
hardening-check can detect whether kernel is protected or not



When I run hardening-check on some binary I get results similar to the following:

# hardening-check /usr/bin/firefox
/usr/bin/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

But when I do the hardening check on kernel, I get:

# /usr/src/linux-source-4.19/scripts/extract-vmlinux /boot/vmlinuz-4.19.13-amd64-morficzny  > /tmp/kernel-morficzny

#  file /tmp/kernel-morficzny
/tmp/kernel-morficzny: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=552fa51a31ac5536ef9c729c7755719f1e62f34d, stripped

# hardening-check /tmp/kernel-morficzny
/tmp/kernel-morficzny:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

I compiled this kernel myself, by editing the file /usr/src/linux-source-4.19/scripts/package/builddeb and adding the following to the rules file:

...
cat <<EOF > debian/rules
#!$(command -v $MAKE) -f
...
export DEB_BUILD_MAINT_OPTIONS = hardening=+all qa=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

CFLAGS   += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
CXXFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
CPPFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
LDFLAGS  += -Wl,-O2 -Wl,--as-needed -Wl,-z,defs -Wl,-shared
...

The extra flags at the end come from some HowTo -- they simply said the flags should be set.
When I checked what flags were set while building the kernel, I could see this:

# make -j2 bindeb-pkg
...
dpkg-buildflags --status
dpkg-buildflags: status: environment variable DEB_BUILD_MAINT_OPTIONS=hardening=+all qa=+all
dpkg-buildflags: status: environment variable DEB_BUILD_OPTIONS=parallel=2
dpkg-buildflags: status: environment variable DEB_HOST_ARCH=amd64
dpkg-buildflags: status: vendor is Debian
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=yes format=yes fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=yes canary=yes
dpkg-buildflags: status: reproducible features: fixdebugpath=yes fixfilepath=no timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
dpkg-buildflags: status: CFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: CPPFLAGS [vendor]: -D__DEB_CANARY_CPPFLAGS_8a057268a74a5f1201285aa667585e15__ -Wdate-time -D_FORTIFY_SOURCE=2
dpkg-buildflags: status: CXXFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: FCFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: FFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: GCJFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
dpkg-buildflags: status: LDFLAGS [vendor]: -Wl,-z,deb-canary-8a057268a74a5f1201285aa667585e15 -Wl,-z,relro -Wl,-z,now
dpkg-buildflags: status: OBJCFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
dpkg-buildflags: status: OBJCXXFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security

And when testing if for instance CFLAGS has the additional flags, I can see it has:

-g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_b5b0db7f3a77ca4fcf9eca57aa7181ca__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic

So is the kernel protected or not? If yes, why can't hardening-check detect it?
Also, how do I get a "not stripped" kernel instead of a "stripped" one?
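An added example for this thread (not part of hardening-check or the kernel build scripts): hardening-check's heuristics are written for user-space ELF objects, so on a statically linked, stripped vmlinux there is nothing for it to read, and the authoritative record of what the kernel was built with is the kernel .config. The script below maps each hardening-check line to the kernel option that provides the equivalent protection in a kernel image and prints a report in the same style. It assumes the option names CONFIG_RANDOMIZE_BASE, CONFIG_STACKPROTECTOR_STRONG (CONFIG_CC_STACKPROTECTOR_STRONG on older trees), CONFIG_FORTIFY_SOURCE, CONFIG_STRICT_KERNEL_RWX and CONFIG_DEBUG_INFO; the config fragment it checks by default is constructed for the example.

```shell
#!/bin/sh
# check_kernel_hardening.sh: report kernel hardening options from a .config.
# Example written for this thread; it is not part of hardening-check.

# Print "yes" if CONFIG_$2 is enabled (=y) in config file $1, "no" otherwise.
config_enabled() {
    if grep -qx "CONFIG_$2=y" "$1"; then
        echo yes
    else
        echo no
    fi
}

# Stack protector: 4.18+ uses CONFIG_STACKPROTECTOR_STRONG, older trees
# used CONFIG_CC_STACKPROTECTOR_STRONG, so accept either spelling.
stack_protected() {
    if [ "$(config_enabled "$1" STACKPROTECTOR_STRONG)" = yes ] ||
       [ "$(config_enabled "$1" CC_STACKPROTECTOR_STRONG)" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Print a hardening-check style report for config file $1.
report_kernel_hardening() {
    cfg="$1"
    echo "$cfg:"
    # KASLR is the kernel's counterpart of a PIE user-space binary
    echo " Position Independent Executable (KASLR): $(config_enabled "$cfg" RANDOMIZE_BASE)"
    echo " Stack protected: $(stack_protected "$cfg")"
    # The kernel has its own FORTIFY_SOURCE implementation, independent of libc
    echo " Fortify Source functions: $(config_enabled "$cfg" FORTIFY_SOURCE)"
    # Read-only text/rodata after boot is the closest counterpart of RELRO
    echo " Read-only relocations (STRICT_KERNEL_RWX): $(config_enabled "$cfg" STRICT_KERNEL_RWX)"
    # Debug info is what makes the build-tree vmlinux "not stripped"
    echo " Debug info (unstripped vmlinux): $(config_enabled "$cfg" DEBUG_INFO)"
}

# Number of the four protections that are missing from config file $1 (0 = all present).
missing_count() {
    cfg="$1"
    n=0
    for opt in RANDOMIZE_BASE FORTIFY_SOURCE STRICT_KERNEL_RWX; do
        [ "$(config_enabled "$cfg" "$opt")" = yes ] || n=$((n + 1))
    done
    [ "$(stack_protected "$cfg")" = yes ] || n=$((n + 1))
    echo "$n"
}

# Constructed sample .config fragment so the script runs without a real kernel tree.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sample-kernel.config"
cat > "$SAMPLE_CONFIG" <<'EOF'
# Constructed sample .config fragment for this example (not a real kernel config)
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEBUG_INFO is not set
EOF

# Use a config given on the command line (e.g. /boot/config-$(uname -r)), else the sample.
report_kernel_hardening "${1:-$SAMPLE_CONFIG}"
echo " Missing protections: $(missing_count "${1:-$SAMPLE_CONFIG}")"
```

On a Debian system point it at /boot/config-$(uname -r) (or zcat /proc/config.gz when CONFIG_IKCONFIG_PROC is set). Note that the build flags printed by dpkg-buildflags only reach the kernel if Kbuild picks them up, which it does not do from CFLAGS in debian/rules; the .config is what actually decides. On the stripping question: the compressed vmlinuz is built from a copy of vmlinux that has already had its symbols removed, so extract-vmlinux will always report "stripped"; the unstripped file is the vmlinux at the top of the build tree (with CONFIG_DEBUG_INFO it also carries DWARF).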

