Introduction[edit]

LKRG is Freedom Software / Open Source. ^[1]

The focus of this wiki page is to provide simplified user documentation and easy installation of LKRG in Debian, Kicksecure, Qubes, Whonix, and perhaps Debian-based Linux distributions. Installable from from an APT repository.

This is a lightweight software fork ^[archive] and no changes will be made to the core of LKRG. Links to the official LKRG homepage ^[archive] and other original resources can be found here.

Download[edit]

FREE

LKRG Overview[edit]

This is only a very brief introduction, since LKRG technical details are not the focus of this page. Quote official LKRG homepage ^[archive]:

LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials such as user IDs of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant access (such as open a file) based on the unauthorized credentials.

LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG. While LKRG is bypassable by design, such bypasses tend to require more complicated and/or less reliable exploits.

To learn more about LKRG, interested readers can:

review the official LKRG homepage ^[archive]
watch the LKRG Presentation Video ^[archive] or LKRG Presentation Slides ^[archive]
read the LKRG Wiki ^[archive]
LKRG rootkit detection ^[archive]
consult other Upstream Resources
LKRG is also mentioned in Master's Thesis Effectiveness of Linux Rootkit Detection Tools ^[archive]

Performance Impact[edit]

Quote LKRG upstream:

No benchmarks have yet been performed, but it appears the performance penalty is around 2.5% for fully enabled LKRG.

Quote Phoronix.com ^[archive], Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard ^[archive] (page 5 ^[archive]), Michael Larabel ^[archive] (code added):

Out of 90 benchmarks run comparing the performance hit on this Intel Core i9 9900KS from LKRG, having LKRG enabled led to around a 5% hit based on the geometric mean of all tests carried out. Granted, some real-world workloads like code compilation speed were impacted much more dramatically while test cases not involving I/O or other kernel operations tended to see no measurable difference in run-time performance.

See the full article Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard ^[archive] for a detailed benchmark.

LKRG Free vs LKRG Pro[edit]

Whonix ™ developer Patrick Schleizer said ^[archive]:

Contacted upstream LKRG developers privately. To paraphrase: "We don’t oppose you packaging it. As long as LKRG exists, there will always be a free and libre version. There is no pro version yet. A hypothetical future pro version would not change that." In my words: "there won’t be a grsecurity alike situation where everything gets closed down".

Quote LKRG wiki ^[archive]:

We will likely use GPLv2 at least for LKRG free. We might or might not use a different license for LKRG Pro, if we ever make it.

Users who benefit from LKRG Free are encouraged to support its further development. However, at the time of writing they are not accepting donations: ^[2]

We used to accept donations for LKRG via Patreon, but we currently don't. Some of our former supporters are listed in the PATREON file in LKRG distribution tarballs.

Installation[edit]

Testers only!

Note: Users who require better security can Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code and verify software signatures before installation.

Host Operating System	Installation Instructions	Note
Debian hosts	Follow the instructions below to install from the Whonix ™ repository. ^[3]	Do not install LKRG on a Debian host if intending to run VirtualBox (such as Whonix ™) virtual machines (VMs) due to this known bug ^[archive]. LKRG can be installed inside VirtualBox guest VMs.
Non-Qubes-Whonix ™	Follow the installation instructions below.	In Whonix ™, skip the following "Add Whonix ™ repository" step since it is already enabled by default.
Qubes OS ^[archive] Debian based VMs	Follow these LKRG Qubes instructions.	See footnote. ^[4]
Qubes-Whonix ™	Follow these LKRG Qubes-Whonix ™ instructions.	See footnote. ^[4]
Other Linux distributions	LKRG is available for most Linux distributions.	Follow the installation instructions for non-Debian distributions on the official LKRG homepage ^[archive].

Add Whonix ™ repository.

A) Download the Signing Key.

wget https://www.whonix.org/patrick.asc

wget https://www.whonix.org/patrick.asc

B) Optional: Check the Signing Key for better security.

C) Add Whonix's signing key.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

D) Add Whonix's APT repository.

echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Install LKRG.

1. Update the package lists.

sudo apt-get update

sudo apt-get update

2. Install LKRG. ^[5]

sudo apt-get install lkrg linux-headers-amd64

sudo apt-get install lkrg linux-headers-amd64

The LKRG installation is complete. ^[6]

It is recommended to review optional hardening and other entries below, but this is not required.

Configuration[edit]

Note: All the possible configuration changes in this section are optional.

Legend: ^[7]

CI - Code Integrity
ED - Exploit Detection

Table: LKRG Configuration Options

Category	Instructions
Basics	All sysctl configuration options can be found here ^[archive].
Block Module Loading	Advanced users can block module functionality (`lkrg.block_modules`) with one of the following settings: `0` - do NOT lock the kernel and allow to load kernel module `1` - lock the kernel and do NOT allow to load kernel module See also: module loading.
Current Configuration	To view the current configuration, run. sudo sysctl -a \| grep lkrg sudo sysctl -a \| grep lkrg
Hardening - CI Panic - Crash Kernel when Code Integrity Violation	It is possible to further improve the security provided by LKRG, but this can potentially lead to decreased system stability. Users that are willing to make this trade-off can opt-in to the following setting. LKRG developers have not enabled the following sysctl option by default since it can result in kernel panics and system crashes, or occasional false positives (integrity violations and/or exploits are detected when they don't really exist). See the LKRG homepage ^[archive]. This might be the reason why LKRG developers did not yet enable kernel panic on CI failure by default. Kernel panic on code integrity `CI` failure (`lkrg.ci_panic`) - two options are available: `0` - do NOT crash the kernel on CI failure (default) `1` - crash the kernel (call `panic()`) on CI failure The following command enables kernel panic on CI failure non-persistently until reboot. sudo sysctl -w lkrg.force_run=1 sudo sysctl -w lkrg.force_run=1 The following procedure enables this feature persistently after reboot. Open file `/etc/sysctl.d/50_user.conf` in an editor with root rights. (Qubes-Whonix ™: In TemplateVM) This box uses `sudoedit` for better security ^[archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link. sudoedit /etc/sysctl.d/50_user.conf sudoedit /etc/sysctl.d/50_user.conf Paste. lkrg.ci_panic=1 lkrg.ci_panic=1 Save. The procedure of enabling CI panic is complete.
Hardening - UMH Lock	Better do not use for now. Breaks Whonix Firewall. ^[8]
Hide LKRG	Attempts to hide LKRG will not work because this feature is not yet functional; LKRG will still be detected. ^[9] ^[10] ^[11]

^[12]

Usage[edit]

Once LKRG has been installed, little effort is required since it will protect the kernel without the user's knowledge and/or interaction. However, it is sensible to check that LKRG is running correctly and to monitor system logs for any suspicious entries. Check this entry at a later date for any additional recommendations.

To check systemd journal log for kernel messages by LKRG, run.

sudo journalctl -b | grep lkrg

sudo journalctl -b | grep lkrg

To keep watching systemd journal log for new LKRG messages, run.

sudo journalctl -b -f | grep lkrg

sudo journalctl -b -f | grep lkrg

While performing the commands above, it may be useful to open another console tab and manually run a LKRG integrity check.

sudo sysctl -w lkrg.force_run=1

sudo sysctl -w lkrg.force_run=1

At this stage a graphical user interface (GUI) is not provided that can proactively inform users who fail to analyze the systemd journal log for relevant LKRG messages. A GUI or popup notification might be developed later on -- help is most welcome.

Debugging[edit]

linux-image[edit]

dpkg -l | grep linux-image

dpkg -l | grep linux-image

Should include:

ii  linux-image-4.19.0-6-amd64                    4.19.67-2+deb10u2               amd64        Linux 4.19 for 64-bit PCs (signed)
ii  linux-image-amd64

linux-headers[edit]

dpkg -l | grep linux-head

dpkg -l | grep linux-head

Should include:

ii  linux-headers-4.19.0-6-amd64                  4.19.67-2+deb10u2               amd64        Header files for Linux 4.19.0-6-amd64
ii  linux-headers-4.19.0-6-common                 4.19.67-2+deb10u2               all          Common header files for Linux 4.19.0-6
ii  linux-headers-amd64

modinfo[edit]

sudo modinfo p_lkrg

sudo modinfo p_lkrg

filename:       /lib/modules/4.19.0-6-amd64/updates/dkms/p_lkrg.ko
license:        GPL v2
description:    pi3's Linux kernel Runtime Guard
author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
depends:        usbcore
retpoline:      Y
name:           p_lkrg
vermagic:       4.19.0-6-amd64 SMP mod_unload modversions 
parm:           p_init_log_level:Logging level init value [1 (alive) is default] (uint)

dkms status[edit]

sudo dkms status

sudo dkms status

Should include:

lkrg, 0.7, 4.19.0-6-amd64, x86_64: installed

Additional Resources[edit]

Forum Discussion[edit]

Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection ^[archive]

Upstream Resources[edit]

Upstream Mailing List Discussions[edit]

LKRG compilation hardening flags, checksec, hardening-check ^[archive]
LKRG packagers / downstream wishlist ^[archive] (signed git commits, signed git tags, version numbers, logo)
module loading / systemd bug report / suggestion ^[archive]
LKRG kills VirtualBox host VMs ^[archive]
announcement of this LKRG Debian package on upstream LKRG mailing list ^[archive]
LKRG module parameters ^[archive]
Compiling LKRG static into the Kernel / Loading LKRG kernel module as early as possible or after other modules? ^[archive]

References[edit]

↑
- Original LKRG Source Code git Repository ^[archive]
- LKRG Debian Package Lightweight Fork ^[archive]
↑ https://openwall.info/wiki/p_lkrg/Main#Donation ^[archive]
↑ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944476 ^[archive]
↑ ^4.0 ^4.1 make Linux Kernel Runtime Guard (LKRG) easily available in Qubes ^[archive]
↑ Only Intel and amd64 are supported at present, see: https://www.openwall.com/lists/lkrg-users/2018/07/31/3 ^[archive]
↑ Note that LKRG versioning is based on upstream's git master branch intention to remain in the "prerelease" stage. Quote Adam Zabrocki https://www.openwall.com/lists/lkrg-users/2019/11/11/1 ^[archive] We're trying to keep master branch stable and let's say in "prerelease" stage :)
↑ https://www.openwall.com/lists/lkrg-users/2019/02/19/1 ^[archive]
↑
Full lock down of the kernel's usermodehelper interface (lkrg.umh_lock). This might break things if your distro uses UMH to invoke any programs. Two options are available:
- 0 - do NOT lock down the UMH interface fully, but allow to execute only LKRG's whitelisted programs (default)
- 1 - lock down the UMH interface fully
↑
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/linux/kernel.rb#L235 ^[archive]
```
cmd_exec('test -d /proc/sys/lkrg && echo true').to_s.strip.include? 'true'
```

↑

sudo sysctl -w lkrg.hide=1
lkrg.hide = 1

user@debian-buster-standalone:~$ ls -la /proc/sys/lkrg
total 0
dr-xr-xr-x 1 root root 0 Nov 15 03:05 .
dr-xr-xr-x 1 root root 0 Nov 15 03:04 ..
-rw------- 1 root root 0 Nov 15 03:48 block_modules
-rw------- 1 root root 0 Nov 15 03:48 ci_panic
-rw------- 1 root root 0 Nov 15 04:18 clean_message
-rw------- 1 root root 0 Nov 15 04:19 force_run
-rw------- 1 root root 0 Nov 15 04:21 hide
-rw------- 1 root root 0 Nov 15 03:48 log_level
-rw------- 1 root root 0 Nov 15 03:48 random_events
-rw------- 1 root root 0 Nov 15 04:02 smep_panic
-rw------- 1 root root 0 Nov 15 03:48 timestamp
-rw------- 1 root root 0 Nov 15 04:04 umh_lock

user@debian-buster-standalone:~$ lsmod | grep lkrg
usbcore               294912  1 p_lkrg

user@debian-buster-standalone:~$ sudo sysctl -w  lkrg.hide=0
lkrg.hide = 0

user@debian-buster-standalone:~$ lsmod | grep lkrg
p_lkrg                217088  -2
usbcore               294912  1 p_lkrg

↑
Hiding (lkrg.hide) - if built with this optional feature included, LKRG can (un)hide itself from the module list (but it can be detected regardless):
- 1 - hide LKRG (if it is not already hidden)
- 0 - unhide LKRG (if it is not already unhidden)
↑
Feature of lkrg-loader ^[archive]. Debian package specific. lkrg-loader not part of LKRG upstream. Only available in Whonix developers repository for now. Requires also pacakge lkrg-loader being installed. Might change.
```
sudo mkdir -p /etc/lkrg-loader_pre.d
```
sudo mkdir -p /etc/lkrg-loader_pre.d
```
sudoedit /etc/lkrg-loader_pre.d/50_user.conf
```
sudoedit /etc/lkrg-loader_pre.d/50_user.conf
```
lkrg_opt+=" log_level=4 "
```
lkrg_opt+=" log_level=4 "

Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier

Follow:

Donate:

Share: Twitter | Facebook

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee ^[archive] of the Open Invention Network ^[archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian ^[archive]. Debian is a registered trademark ^[archive] owned by Software in the Public Interest, Inc ^[archive].

Whonix ™ is produced independently from the Tor® ^[archive] anonymity software and carries no guarantee from The Tor Project ^[archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

[1] 
Original LKRG Source Code git Repository ^[archive]

LKRG Debian Package Lightweight Fork ^[archive]

[2] Original LKRG Source Code git Repository ^[archive]

[3] LKRG Debian Package Lightweight Fork ^[archive]

[2] ttps://openwall.info/wiki/p_lkrg/Main#Donation ^[archive]

[3] ttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944476 ^[archive]

[qubes-lkrg-4] 4.0 ^4.1 make Linux Kernel Runtime Guard (LKRG) easily available in Qubes ^[archive]

[5] Only Intel and amd64 are supported at present, see: https://www.openwall.com/lists/lkrg-users/2018/07/31/3 ^[archive]

[6] Note that LKRG versioning is based on upstream's git master branch intention to remain in the "prerelease" stage. Quote Adam Zabrocki https://www.openwall.com/lists/lkrg-users/2019/11/11/1 ^[archive] We're trying to keep master branch stable and let's say in "prerelease" stage :)

[7] ttps://www.openwall.com/lists/lkrg-users/2019/02/19/1 ^[archive]

[8] Full lock down of the kernel's usermodehelper interface (lkrg.umh_lock). This might break things if your distro uses UMH to invoke any programs. Two options are available:
0 - do NOT lock down the UMH interface fully, but allow to execute only LKRG's whitelisted programs (default)

1 - lock down the UMH interface fully

[11] 0 - do NOT lock down the UMH interface fully, but allow to execute only LKRG's whitelisted programs (default)

[12] 1 - lock down the UMH interface fully

[metasploit-code-9] ttps://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/linux/kernel.rb#L235 ^[archive]
cmd_exec('test -d /proc/sys/lkrg && echo true').to_s.strip.include? 'true'

[10] 
sudo sysctl -w lkrg.hide=1 lkrg.hide = 1 user@debian-buster-standalone:~$ ls -la /proc/sys/lkrg total 0 dr-xr-xr-x 1 root root 0 Nov 15 03:05 . dr-xr-xr-x 1 root root 0 Nov 15 03:04 .. -rw------- 1 root root 0 Nov 15 03:48 block_modules -rw------- 1 root root 0 Nov 15 03:48 ci_panic -rw------- 1 root root 0 Nov 15 04:18 clean_message -rw------- 1 root root 0 Nov 15 04:19 force_run -rw------- 1 root root 0 Nov 15 04:21 hide -rw------- 1 root root 0 Nov 15 03:48 log_level -rw------- 1 root root 0 Nov 15 03:48 random_events -rw------- 1 root root 0 Nov 15 04:02 smep_panic -rw------- 1 root root 0 Nov 15 03:48 timestamp -rw------- 1 root root 0 Nov 15 04:04 umh_lock user@debian-buster-standalone:~$ lsmod | grep lkrg usbcore 294912 1 p_lkrg user@debian-buster-standalone:~$ sudo sysctl -w lkrg.hide=0 lkrg.hide = 0 user@debian-buster-standalone:~$ lsmod | grep lkrg p_lkrg 217088 -2 usbcore 294912 1 p_lkrg

[11] Hiding (lkrg.hide) - if built with this optional feature included, LKRG can (un)hide itself from the module list (but it can be detected regardless):
1 - hide LKRG (if it is not already hidden)

0 - unhide LKRG (if it is not already unhidden)

[16] 1 - hide LKRG (if it is not already hidden)

[17] 0 - unhide LKRG (if it is not already unhidden)

[12] Feature of lkrg-loader ^[archive]. Debian package specific. lkrg-loader not part of LKRG upstream. Only available in Whonix developers repository for now. Requires also pacakge lkrg-loader being installed. Might change.

sudo mkdir -p /etc/lkrg-loader_pre.d

sudo mkdir -p /etc/lkrg-loader_pre.d

sudoedit /etc/lkrg-loader_pre.d/50_user.conf

sudoedit /etc/lkrg-loader_pre.d/50_user.conf

lkrg_opt+=" log_level=4 "

lkrg_opt+=" log_level=4 "

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure

From Whonix

(Redirected from LKRG)

Contents

Introduction[edit]

Download[edit]

LKRG Overview[edit]

Performance Impact[edit]

LKRG Free vs LKRG Pro[edit]

Installation[edit]

Configuration[edit]

Usage[edit]

Debugging[edit]

linux-image[edit]

linux-headers[edit]

modinfo[edit]

dkms status[edit]

Additional Resources[edit]

Forum Discussion[edit]

Upstream Resources[edit]

Upstream Mailing List Discussions[edit]

See Also[edit]

References[edit]