booting into SystemRescueCD which made the whole system super stable even after many further power cycles. I think something was flashed during booting into BLOBed SystemRescueCD, but I don't know what exactly, may be simply a boot sector was modified unnoticed, but I am not sure how it is related with a CPU replacement.

Head_on_a_Stick wrote:

I would be more worried about hard drive controllers and other components that don't upload firmware from the OS.

Cannot disk drive firmwares be isolated by whole encryption of everything (kernel and system root FS and data of course too) when booting from Libreboot+GRUB both flashed into the motherboard and then special chipset register set to disable further flashes during this power cycle? I would prefer to cut a flash chip pin to prohibit its reflashing, but I was told it is not like them work.

alupoj wrote:

What do you think about security of Talos II hardware platform?
Yes, I am a big fan of Talos & POWER9, that architecture is much better than the x86 garbage.

But the problem of embedded firmware for the other components on the motherboard remains no matter what the hype from Talos may claim...

OpenPower9 CPUs still may have secret backdoors and/or trojans injected on the factory though missing in open documentation. Without a Libre Silicon tech process it is hard to discover a backdoor, is it correct? I guess the same applies to any CPU designed say by national militarists but with production outsourced for example to South Korea or to any other factory, may be even a factory on their own territory can be hacked to produce backdoored chips.
To have more confidence of lack of backdoors there shall be a method for verification which is available for example when Libre Silicon is used. You know there are so many strange incidents with different aircraft recently.

Are any Libre Silicon CPUs going to be released and supported on some motherboards any soon?

Last edited by alupoj (2019-05-08 18:42:57)

Offline

#17 2019-05-07 09:00:56

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Black box

Offline

#18 2019-05-08 09:33:32

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

I think that modern hardware with a loadable firmware actually has a flash rom to keep the latest version of code for backdoors and trojans they ever seen from a user loaded.

A firmware can consist of several parts (at least two):
1) a public blob with code for the device to work well, it loads to device volatile RAM
2) a secret blob (as a part of puplic blob) with code for backdoors and trojans, it loads to device flash rom (persistent non-volatile)

So even if another time you run device with an older loadable firmware provided it still runs with the latest backdoors it remembered from another newer loaded earlier firmware.

For example if CPU reports it has an old level of microcode it does not mean it never seen and learned in its flash rom a newer modern trojan BLOB.

This makes people position promoting the latest BLOBs in loaded firmwares (as you have factory firmware anyway) less strong IMHO.

Last edited by alupoj (2019-05-08 09:39:06)

Offline

#19 2019-05-08 17:56:40

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

If you're really paranoid about CPU manufacturers then you could buy an FPGA and create an OpenSPARC, POWER9 or RISC-V microarchitecture on the chip, for example:

https://www.microsemi.com/product-direc … n-your-own

Not very practical though smile


Brianna Ghey — Rest In Power

Offline

#20 2019-05-10 07:31:39

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Please let me know, is there on the list:

https://www.openbsd.org/plat.html

a hardware platform open enough to provide a verifiable method to be sure there are no trojans and may be even no backdoors in the hardware and closed firmwares?

What do you think about possibility of backdoors in:
https://www.openbsd.org/armv7.html
?

Some ARM boards are advertised as fully open source working and booting without BLOBs.
For example Olinuxino if I understand it correctly at least without 3D Video.
As another example if I understand correctly Raspberry PI is NOT open source, it requires some closed BLOBs to boot?

Can Olinuxino like board (or may be another brand) work with fully open source software OS like OpenBSD without firmware BLOBs and without closed source drivers?

May be Beaglebone Black is such board?

What about Orange PI? They look very budget.
http://www.orangepi.org/orangepiplus2/
It has a relatively old (which is IMHO good) 4 core Cortex A7 32 bit CPU WITHOUT speculative execution.

What board is secure enough to run OpenBSD just for a terminal console?
Is it secure to use USB ports on such a board to plug crypto tokens like Nitrokey?

Will OpenBSD work with Nitrokey via opensc from OBSD ports?
Will GPG and SSH work on OBSD with Nitrokey encryption?

May be with  a mechanical switch to disconnect keys just after being used to establish a session like SSH?

Is it a good idea to use ZX Spectrum Next (VGA, PC Keyboard) as a serial virtual text terminal to Beaglebone Black running OpenBSD? I guess there shall be less backdoors in resource deficit computer like ZX ?

ZX spectrum or like it -> RS232 -> Beaglebone Black running OBSD with FST-01 attached -> SSH -> managed hosts with hardware tokens like FST-01 attached for keeping private keys

Last edited by alupoj (2019-05-11 02:50:26)

Offline

#21 2019-05-11 15:29:06

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

alupoj wrote:

OpenPower9 CPUs still may have secret backdoors and/or trojans injected on the factory though missing in open documentation. Without a Libre Silicon tech process it is hard to discover a backdoor, is it correct? I guess the same applies to any CPU designed say by national militarists but with production outsourced for example to South Korea or to any other factory, may be even a factory on their own territory can be hacked to produce backdoored chips.
To have more confidence of lack of backdoors there shall be a method for verification which is available for example when Libre Silicon is used. You know there are so many strange incidents with different aircraft recently.

Are any Libre Silicon CPUs going to be released and supported on some motherboards any soon?

An article about adding backdoors to the chips at production phase:
https://www.eecs.umich.edu/cse/awards/p … P_2016.pdf

Offline

#22 2019-05-12 08:29:35

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

Can firmwares of SATA and USB devices access host RAM via DMA? For example to read encryption keys.

Will having a workstation (host) free of devices on any buses except open source Ethernet make it more secure?

Workstation ZFS+Luks -> iSCSI -> a computer used as different buses host, for example as iSCSI target to its local SATA devices.

Can in such case SATA firmwares still access Workstation RAM via iSCSI randomly?

Last edited by alupoj (2019-05-12 08:30:35)

Offline

#23 2019-05-12 15:57:17

chris2be8
Member
Registered: 2018-08-11
Posts: 264  

Re: The most secure hardened kernel

If you need to ask questions like that the three safest options are:

1: Keep it all in your head. And only discuss it face to face when safe from listening devices.

2: Only use pencil and paper etc, not computers.

3: Only use computers that are never connected to the internet at all. And be very careful if you need to copy data from the internet onto them, eg burn it to CD/DVD on an internet connected system, read it on the safe system, then destroy the disk to ensure data can't ever get out.

And think carefully about the threat model if you need to resort to any of the above options.

Chris

Offline

#24 2019-05-12 16:42:46

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: The most secure hardened kernel

^ +1

@OP, I'm far from expert on this subject so I will refrain from answering any more of your questions apart from mentioning that the arm64 OpenBSD port is particularly interesting because the developers have managed to remove all ROP gadgets from their kernel:

https://www.openbsd.org/papers/asiabsdc … -paper.pdf

Last edited by Head_on_a_Stick (2019-05-12 16:43:10)


Brianna Ghey — Rest In Power

Offline

#25 2019-05-12 17:27:02

alupoj
Member
Registered: 2019-01-25
Posts: 80  

Re: The most secure hardened kernel

chris2be8 wrote:

If you need to ask questions like that the three safest options are:

1: Keep it all in your head. And only discuss it face to face when safe from listening devices.

2: Only use pencil and paper etc, not computers.

3: Only use computers that are never connected to the internet at all. And be very careful if you need to copy data from the internet onto them, eg burn it to CD/DVD on an internet connected system, read it on the safe system, then destroy the disk to ensure data can't ever get out.

And think carefully about the threat model if you need to resort to any of the above options.

Chris

Unfortunately according to:

https://forums.gentoo.org/viewtopic-t-1 … rt-25.html

Your suggestions most likely would not help.

I just need to protect information from undesirable modifications.
Most likely it is not possible to protect it from reading today and actually never was possible.

Last edited by alupoj (2019-05-13 09:48:16)

Offline

Board footer