
Comments (9)

Bernhard40 avatar Bernhard40 commented on June 22, 2024

You need at least one virtual terminal device in order to make use of your keyboard and monitor. Therefore, only people configuring an embedded system would want to say N here in order to save some memory; the only way to log into such a system is then via a serial or network connection.

Is this comment from CONFIG_VT wrong then?

from kernel-hardening-checker.

danvet avatar danvet commented on June 22, 2024

This comment hasn't been updated in decades (I checked historical trees ...). Nowadays Xorg and wayland compositors should be able to run without a VT. And kmscon (although abandoned due to lack of interest) can provide you a userspace implementation of VTs if you don't want to run X11 or wayland, using pseudo TTYs (like a terminal emulator).

A paranoid desktop distro imo should really not have VT enabled, and ofc whatever compositor they opt for (wayland, X11, or something like kmscon) needs to be walled in with a container.

But the comment is also correct in that without a userspace compositor you indeed will only be able to log in through the network or serial lines.


danvet avatar danvet commented on June 22, 2024

Maybe an addition: If you want multi-user switching without CONFIG_VT then you need something like systemd's logind, so that the (forced) handover of input and output devices works correctly. But the VT subsystem's only role there is as an rpc between compositors, it has 0 functionality to actually force compositors to hand over devices to the next compositor (which is what logind does, using some of the new ioctl calls added specifically for this for both input and drm subsystems).

So if you want actual secure multi-user switching then you should be running with all that new stuff already anyway (and then CONFIG_VT really shouldn't be enabled, to prevent creating a mess).


a13xp0p0v avatar a13xp0p0v commented on June 22, 2024

Thanks @danvet !
Done: 75bed5d


danvet avatar danvet commented on June 22, 2024

Thanks, looks neat. Hopefully this pushes a few more people to make this happen finally.


dvyukov avatar dvyukov commented on June 22, 2024

@a13xp0p0v Are these enabled in any distros for which you have canned configs?

@danvet I just noticed on the current upstream HEAD:

$ rm .config
$ make defconfig
$ egrep "CONFIG_VT=|CONFIG_FB=" .config
CONFIG_VT=y
CONFIG_FB=y

So that may be the first step :)


a13xp0p0v avatar a13xp0p0v commented on June 22, 2024

@dvyukov, yes, these are enabled in many distributions:

AOSP_Pixel3A:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   OK

AmazonLinux2:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "m"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

ubuntu-bionic-generic:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

oracle-uek6:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

Archlinux-hardened:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

clearlinux-master:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

SLE15:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

openSUSE-15.1:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

pentoo-livecd:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

rhel-8.0:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   OK
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

nixpkgs-linux_hardened:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

debian-buster:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

Alpinelinux-edge:
  CONFIG_DRM_LEGACY    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_FB            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
  CONFIG_VT            | is not set  |maintainer| cut_attack_surface |   FAIL: "y"

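The defconfig check above (`egrep "CONFIG_VT=|CONFIG_FB=" .config`) and the per-distro report table are both instances of the same question: for a given `.config`, are CONFIG_VT, CONFIG_FB and CONFIG_DRM_LEGACY left unset? The script below is an added example, not code from kernel-hardening-checker or from any commenter; it parses the `.config` format (`CONFIG_X=y`, `CONFIG_X=m`, `# CONFIG_X is not set`) and prints a report in the same `OK` / `FAIL: "y"` shape as the table. It assumes that an option absent from the file counts as "is not set", which holds for bool/tristate options in a generated `.config`; the sample configs are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# The three attack-surface options discussed in the thread and the value
# the checker expects for each. "is not set" means the option must be
# absent or commented out ("# CONFIG_X is not set") in .config.
CUT_ATTACK_SURFACE: Dict[str, str] = {
    "CONFIG_DRM_LEGACY": "is not set",
    "CONFIG_FB": "is not set",
    "CONFIG_VT": "is not set",
}

# Kconfig .config line shapes: an assignment and the "is not set" comment.
SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^#\s*(CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text: str) -> Dict[str, str]:
    """Map option name -> value ("y", "m", a string/number, or "is not set")."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def check(opts: Dict[str, str],
          rules: Dict[str, str] = CUT_ATTACK_SURFACE) -> List[Tuple[str, str, str]]:
    """Return (option, expected, status) for each rule.

    Assumption: an option missing from .config entirely is treated as
    "is not set", which is how a generated .config expresses disabled
    bool/tristate options once the symbol is visible."""
    results = []
    for name, expected in rules.items():
        actual = opts.get(name, "is not set")
        status = "OK" if actual == expected else f'FAIL: "{actual}"'
        results.append((name, expected, status))
    return results


def render(label: str, results: List[Tuple[str, str, str]]) -> str:
    """Format results like the report lines quoted in the thread."""
    lines = [f"{label}:"]
    for name, expected, status in results:
        lines.append(f"  {name:<20} | {expected:<11} |maintainer| cut_attack_surface |   {status}")
    return "\n".join(lines)


# Constructed sample: what `make defconfig` output looks like for these keys.
SAMPLE_DEFCONFIG = """\
CONFIG_VT=y
CONFIG_FB=y
# CONFIG_DRM_LEGACY is not set
CONFIG_LOCALVERSION=""
"""

# Constructed sample: a module build of the fbdev core, VT still enabled.
SAMPLE_MODULAR = """\
CONFIG_VT=y
CONFIG_FB=m
"""

# Constructed sample: a hardened config with all three switched off.
SAMPLE_HARDENED = """\
# CONFIG_VT is not set
# CONFIG_FB is not set
# CONFIG_DRM_LEGACY is not set
"""

if __name__ == "__main__":
    for label, text in (("defconfig", SAMPLE_DEFCONFIG),
                        ("modular", SAMPLE_MODULAR),
                        ("hardened", SAMPLE_HARDENED)):
        print(render(label, check(parse_config(text))))
        print()
```

Running it on a real tree's `.config` only needs `check(parse_config(open(".config").read()))`; the three constructed samples reproduce the `FAIL: "y"`, `FAIL: "m"` and all-`OK` rows seen in the distro table.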

arndb avatar arndb commented on June 22, 2024

The hyperv framebuffer driver came up on the mailing list recently when I noticed a patch to add support for arm64 and suggested having it converted to DRM. Other hardware-independent drivers that don't seem to have a DRM counterpart at the moment are the UEFI framebuffer that is often used in the absence of a hardware specific driver and the goldfish driver for Android device emulation.

It might help to also look at each distro to see which device drivers are enabled for DRM_LEGACY and FBDEV, as there may be others that are important and need to be converted.


danvet avatar danvet commented on June 22, 2024

@dvyukov the trouble is you'll break pretty much any general purpose distro with this stuff disabled. Iirc most compositors keel over if they can't open a vt (but they should all have options to survive without one). Plus since neither kmscon nor system-consoled ever happened for real, there's no kernel console without these, so all the whitebeards will be screaming with their pitchforks. Really not something you can do in a defconfig unfortunately.

@arndb yeah there was simpledrm also back around kmscon to make this happen, but it didn't. For everything else we seem to have a small community of people now pushing out drm drivers for all these things, but more is always welcome. A drm driver in less than 1kloc is fairly standard nowadays, trouble only happens if you have a strange new constraint.

Wrt DRM_LEGACY and FBDEV drivers in general, I get the impression that distros which enable them just enable everything, because. E.g. debian still enables DRM_LEGACY, but they long ago stopped shipping the corresponding userspace drivers. So just plain nonsense in their defconfig (and a CVE when you load drm/nouveau.ko because backwards compat)

