Kicksecure/Whonix security-misc boot time kernel parameters missing #9570
Comments
hoppity2
added
P: default
|
@adrelanos Tagging Patrick as it's relevant, this is a Qubes-Whonix related issue. |
|
This is very much expected - if a qube's kernel is provided by dom0 (the default), kernel parameters are set in dom0 (kernelopts property). If qube wants to control its own kernel (including kernel options), there is the "(provided by qube)" option (that you found already). @adrelanos would you like for Whonix to use kernel from within qube by default? |
|
Ok, but as a user who knows security-misc is installed I would expect all of those hardening settings to apply. Also it would be good if all of those hardening settings did apply. This functionality should be documented, as it's not something the user would expect and people are lacking that extra security hardening. Anyway a partial work around is to add those parameters into the Dom0 VM KernelOpts, though as noted not all of them can fit it, max 512 chars. |
I would appreciate very much if #5212 was implemented and if Qubes in-VM kernel would become Qubes default (for Debian templates). However, only doing this for Qubes-Whonix might be troublesome. This is problematic because it would derivate from Qubes Debian kernel default kernel. This is unmaintainable, because if there are Qubes VM kernel specific crashes, issues, then these would be reported by users to Whonix where I would have no possibility to debug these except saying "please reproduce this in Qubes Debian and report the bug to Qubes". |
|
Ok, thanks for the responses. I'm doubtful much progress would be made on #5212 anytime soon as the kernel is reliability critical. @marmarek what would you suggest so I can enable all of the security-misc kernel boot time hardening options (I can manually workout and test to which ones work)? Again with my suggestion of increasing the length of the kernel opts VM attribute. |
That's not going to happen anytime soon because it's problematic for VMs with PCI devices (especially when using Debian kernel, due to old wifi drivers, but there are also other factors like significantly slower boot time in HVM mode). But those issues do not apply to Whonix, so it could be used there. |
|
Given this excellent news to me...
Yes, please. That would fix a lot of issues. |
How to file a helpful issue
Qubes OS release
Qubes 4.2
Brief summary
The added kernel boot parameters from Kicksecure's/Whonix's security-misc don't get added to the kernel upon VM boot.
Steps to reproduce
These can be reproduced in the templates as well as other VMs in general, but I'll just use template VMs here for simplicity.
/etc/default/grub.d, in particular40_cpu_mitigations.cfgand40_kernel_hardening.cfg.ls /etc/default/grub.dsudo journalctl -rsearch for the start of the boot in the logs (search for:Command line:).(provided by qube). Apply this. You may need to change the HVM virtualization to get it to boot./etc/default/grub.dare present.For example:
Command line: root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 clocksource=tsc xen_scrub_pages=0 swiotlb=2048 apparmor=1 security=apparmorCommand line: root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 clocksource=tsc xen_scrub_pages=0 swiotlb=2048 apparmor=1 security=apparmorCommand line: root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 clocksource=tsc xen_scrub_pages=0 swiotlb=2048 apparmor=1 security=apparmorCommand line: root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 clocksource=tsc xen_scrub_pages=0 swiotlb=2048 apparmor=1 security=apparmorCommand line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-27-amd64 root=/dev/mapper/dmroot ro xen_scrub_pages=0 root=/dev/mapper/dmroot console=tty0 console=hvc0 swiotlb=8192 noresume clocksource=tsc mitigations=auto,nosmt nosmt=force spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force l1d_flush=on mmio_stale_data=full,nosmt retbleed=auto,nosmt gather_data_sampling=force reg_file_data_sampling=on slab_nomerge slab_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off kfence.sample_interval=100 vdso32=0 amd_iommu=force_isolation intel_iommu=on iommu=force iommu.passthrough=0 iommu.strict=1 efi=disable_early_pci_dma random.trust_bootloader=off random.trust_cpu=off extra_latent_entropy loglevel=0 quietExpected behavior
If I install security-misc or if it's already installed the kernel boot parameters are applied irrespective if you are using a kernel in the template or one provided by Dom0.
Actual behavior
When using the Dom0 provided kernel in a VM it doesn't apply the security-misc's kernel parameters located in
/etc/default/grub.d.A workaround for this is to simply copy the boot params into Dom0 and set them with
qvm-prefs [VM NAME] kernelopts "[KERNEL PARAMS]". However unfortunately kernelopts can only hold up to a maximum of 512 characters, so there isn't enough characters to fit them all in, for future proofing in the meantime perhaps increase this up to say 5120 characters.Other
Searched on Qubes issues and Kicksecure security-misc issues, couldn't find a similar issue.
The text was updated successfully, but these errors were encountered: