Hardening Options Enabled in Ragnarok's Kernel Build

Ragnarok's build of the Linux kernel enables many hardening options, most of which are recommended by the Kernel Self Protection Project (KSPP)[1].

Ragnarok's build vs Debian's

Ragnarok's kernel is built using the same source as Debian[2] and simply modifies its configuration to enable options not present in Debian's build.

At first glance, the most significant difference is that Ragnarok's kernel is built using the full LLVM/Clang toolchain, and uses control flow integrity[3] and ThinLTO[4].

For the sake of transparency, a diff file showing the differences between Debian and Ragnarok's builds can be viewed here:

https://raw.githubusercontent.com/RagnarokOS/kernel-build/refs/heads/master/config.diff

Hardening Options

The following options are enabled in Ragnarok's kernel. Some of these are also enabled in Debian's build, while others aren't.

• CONFIG_CFI_CLANG=y: enable Control Flow Integrity
• CONFIG_BUG=y: report BUG conditions and kill the offending process
• CONFIG_STRICT_KERNEL_RWX=y: make sure kernel page tables have safe permissions
• CONFIG_DEBUG_RWX=y: report any dangerous memory permissions
• CONFIG_STACKPROTECTOR=y, CONFIG_STACKPROTECTOR_STRONG=y: use fstack-clash-protector-strong for best stack canary coverage CONFIG_STRICT_DEVMEM=y, CONFIG_IO_STRICT_DEVMEM=y: enable strict physical memory access
• CONFIG_SYN_COOKIES=y: provide some protections against SYN flooding CONFIG_DEBUG_CREDENTIALS=y, CONFIG_DEBUG_NOTIFIERS=y, CONFIG_DEBUG_LIST=y, CONFIG_DEBUG_SG=y, CONFIG_DEBUG_VIRTUAL=y, CONFIG_BUG_ON_DATA_CORRUPTION=y, CONFIG_SCHED_STACK_END_CHECK=y: perform additional validation of various commonly targeted structures
• CONFIG_SECCOMP=y, CONFIG_SECCOMP_FILTER=y: reduce syscall attack surface with seccomp BPF API
• # CONFIG_LDISC_AUTOLOAD is not set: make sure line disciplines can't be autoloaded
• CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y: Provide userspace with ptrace ancestry protections
• CONFIG_SECURITY_LANDLOCK: provide userspace with Landlock MAC interface
• CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y: enable "lockdown" LSM for bright line between the root user and kernel memory
• CONFIG_HARDENED_USERCOPY=y: perform usercopy bounds checking
• CONFIG_SLAB_FREELIST_RANDOM=y, CONFIG_SLAB_FREELIST_HARDENED=y: randomize allocator freelists
• CONFIG_SHUFFLE_PAGE_ALLOCATOR=y: allow for randomization of high-order page allocation freelist
• CONFIG_SLUB_DEBUG=y: allow allocator validation checking to be enabled
• CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, CONFIG_INIT_ON_FREE_DEFAULT_ON=y : wipe slab and page allocations
• CONFIG_INIT_STACK_ALL_ZERO=y: initialize all stack variables on function entry
• CONFIG_VMAP_STACK=y: adds guard pages to kernel stacks
• CONFIG_FORTIFY_SOURCE=y: check for memory copoes that might overflow a structure in str*() and mem*() functions both at build-time and run-time
• CONFIG_SECURITY_DMESG_RESTRICT=y: avoid kernel memory address exposures via dmesg
• CONFIG_RANDOMIZE_KSTACK_OFFSET=y, CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y: randomize kernel stack offset on syscall entry
• CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set: force IOMMU TLB invalidation so devices will never be able to access stale data contents
• CONFIG_RANDOM_TRUST_BOOTLOADER=y, CONFIG_RANDOM_TRUST_CPU=y: get as much entropy as possible from external sources
• CONFIG_RANDSTRUCT_FULL=y: randomize the layout of system structures
• CONFIG_SCHED_CORE=y: make scheduler aware of SMT codes
• CONFIG_ZERO_CALL_USED_REGS=y: wipe all caller-used registers on exit
• CONFIG_RESET_ATTACK_MITIGATION=y: wipe RAM at reboot via EFI
• # CONFIG_ACPI_CUSTOM_METHOD is not set: enabling this allows direct physical memory writing
• # CONFIG_COMPAT_BRK is not set: enabling this would disable brk ASLR
• # CONFIG_HIBERNATION is not set: enabling this would allow replacement of running kernel
• # CONFIG_LEGACY_PTYS is not set: use modern PTY interface only
• CONFIG_PANIC_ON_OOPS=y: panic if the kernel experiences an Oops
• CONFIG_PANIC_TIMEOUT=0: allow user to reboot after a kernel panic (useful to read panic message)
• CONFIG_DEBUG_SET_MODULE_RONX=y, CONFIG_STRICT_MODULE_RWX=y, CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, CONFIG_MODULE_SIG_ALL=y, CONFIG_MODULE_SIG_SHA512=y, CONFIG_MODULE_SIG_HASH="sha512", CONFIG_MODULE_SIG_KEY="certs/signing_key.pem": modules must be signed with a per-build key to load
• CONFIG_DEFAULT_MMAP_MIN_ADDR=65536: disallow allocating the first 64k of memory
• CONFIG_RANDOMIZE_BASE=y, CONFIG_RANDOMIZE_MEMORY=y: randomize position of kernel and memory
• CONFIG_LEGACY_VSYSCALL_NONE=y: remove unneeded fixed-position mapping in userspace
• CONFIG_PAGE_TABLE_ISOLATION=y: enable Kernel Page Table Isolation to remove entire class of chache timing side-channels
• CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, CONFIG_AMD_IOMMU_V2=y: enable chip-specific IOMMU support

Trade-off

Unlike Debian's kernel, Ragnarok's build does not support secure boot. Users who prefer using secure boot can use Debian's default kernel instead, and will still benefit from some of the above hardening options via pre set sysctl values and bootloader parameters shipped with the ragnarok-base package.

Links

[1] https://kspp.github.io/Recommended_Settings
[2] https://packages.debian.org/bookworm/linux-source
[3] https://clang.llvm.org/docs/ControlFlowIntegrity.html
[4] https://clang.llvm.org/docs/ThinLTO.html