From 6e62be44652910f31665fdc5b391b44f4a86c400 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Mon, 19 Apr 2021 11:20:30 -0400
Subject: [PATCH] Kernel Hardening: Linux Kernel Runtime Guard

Import the Linux Kernel Runtime Guard (LKRG) from OpenWall by Adam
Zabrocki and Alex Peslyak.

LKRG provides additional tiers of mitigation by actively hashing and
validating kernel memory regions, further restricting access to common
LPE and escape vectors, as well as mechanisms for modifying the running
kernel commonly used to bypass LSMs.

LKRG can be built directly into the kernel to provide enforcement from
early-boot, but should be deployed as a module initially while tunables
and operational stability are ironed out and validated on this platform.

More information is available at the project's homepage:
https://www.openwall.com/lkrg/
and in their source repo:
https://github.com/openwall/lkrg
---
 patch/0000-Linux-Kernel-Runtime-Guard.patch | 25 +++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 patch/0000-Linux-Kernel-Runtime-Guard.patch

diff --git a/patch/0000-Linux-Kernel-Runtime-Guard.patch b/patch/0000-Linux-Kernel-Runtime-Guard.patch new file mode 100644 index 000000000..2ee6bbf70 --- /dev/null +++ b/patch/0000-Linux-Kernel-Runtime-Guard.patch 
@@ -0,0 +1,25 @@ +diff --git i/security/Kconfig w/security/Kconfig +index 0d798a1f4..f53076cd1 100644 +--- i/security/Kconfig ++++ w/security/Kconfig +@@ -321,6 +321,7 @@ source security/loadpin/Kconfig + source security/yama/Kconfig + + source security/integrity/Kconfig ++source security/lkrg/Kconfig + + choice + prompt "Default security module" +diff --git i/security/Makefile w/security/Makefile +index 507ac8c52..c2a7493be 100644 +--- i/security/Makefile ++++ w/security/Makefile +@@ -33,3 +33,8 @@ obj-$(CONFIG_INTEGRITY) += integrity/ + + # Allow the kernel to be locked down + obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o ++ ++# LKRG file list ++subdir-$(CONFIG_SECURITY_LKRG) += lkrg ++obj-$(CONFIG_SECURITY_LKRG) += lkrg/ ++
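Review bot: In the security/Kconfig hunk, the added line "source security/lkrg/Kconfig" refers to a file that nothing in this commit creates; the diffstat shows a single new file, the 25-line patch itself, and the same holds for the lkrg/ directory named in the security/Makefile hunk. Kconfig stops with an error when a sourced file is missing, so a tree with only this patch applied will not configure. Suggest stating, in the commit message or in a short header at the top of the patch file, which build step places the LKRG sources under security/lkrg/ and which LKRG release they come from.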
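Review bot: In the security/Makefile hunk, the context lines include "obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o", so the hunk applies only to a tree that already carries that line; given the 0000- prefix on the file name, please confirm the series order leaves that line in place when this patch is applied. The hunk also ends with an added blank line at the end of the Makefile, which can be dropped. The comment "# LKRG file list" sits above two directory entries (subdir- and obj- for lkrg/) rather than a list of files, so a comment such as "# Linux Kernel Runtime Guard" would describe them better.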