Merge pull request #53802 from delroth/kernel-randstruct

Use a deterministic seed for kernel RANDSTRUCT, and re-enable in hardened kernels
2024-09-20 20:39:04 +02:00 · 2019-01-11 14:49:33 +00:00 · 2019-01-11 14:49:33 +00:00 · 11cd6aeb0c
parent c1a13108e2 b26c824da3
commit 11cd6aeb0c
3 changed files with 34 additions and 1 deletions
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@ -125,6 +125,11 @@ ${optionalString (versionAtLeast version "4.20") ''
  GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
 ''}

+${optionalString (versionAtLeast version "4.13") ''
+  GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
+''}
+
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@ -88,7 +88,10 @@ let

      inherit src;

-      patches = map (p: p.patch) kernelPatches;
+      patches =
+        map (p: p.patch) kernelPatches
+        # Required for deterministic builds along with some postPatch magic.
+        ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch;

      prePatch = ''
        for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
@ -99,6 +102,19 @@ let
        sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
      '';

+      postPatch = ''
+        # Set randstruct seed to a deterministic but diversified value. Note:
+        # we could have instead patched gen-random-seed.sh to take input from
+        # the buildFlags, but that would require also patching the kernel's
+        # toplevel Makefile to add a variable export. This would be likely to
+        # cause future patch conflicts.
+        if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
+          substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
+            --replace NIXOS_RANDSTRUCT_SEED \
+            $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+        fi
+      '';
+
      configurePhase = ''
        runHook preConfigure

--- a/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
+++ b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
@ -0,0 +1,12 @@
+diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
+--- a/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 11:50:29.228258920 +0100
+++ b/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 12:18:33.555902720 +0100
+@@ -2,7 +2,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ 
+ if [ ! -f "$1" ]; then
+-	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
+	SEED="NIXOS_RANDSTRUCT_SEED"
+ 	echo "const char *randstruct_seed = \"$SEED\";" > "$1"
+ 	HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
+ 	echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"