Kernel Hardening: Linux Kernel Runtime Guard

Import the Linux Kernel Runtime Guard (LKRG) from OpenWall by Adam Zabrocki and and Alex Peslyak. LKRG provides additional tiers of mitigation by actively hashing and validating kernel memory regions, further restricting access to common LPE and escape vectors, as well as mechanisms for modifying the running kernel commonly used to bypass LSMs. LKRG can be built directly into the kernel to provide enforcement from early-boot, but should be deployed as a module initially while tunables and operational stability are ironed out and validated on this platform. More information is available at the projects homepage: https://www.openwall.com/lkrg/ and in their source repo: https://github.com/openwall/lkrg
sonic-net · Apr 19, 2021 · 6e62be4 · 6e62be4
1 parent a32997c
commit 6e62be4
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/patch/0000-Linux-Kernel-Runtime-Guard.patch b/patch/0000-Linux-Kernel-Runtime-Guard.patch
@@ -0,0 +1,25 @@
+diff --git i/security/Kconfig w/security/Kconfig
+index 0d798a1f4..f53076cd1 100644
+--- i/security/Kconfig
++++ w/security/Kconfig
+@@ -321,6 +321,7 @@ source security/loadpin/Kconfig
+ source security/yama/Kconfig
+
+ source security/integrity/Kconfig
++source security/lkrg/Kconfig
+
+ choice
+ 	prompt "Default security module"
+diff --git i/security/Makefile w/security/Makefile
+index 507ac8c52..c2a7493be 100644
+--- i/security/Makefile
++++ w/security/Makefile
+@@ -33,3 +33,8 @@ obj-$(CONFIG_INTEGRITY)			+= integrity/
+
+ # Allow the kernel to be locked down
+ obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
++
++# LKRG file list
++subdir-$(CONFIG_SECURITY_LKRG)         += lkrg
++obj-$(CONFIG_SECURITY_LKRG)            += lkrg/
++