Hello Linux Gurus,
I am seeking divine inspiration.
I don’t understand the apparent lack of hypervisor-based kernel protections in desktop Linux. It seems there is a significant opportunity for improvement beyond the basics of KASLR, stack canaries, and shadow stacks. However, I don’t see much work in this area on Linux desktop, and people who are much smarter than me develop for the kernel every day yet have not seen fit to produce some specific advanced protections at this time that I get into below. Where is the gap in my understanding? Is this task so difficult or costly that the open source community cannot afford it?
Windows PCs, recent Macs, iPhones, and a few Android vendors such as Samsung run their kernels atop a hypervisor. This design permits introspection and enforcement of security invariants from outside or underneath the kernel. Common mitigations include protection of critical data structures such as page table entries, function pointers, or SELinux decisions to raise the bar on injecting kernel code. Hypervisor-enforced kernel integrity appears to be a popular and at least somewhat effective mitigation although it doesn’t appear to be common on desktop Linux despite its popularity with other OSs.
Meanwhile, in the desktop Linux world, users are lucky if a distribution even implements secure boot and offers signed kernels. Popular software packages often require short-circuiting this mechanism so the user can build and install kernel modules, such as NVidia and VirtualBox drivers. SELinux is uncommon, ergo root access is more or less equivalent to the kernel privileges including introduction of arbitrary code into the kernel on most installations. TPM-based disk encryption is only officially supported experimentally by Ubuntu and is usually linked to secure boot, while users are largely on their own elsewhere. Taken together, this feels like a missed opportunity to implement additional defense-in-depth.
It’s easy to put code in the kernel. I can do it in a couple of minutes for a “hello world” module. It’s really cool that I can do this, but is it a good idea? Shouldn’t somebody try and stop me?
Please insert your unsigned modules into my brain-kernel. What have I failed to understand, or why is this the design of the kernel today? Is it an intentional omission? Is it somehow contrary to the desktop Linux ethos?
This is a question I myself have wondered for a long while now. Before the Arch warriors come in to shout about how Secure Boot is evil and also useless and how everything Windows, Mac, and so on does for security is only needed because they’re insecure and not free and spyware and other angry words, I agree with your assessment.
The problem is that while Linux is well tested in Server environments, it is still an insignificant factor on the desktop. Servers are very well locked down in a lot of cases, so if something makes its way into the system itself, many security mitigations on the way have already failed.
Desktops are different because the user is a lot more likely to install/run/browse to stuff that is dangerous.
Right now, the only saving grace for Linux is that malware targets Windows and Android primarily, the most commonly used operating systems. What’s the point of targeting less than 4 percent of the world when you can target 90 percent of the world?
This will change if “The year of Linux desktop” actually happens and people start mass using Linux desktops. You can bet on more Linux malware happening.
One consideration is that on a Linux server, the data of interest to attackers is more likely to be accessible by some low-privileged daemon like a SQL server. Compromising the kernel in such a fundamental way doesn’t provide anything of value on its own, so defenses perhaps are not as mature along this plane. It’s enough to get to the database. You might go for the kernel to move laterally, but the kernel itself isn’t the gold and jewels.
Server environments are much more tightly controlled as you mentioned. I feel like there are more degrees of trust (or distrust) on a user system than on a server (configured top-to-bottom by an expert) for that reason and the differences in use case, and Linux desktop doesn’t really express this idea as well as maybe it should. It places a lot of trust on the user to say the least, and that’s not ideal for security.
I think secure boot is a great idea. There must be a way to have layered security without abusing it to lock out users from their owned machines.
You have absolutely zero clue what in the world you are talking about 😂😂😂😂
You’re commenting as if there is a difference between a “desktop” and “server” install, when in practicality there is none. It’s not Windows with different tiered builds by price. 😭
Incorrect. The difference is not that there’s a server edition or desktop edition (which for many linux distros, there very much are server and desktop editions, even if the only difference is which packages are installed by default), but that when you properly setup a server with internet-exposed services, you usually are smart enough, have gone to school for this, learned from experience, or all of the above, how to secure a linux system for server use, and should have a configuration setup that would be inconvenient at best for a desktop, but is more secure for the purpose of a server. In addition, when running a server, you stick to what you need, you don’t arbitrarily download stuff onto a server, as that could break your live service(s) if something goes wrong.
The average desktop user does not have any of that experience or knowledge to lock down their system like ft knox, nor do they have the willpower to resist clicking on / downloading and running what they shouldn’t, so if most of everyone stopped using Windows and jumped to Linux, you would see a lot more serious issues than the occasional halfass attempt at linux malware.
OP is talking about hypervisor security, and now you’re off on a tangent about package and configuration management to try and prove a faulty point…what in the world.
If hypervisor security is an addon I can add via a suite of packages, okay. But, I don’t see that. Besides, OP is asking about why it isn’t part of the system natively. What’s the fault in the point?