|
| 1 | +--- |
| 2 | +title: Friday in the Void: OpenSSL and Kernel Hardening |
| 3 | +layout: post |
| 4 | +--- |
| 5 | + |
| 6 | +The previously announced [OpenSSL switch](https://voidlinux.org/news/2021/02/OpenSSL.html) |
| 7 | +is now underway. Because OpenSSL is a dependency of a large number of packages, |
| 8 | +the full rebuild process is expected to take several days. Syncing between the |
| 9 | +builders and public repositories has been suspended to ensure that the package |
| 10 | +tree remains consistent. Consequently, no new package updates will appear until |
| 11 | +the switch is complete. |
| 12 | + |
| 13 | +Once updates appear, we recommend that you perform a complete system update to |
| 14 | +simplify the transition. Partial updates are possible, but you will need to |
| 15 | +manually trace all OpenSSL dependants installed on your system and update them |
| 16 | +atomically. |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +Since 2016, the default bootloader configuration in Void Linux has set |
| 21 | +the Linux kernel command-line options `slub_debug=P` and `page_poison=1` to |
| 22 | +provide some level of kernel hardening. Kernel series 5.3 and later offer |
| 23 | +alternative measures `init_on_alloc` and `init_on_free` (see [this kernel |
| 24 | +commit](https://github.com/torvalds/linux/commit/6471384af)). |
| 25 | + |
| 26 | +Void's kernels come with the `init_on_alloc` option enabled by default where |
| 27 | +available (*i.e.*, `linux5.4>=5.4.102`, `linux5.10>=5.10.20` and |
| 28 | +`linux5.11>=5.11.3`). In most cases, you should not disable this option, as it |
| 29 | +has a fairly minimal impact on performance (within 1%). The `init_on_free` |
| 30 | +option is more expensive (around 5% on average) and needs to be enabled by hand |
| 31 | +by passing `init_on_free=1` on the kernel command line. Similarly, |
| 32 | +`init_on_alloc` can be disabled if needed by passing `init_on_alloc=0`. |
| 33 | + |
| 34 | +As a consequence of these changes, Void's default kernel command-line now omits |
| 35 | +the `slub_debug` and `page_poison` options. There is a chance that your |
| 36 | +existing system still has the old options enabled. They still work in newer |
| 37 | +kernels, but have a performance impact more in line with `init_on_free=1`. On |
| 38 | +older hardware this can be quite noticeable. If you are running a kernel series |
| 39 | +older than 5.4, you can keep them (or add them) for extra security at the cost |
| 40 | +of performance; otherwise, you should remove them. |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +As always, if you experience any issues, feel free to reach out to us! You can |
| 45 | +[open an issue](https://github.com/void-linux/void-packages/issues/new) on |
| 46 | +GitHub or seek help in the `#voidlinux` channel on <https://freenode.net>. |
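Review bot: lines 34-40 of the post tell readers to remove `slub_debug` and `page_poison` from their existing systems but never say where those options live or how to check whether they are still set; since the post states the defaults were set in the bootloader configuration back in 2016, a one-line pointer would help, for example "check your running command line (`/proc/cmdline`) and edit your bootloader configuration to drop `slub_debug=P` and `page_poison=1`", followed by regenerating the bootloader config. Minor style point on line 15: "dependants" should be "dependents".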