From 19fac127e63de01471d1b551c14cf8aa87637e41 Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <marta.rybczynska@huawei.com>
Date: Tue, 25 May 2021 07:45:41 +0200
Subject: [PATCH] linux-yocto: Add kernel hardening by default

Add kernel hardening options based on the Kernel Self Protection Project
recommendations [1] and set them in the default kernel.

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 .../recipes-kernel/linux/linux-yocto-all.inc    |  9 +++++++++
 .../linux/linux/hardening_allocator.cfg         | 10 ++++++++++
 .../linux/linux/hardening_allocator_perf.cfg    | 15 +++++++++++++++
 .../linux/linux/hardening_disable_misc.cfg      | 12 ++++++++++++
 .../linux/linux/hardening_dmesg.cfg             |  6 ++++++
 .../linux/linux/hardening_fortify_source.cfg    |  7 +++++++
 .../linux/linux/hardening_memory.cfg            | 10 ++++++++++
 .../linux/linux/hardening_oops.cfg              |  7 +++++++
 .../linux/linux/hardening_usercopy.cfg          |  8 ++++++++
 .../linux/linux/hardening_validation_checks.cfg | 17 +++++++++++++++++
 10 files changed, 101 insertions(+)
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg
 create mode 100644 meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg

diff --git a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
index 81334c2d..0db2de8e 100644
--- a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
+++ b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
@@ -5,6 +5,15 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
 
 SRC_URI += "file://misc.cfg"
+SRC_URI += "file://hardening_allocator.cfg"
+SRC_URI += "file://hardening_allocator_perf.cfg"
+SRC_URI += "file://hardening_disable_misc.cfg"
+SRC_URI += "file://hardening_dmesg.cfg"
+SRC_URI += "file://hardening_fortify_source.cfg"
+SRC_URI += "file://hardening_memory.cfg"
+# SRC_URI += "file://hardening_oops.cfg"
+SRC_URI += "file://hardening_usercopy.cfg"
+SRC_URI += "file://hardening_validation_checks.cfg"
 
 # For the gcc-plugins build of the kernel we need to ensure the right include
 # path for headers is picked up to use the natively build dependencies.
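Review bot: The commented-out `hardening_oops.cfg` entry carries no rationale, yet the fragment itself is still added by this commit, so a reader cannot tell whether panic-on-oops was rejected for this target or merely postponed. State it on the line, e.g. `# hardening_oops.cfg not applied: PANIC_ON_OOPS + PANIC_TIMEOUT=-1 turns every oops into an immediate reboot; enable once that trade-off is accepted for this device`, or drop the file from the commit. Separately, fragment symbols whose Kconfig dependencies are unmet on the target (for instance CONFIG_DEBUG_WX on an architecture without W+X checking support, or CONFIG_FORTIFY_SOURCE without compiler support) are silently left out of the final .config; the kernel-yocto configcheck audit reports such mismatches and is presumably worth treating as a failure for these hardening fragments rather than a warning.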
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg
new file mode 100644
index 00000000..918b9b09
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Randomize freelist order. Reduces predictability of the kernel slab allocator
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+#
+# Randomize the page allocator. Can improve performance
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
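Review bot: The comment on CONFIG_SHUFFLE_PAGE_ALLOCATOR (`# Randomize the page allocator. Can improve performance`) gives only the performance motive and says nothing about how the feature is activated. The free-list shuffling is only switched on when the kernel detects a memory-side cache or when `page_alloc.shuffle=1` is on the kernel command line, which is why KSPP lists that boot parameter alongside the Kconfig option; without it the `=y` here is inert on most embedded boards. Suggest `# Randomize page allocator free lists (less predictable page placement); active only with page_alloc.shuffle=1 on the command line or a detected memory-side cache` so whoever owns the bootloader arguments knows to set it.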
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg
new file mode 100644
index 00000000..254845e0
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Fill pages with poison when freed. Requires page_poison=1 at the kernel boot
+CONFIG_PAGE_POISONING=y
+CONFIG_PAGE_POISONING_NO_SANITY=y
+CONFIG_PAGE_POISONING_ZERO=y
+#
+# Zero memory when allocated. Can disable with init_on_alloc=0 on the kernel boot
+# Might have performance impact
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
+# Zero memory when freed. Can disable with init_on_free=0 on the kernel boot
+# Can have performance impact
+CONFIG_INIT_ON_FREE_DEFAULT_ON=y
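Review bot: The comment on CONFIG_PAGE_POISONING correctly says it needs `page_poison=1` at boot, but nothing in this patch sets the kernel command line, so as far as the commit shows the three PAGE_POISONING options are dead until someone wires that up elsewhere. With CONFIG_INIT_ON_FREE_DEFAULT_ON=y already zeroing pages on free, PAGE_POISONING_ZERO plus PAGE_POISONING_NO_SANITY adds essentially the same sanitization a second time (NO_SANITY drops the check that would actually catch a write-after-free), so if the boot parameter is not going to be set the poisoning trio could be removed in favour of init_on_free alone. Note also that PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO were removed from upstream in 5.11 in favour of init_on_free, so they will be silently ignored if the kernel this layer tracks is newer than that; a comment such as `# Only effective with page_poison=1 on the command line; overlaps with init_on_free below` would make the intent reviewable.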
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg
new file mode 100644
index 00000000..2f7b3ea0
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Make sure heap randomization is enabled
+# CONFIG_COMPAT_BRK is not set
+
+# Remove /proc/kcore
+# CONFIG_PROC_KCORE is not set
+
+# Disable wrapped binary formats
+# CONFIG_BINFMT_MISC is not set
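Review bot: Disabling CONFIG_BINFMT_MISC is a KSPP recommendation, but the comment `# Disable wrapped binary formats` does not mention the functional consequence: userspace can no longer register interpreters for foreign binaries, which breaks things like qemu-user-static for cross-architecture containers, Wine, and some JVM launchers that rely on binfmt registration. If nothing in the image depends on it, say so, e.g. `# Disable binfmt_misc (no interpreter registration for foreign binaries; nothing in this image uses it)`, so a later integrator does not re-enable it by surprise.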
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg
new file mode 100644
index 00000000..b03fa4ec
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Restict unprivlidged users from reading the kernel dmesg
+CONFIG_SECURITY_DMESG_RESTRICT=y
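Review bot: The comment has two typos; suggest `# Restrict unprivileged users from reading the kernel log (dmesg)`. Worth adding that this only sets the build-time default of the `kernel.dmesg_restrict` sysctl and can be flipped back at runtime, and that KSPP pairs it with `kernel.kptr_restrict=1`, which is a sysctl rather than a Kconfig option and therefore has to be provided by the image's sysctl configuration, not by these fragments.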
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg
new file mode 100644
index 00000000..0a4ce1c3
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Detect buffer overflows on string and memory functions, when the compiler
+# can verify the buffer sizes
+CONFIG_FORTIFY_SOURCE=y
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg
new file mode 100644
index 00000000..81ca6b12
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Report dangerous memory permissions W+X (write+execute) at boot time
+# Output is in the dmesg log
+CONFIG_DEBUG_WX=y
+
+# Disable access to all memory for root
+# CONFIG_DEVMEM is not set
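Review bot: The comment `# Disable access to all memory for root` overstates what unsetting CONFIG_DEVMEM does: it removes /dev/mem only, while /dev/kmem (CONFIG_DEVKMEM, still present in kernels before 5.13) and /dev/port (CONFIG_DEVPORT) are separate options that stay at whatever the base defconfig sets. Suggest `# Remove /dev/mem (raw physical memory access); DEVKMEM and DEVPORT are separate options` and, where the tracked kernel still has it, `# CONFIG_DEVKMEM is not set` next to it. Also note that CONFIG_DEBUG_WX only reports W+X mappings in dmesg, which this series restricts to privileged users, so the report is only useful if something actually reads the boot log; it does not prevent the mapping.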
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg
new file mode 100644
index 00000000..8a31e870
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Always panic when get an oops
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_TIMEOUT=-1
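Review bot: `CONFIG_PANIC_TIMEOUT=-1` is undocumented here and its sign matters: a negative value means reboot immediately, 0 means wait forever, and a positive value is a delay in seconds, so combined with CONFIG_PANIC_ON_OOPS=y every oops becomes an instant device reboot with no window to capture state. That is a defensible choice for an unattended device, but it also means any kernel bug reachable from unprivileged userspace is a trivially repeatable reboot, and the fragment gives no hint of that trade-off. Suggest `# Reboot immediately on panic (negative timeout = no delay, 0 would hang); with PANIC_ON_OOPS this turns every oops into a reboot`.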
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg
new file mode 100644
index 00000000..ed14f4a2
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Perform boundary checks on memory when copying to/from the kernel.
+# Also disable whitelisting with the above check
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
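Review bot: The comment `# Also disable whitelisting with the above check` says the opposite of what leaving CONFIG_HARDENED_USERCOPY_FALLBACK unset does: the fallback is what lets a copy touching a non-whitelisted region of a slab object proceed with only a warning, so disabling it enforces the usercopy whitelists rather than disabling them. Suggest replacing the line with `# Enforce slab usercopy whitelists: without the fallback, copies outside a whitelisted region are rejected instead of merely warned about`, otherwise the next reader may "fix" it by turning the fallback on.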
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg
new file mode 100644
index 00000000..3f6f7343
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Needed for CONFIG_SCHED_STACK_END_CHECK
+CONFIG_DEBUG_KERNEL=y
+
+# Validate common data structures
+# add CONFIG_DEBUG_CREDENTIALS=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+
+# Do a BUG() if a data corruption is detected
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+# Check stack overflow when calling schedule()
+CONFIG_SCHED_STACK_END_CHECK=y
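Review bot: `# add CONFIG_DEBUG_CREDENTIALS=y` reads as a leftover TODO rather than a decision: it is the one item in the "Validate common data structures" group that is commented out, it is on the KSPP list the commit cites, and nothing says why it was left off. Either enable it, or if it was excluded deliberately (for example for its overhead on credential operations) replace the line with a comment stating that, e.g. `# CONFIG_DEBUG_CREDENTIALS intentionally not set: <reason>`, so the gap is auditable against the reference list.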
-- 
GitLab