From 1b9bf8fa7559d1bbf030f3fe3513d25eada65a41 Mon Sep 17 00:00:00 2001 From: Pierre Bourdon Date: Fri, 11 Jan 2019 12:32:53 +0100 Subject: [PATCH 1/2] kernel: make the RANDSTRUCT seed deterministic --- .../os-specific/linux/kernel/manual-config.nix | 18 +++++++++++++++++- .../linux/kernel/randstruct-provide-seed.patch | 12 ++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 6adc3a33bb0..4b570c1fe94 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -88,7 +88,10 @@ let inherit src; - patches = map (p: p.patch) kernelPatches; + patches = + map (p: p.patch) kernelPatches + # Required for deterministic builds along with some postPatch magic. + ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch; prePatch = '' for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do @@ -99,6 +102,19 @@ let sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|" ''; + postPatch = '' + # Set randstruct seed to a deterministic but diversified value. Note: + # we could have instead patched gen-random-seed.sh to take input from + # the buildFlags, but that would require also patching the kernel's + # toplevel Makefile to add a variable export. This would be likely to + # cause future patch conflicts. + if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then + substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \ + --replace NIXOS_RANDSTRUCT_SEED \ + $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') + fi + ''; + configurePhase = '' runHook preConfigure diff --git a/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch new file mode 100644 index 00000000000..1328b9cee3c --- /dev/null +++ b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch @@ -0,0 +1,12 @@ +diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh +--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100 ++++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100 +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: GPL-2.0 + + if [ ! -f "$1" ]; then +- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ SEED="NIXOS_RANDSTRUCT_SEED" + echo "const char *randstruct_seed = \"$SEED\";" > "$1" + HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` + echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" From b26c824da3d982beb46384b9d75421b9635878d4 Mon Sep 17 00:00:00 2001 From: Pierre Bourdon Date: Tue, 8 Jan 2019 12:15:05 +0100 Subject: [PATCH 2/2] Revert "Revert "Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT""" The issue with out-of-tree modules has been addressed and the feature should now be good to re-enable again. This reverts commit 865f7a14b49786a2ed55c5ecf3e994f6a3099e8c. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 4fadd447654..ed540a9e751 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -125,6 +125,11 @@ ${optionalString (versionAtLeast version "4.20") '' GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin ''} +${optionalString (versionAtLeast version "4.13") '' + GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin + GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y +''} + # Disable various dangerous settings ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory PROC_KCORE n # Exposes kernel text image layout