<html devsite>
<head>
<title>Kernel Hardening</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p>
Android 8.0 added kernel hardening features to help mitigate kernel
vulnerabilities and find bugs in kernel drivers. The features are in <a
href="https://android.googlesource.com/kernel/common/">kernel/common</a> in
branches android-3.18, android-4.4, and android-4.9.
</p>
<h2 id="implementation">Implementation</h2>
<p>
To acquire these features, device manufacturers and SoC vendors should merge all
hardening patches from <code>kernel/common</code> into their kernel tree and
enable the following kernel configuration options:
</p>
<ul>
<li>Hardened usercopy: <code>CONFIG_HARDENED_USERCOPY=y</code></li>
<li>PAN emulation - arm64: <code>CONFIG_ARM64_SW_TTBR0_PAN=y</code></li>
<li>PAN emulation - arm: <code>CONFIG_CPU_SW_DOMAIN_PAN=y</code></li>
<li>KASLR - 4.4 and later kernels:
<code>CONFIG_RANDOMIZE_BASE=y</code></li>
</ul>
<p>
KASLR also requires bootloader support for passing hardware entropy to the
kernel, either through the device tree node <code>/chosen/kaslr-seed</code> or
by implementing <code>EFI_RNG_PROTOCOL</code>.
</p>
<p>
Also ensure that the existing hardening features are enabled:
</p>
<ul>
<li>Stack buffer overflow mitigation:
<code>CONFIG_CC_STACKPROTECTOR_STRONG=y</code></li>
<li>Internal memory protection: <code>CONFIG_DEBUG_RODATA=y</code> or
<code>CONFIG_STRICT_KERNEL_RWX=y</code></li>
<li>Restrict user-space access from kernel - x86 (enabled by default):
<code>CONFIG_X86_SMAP=y</code></li>
</ul>
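<p>
The following script audits a kernel configuration against the two option lists
above. It is an added example, not part of this page or of
<code>kernel/common</code>; the function names
(<code>check_hardening_config</code>, <code>check</code>, <code>check_any</code>)
and the argument convention (config file, architecture, kernel version) are
assumptions of the example. It accepts either a plain <code>.config</code> or
<code>/proc/config.gz</code>, applies the arm/arm64/x86 distinction and the
"4.4 and later" rule for KASLR, and treats the RODATA/RWX pair as alternatives.
</p>

```shell
#!/bin/sh
# Audit a kernel configuration for the hardening options listed on this page.
# Added example; it is not part of the AOSP documentation or kernel/common.
# Usage: ./check-hardening.sh <.config or /proc/config.gz> <arm|arm64|x86> [kernel-version]

# Report one option: OK if CONFIG_<name>=y is present, MISSING otherwise.
check() {
    cfg=$1; opt=$2
    if grep -q "^$opt=y\$" "$cfg"; then
        printf 'OK       %s\n' "$opt"
    else
        printf 'MISSING  %s\n' "$opt"
        FAILURES=$((FAILURES + 1))
    fi
}

# Report a pair of alternatives where either one satisfies the requirement
# (the page allows CONFIG_DEBUG_RODATA or CONFIG_STRICT_KERNEL_RWX).
check_any() {
    cfg=$1; a=$2; b=$3
    if grep -q "^$a=y\$" "$cfg" || grep -q "^$b=y\$" "$cfg"; then
        printf 'OK       %s or %s\n' "$a" "$b"
    else
        printf 'MISSING  %s or %s\n' "$a" "$b"
        FAILURES=$((FAILURES + 1))
    fi
}

# check_hardening_config <config> <arch> <kernel-version>
# Returns 0 when every option required for that arch/version is set, 1 otherwise.
check_hardening_config() {
    cfg=$1; arch=$2; ver=$3
    FAILURES=0; tmp=

    # /proc/config.gz is gzipped; unpack it to a temporary file first.
    case $cfg in
        *.gz) tmp=$(mktemp); zcat "$cfg" > "$tmp"; cfg=$tmp ;;
    esac

    check "$cfg" CONFIG_HARDENED_USERCOPY
    check "$cfg" CONFIG_CC_STACKPROTECTOR_STRONG
    check_any "$cfg" CONFIG_DEBUG_RODATA CONFIG_STRICT_KERNEL_RWX

    # Restricting kernel access to user space is architecture specific.
    case $arch in
        arm64) check "$cfg" CONFIG_ARM64_SW_TTBR0_PAN ;;
        arm)   check "$cfg" CONFIG_CPU_SW_DOMAIN_PAN ;;
        x86)   check "$cfg" CONFIG_X86_SMAP ;;
        *)     printf 'WARNING  unknown arch %s; PAN/SMAP not checked\n' "$arch"
               FAILURES=$((FAILURES + 1)) ;;
    esac

    # KASLR is required only for 4.4 and later; "4.9.12-foo" parses as 4.9.
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; }; then
        check "$cfg" CONFIG_RANDOMIZE_BASE
    else
        printf 'SKIP     CONFIG_RANDOMIZE_BASE (kernel %s predates 4.4)\n' "$ver"
    fi

    # LKDTM is the debug option used for the panic tests in the next section;
    # it is reported for information and not counted either way.
    if grep -q '^CONFIG_LKDTM=y$' "$cfg"; then
        printf 'INFO     CONFIG_LKDTM=y (debug option for the LKDTM panic tests)\n'
    fi

    [ -n "$tmp" ] && rm -f "$tmp"
    [ "$FAILURES" -eq 0 ]
}

# When invoked directly, audit the supplied config; the version defaults to
# that of the running kernel.
if [ "$#" -ge 2 ]; then
    check_hardening_config "$1" "$2" "${3:-$(uname -r)}"
fi
```

<p>
Run it on the device as <code>sh check-hardening.sh /proc/config.gz arm64</code>
(requires <code>CONFIG_IKCONFIG_PROC</code>) or on the build host against the
kernel tree's <code>.config</code> with an explicit version. The exit status is
zero only when nothing is missing, so the script can gate a build pipeline.
</p>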
<h2 id="testing">Testing</h2>
<p>
To test your implementation, add <code>CONFIG_LKDTM=y</code> to the kernel
configuration and confirm that each of the following commands leads to a kernel
panic:
</p>

<pre class="devsite-click-to-copy">
<code class="devsite-terminal" data-terminal-prefix="# ">echo ACCESS_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo WRITE_RO > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo WRITE_RO_AFTER_INIT > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo WRITE_KERN > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo EXEC_STACK > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo EXEC_RODATA > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo EXEC_KMALLOC > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo EXEC_VMALLOC > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo CORRUPT_STACK > /sys/kernel/debug/provoke-crash/DIRECT</code>
</pre>
<p>
<strong>For android-4.9:</strong>
</p>

<pre class="devsite-click-to-copy">
<code class="devsite-terminal" data-terminal-prefix="# ">echo USERCOPY_HEAP_SIZE_TO > /sys/kernel/debug/provoke-crash/DIRECT</code>
<code class="devsite-terminal" data-terminal-prefix="# ">echo USERCOPY_HEAP_SIZE_FROM > /sys/kernel/debug/provoke-crash/DIRECT</code>
</pre>

<h2 id="common-issues">Common issues</h2>
<p>
These changes are likely to expose bugs in kernel drivers, which need to be
fixed either by the device manufacturer or by the owner of the kernel driver.
</p>
<ul>
<li>Hardened usercopy exposes incorrect bounds checking when copying data
to or from user space. These should be fixed like any other memory corruption
bugs.</li>
<li>PAN emulation exposes direct user space access from the kernel, which is not
allowed. Drivers attempting to access user space memory need to be changed to
use the standard <code>copy_to_user()</code>/<code>copy_from_user()</code>
functions instead.</li>
</ul>
</body>
</html>