Actions

Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure

From Whonix



LKRG logo

Introduction[edit]

LKRG is Freedom Software / Open Source. [1]

The focus of this wiki page is to provide simplified user documentation and easy installation of LKRG in Debian, Kicksecure, Qubes, Whonix, and perhaps Debian-based Linux distributions. Installable from an APT repository.

This is a lightweight software fork [archive] and no changes will be made to the core of LKRG. Links to the official LKRG homepage [archive] and other original resources can be found here.

Download[edit]

LKRG logo Debian.png Logo box.png Qubes-logo-blue.png Tux.png FREE Download LKRG

LKRG Overview[edit]

This is only a very brief introduction, since LKRG technical details are not the focus of this page. Quote official LKRG homepage [archive]:

LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials such as user IDs of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant access (such as open a file) based on the unauthorized credentials.

LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG. While LKRG is bypassable by design, such bypasses tend to require more complicated and/or less reliable exploits.

To learn more about LKRG, interested readers can:

Performance Impact[edit]

Quote LKRG upstream:

No benchmarks have yet been performed, but it appears the performance penalty is around 2.5% for fully enabled LKRG.

Quote Phoronix.com [archive], Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard [archive] (page 5 [archive]), Michael Larabel [archive] (code added):

Out of 90 benchmarks run comparing the performance hit on this Intel Core i9 9900KS from LKRG, having LKRG enabled led to around a 5% hit based on the geometric mean of all tests carried out. Granted, some real-world workloads like code compilation speed were impacted much more dramatically while test cases not involving I/O or other kernel operations tended to see no measurable difference in run-time performance.

See the full article Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard [archive] for a detailed benchmark.

LKRG Free vs LKRG Pro[edit]

Whonix ™ developer Patrick Schleizer said [archive]:

Contacted upstream LKRG developers privately. To paraphrase: "We don’t oppose you packaging it. As long as LKRG exists, there will always be a free and libre version. There is no pro version yet. A hypothetical future pro version would not change that." In my words: "there won’t be a grsecurity alike situation where everything gets closed down".

Quote LKRG wiki [archive]:

We will likely use GPLv2 at least for LKRG free. We might or might not use a different license for LKRG Pro, if we ever make it.

Users who benefit from LKRG Free are encouraged to support its further development. However, at the time of writing they are not accepting donations: [2]

We used to accept donations for LKRG via Patreon, but we currently don't. Some of our former supporters are listed in the PATREON file in LKRG distribution tarballs.

Installation[edit]

Testers only! Testers only!

Note: Users who require better security can Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code and verify software signatures before installation.

Logo Host Operating System Installation Instructions Note
Debian.png Debian hosts Follow the instructions below to install from the Whonix ™ repository. [3] If intending to run the VirtualBox Virtualbox logo.png host software (such as for running Whonix ™ Logo box.png virtual machines (VMs)) additional configuration is required. [4]
Logo box.png Non-Qubes-Whonix ™ Follow the installation instructions below. In Whonix ™, skip the following "Add Whonix ™ repository" step since it is already enabled by default.
Qubes-logo-blue.png Qubes OS [archive] Debian based VMs Follow these LKRG Qubes instructions. See footnote. [5]
Qubes-logo-blue.png Logo box.png Qubes-Whonix ™ Follow these LKRG Qubes-Whonix ™ instructions. See footnote. [5]
Kicksecure ™ Follow the installation instructions below. In Kicksecure ™, skip the following "Add Whonix ™ repository" since Kicksecure ™ APT repository is enabled by default and includes LKRG.
Tux.png Other Linux distributions LKRG is available for most Linux distributions. Follow the installation instructions for non-Debian distributions on the official LKRG homepage [archive].

Add Whonix ™ repository.

1. Download the Signing Key.

wget https://www.whonix.org/derivative.asc

2. Optional: Check the Signing Key for better security.

3. Add Whonix ™ signing key.

sudo cp derivative.asc /usr/share/keyrings/derivative.asc

4. Whonix ™ APT repository choices.

Optional: See Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements instead of the next step for more secure and complex options.

5. Add Whonix ™ APT repository.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Install LKRG.

1. Update the package lists.

sudo apt update

2. Install LKRG. [6] [7] [8]

sudo apt install lkrg-dkms linux-headers-amd64

The LKRG installation is complete. [9]

It is recommended to review optional hardening and other entries below, but this is not required.

Configuration[edit]

It might be possible to further improve the security provided by LKRG though LKRG configuration, but this can potentially lead to decreased system stability. Note: Unspecific to Whonix ™.

Ambox warning pn.svg.png Warning:

These configuration sysctl where up to date at time of writing but might be outdated in future LKRG releases. Please refer to upstream sysctl configuration documentation [archive] chapter Runtime configuration and upstream configuration file /etc/sysctl.d/30-lkrg-dkms.conf [archive].

General LKRG Configuration Tips[edit]

Note: All the possible configuration changes in this section are optional.

Table: General LKRG Configuration Tips

Category Instructions
View Current Runtime Configuration To view the current configuration, run.

sudo sysctl -a | grep lkrg

Refer to upstream readme [archive] chapter Runtime configuration.

Temporary Runtime Configuration Changes To temporarily change configuration settings until next reboot, run.

Note: Replace lkrg.pcfi_validate=1 with the actual sysctl setting you like to change as per upstream documentation.

sudo sysctl -w lkrg.pcfi_validate=1

Persistent Configuration Changes To enable any (LKRG) sysctl persistently after reboot.

Open file /etc/sysctl.d/50_user.conf in an editor with root rights.

This box uses sudoedit for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/sysctl.d/50_user.conf

Paste (LKRG) sysctl settings such as.

Note: Replace lkrg.pcfi_validate=1 with the actual sysctl setting you like to change as per upstream documentation.

lkrg.pcfi_validate=1

Save.

The procedure of persistently changing sysctl settings is complete.

VirtualBox host software compatibility

lkrg.pcfi_validate=1

Not required for VirtualBox guest VMs. [10]

Whonix specific LKRG Configuration Tips[edit]

Table: Whonix ™ specific LKRG Configuration Tips

Category Instructions
Block Module Loading Users which use lkrg.block_modules in Whonix ™ would also have to follow Whonix ™ instructions on module loading.
Hardening - UMH Validation and Enforcement Better do not use lkrg.umh_validate=2 for now. Might break Whonix ™ Firewall. Advanced users could refer to upstream documentation on lkrg.umh_validate and lkrg.umh_enforce.

Usage[edit]

Once LKRG has been installed, little effort is required since it will protect the kernel without the user's knowledge and/or interaction. However, it is sensible to check that LKRG is running correctly and to monitor system logs for any suspicious entries. Check this entry at a later date for any additional recommendations.

To check systemd journal log for kernel messages by LKRG, run.

sudo journalctl -b | grep lkrg

To keep watching systemd journal log for new LKRG messages, run.

sudo journalctl -b -f | grep lkrg

At this stage a graphical user interface (GUI) is not provided that can proactively inform users who fail to analyze the systemd journal log for relevant LKRG messages. A GUI or popup notification might be developed later on -- help is most welcome.

Recovery[edit]

Quote upstream readme:

To account for the hopefully unlikely but really unfortunate event that some incompatibility between the Linux kernel or other components of the system and LKRG isn't detected prior to LKRG installation yet leads to system crash on bootup, we've included support for the "nolkrg" kernel parameter in the systemd unit file for LKRG. Thus, if you've followed the above installation procedure for LKRG with systemd, you may disable LKRG by specifying "nolkrg" on the kernel command-line via your bootloader. The system should then boot up without LKRG, and thus without triggering the problem, letting you fix it.

Quote upstream contributor [archive]:

[...] I would use a different kernel cmd parameter: `systemd.unit=emergency.target` -- which drops me to the shell before even mounting (as read/write) the root file system, and I can disable whatever service I want. [...]

Debugging[edit]

linux-image[edit]

dpkg -l | grep linux-image

Should include:

ii  linux-image-4.19.0-6-amd64                    4.19.67-2+deb10u2               amd64        Linux 4.19 for 64-bit PCs (signed)
ii  linux-image-amd64

linux-headers[edit]

dpkg -l | grep linux-head

Should include:

ii  linux-headers-4.19.0-6-amd64                  4.19.67-2+deb10u2               amd64        Header files for Linux 4.19.0-6-amd64
ii  linux-headers-4.19.0-6-common                 4.19.67-2+deb10u2               all          Common header files for Linux 4.19.0-6
ii  linux-headers-amd64 

modinfo[edit]

sudo modinfo p_lkrg

filename:       /lib/modules/5.10.0-0.bpo.7-amd64/updates/dkms/p_lkrg.ko
license:        GPL v2
description:    pi3's Linux kernel Runtime Guard
author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
depends:        
retpoline:      Y
name:           p_lkrg
vermagic:       5.10.0-0.bpo.7-amd64 SMP mod_unload modversions 
parm:           log_level:log_level [3 (warn) is default] (uint)
parm:           heartbeat:heartbeat [0 (don't print) is default] (uint)
parm:           block_modules:block_modules [0 (don't block) is default] (uint)
parm:           interval:interval [15 seconds is default] (uint)
parm:           kint_validate:kint_validate [3 (periodically + random events) is default] (uint)
parm:           kint_enforce:kint_enforce [2 (panic) is default] (uint)
parm:           msr_validate:msr_validate [0 (disabled) is default] (uint)
parm:           pint_validate:pint_validate [1 (current) is default] (uint)
parm:           pint_enforce:pint_enforce [1 (kill task) is default] (uint)
parm:           umh_validate:umh_validate [1 (allow specific paths) is default] (uint)
parm:           umh_enforce:umh_enforce [1 (prevent execution) is default] (uint)
parm:           pcfi_validate:pcfi_validate [2 (fully enabled pCFI) is default] (uint)
parm:           pcfi_enforce:pcfi_enforce [1 (kill task) is default] (uint)
parm:           smep_validate:smep_validate [1 (enabled) is default] (uint)
parm:           smep_enforce:smep_enforce [2 (panic) is default] (uint)
parm:           smap_validate:smap_validate [1 (enabled) is default] (uint)
parm:           smap_enforce:smap_enforce [2 (panic) is default] (uint)

dkms status[edit]

sudo dkms status

Should include:

lkrg, 0.7, 4.19.0-6-amd64, x86_64: installed

Related Files[edit]

Additional Resources[edit]

Forum Discussion[edit]

Upstream Resources[edit]

Upstream Mailing List Discussions[edit]

See Also[edit]

References[edit]

  1. https://openwall.info/wiki/p_lkrg/Main#Donation [archive]
  2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944476 [archive]
  3. LKRG can be installed inside VirtualBox guest VMs without configuration changes required.
  4. 5.0 5.1 make Linux Kernel Runtime Guard (LKRG) easily available in Qubes [archive]
  5. Only Intel and amd64 are supported at present, see: https://www.openwall.com/lists/lkrg-users/2018/07/31/3 [archive]
  6. No need for package lkrg-systemd. See upstream discussion [archive].
  7. Package lkrg is just a meta package. The only thing it would do is adding Depends: lkrg-dkms and Recommends: lkrg-systemd. See also:
    apt-cache show lkrg

    apt-cache show lkrg-dkms

    apt-cache show lkrg-systemd

  8. Note that LKRG versioning is based on upstream's git master branch intention to remain in the "prerelease" stage. Quote Adam Zabrocki [archive]:

    We're trying to keep master branch stable and let's say in "prerelease" stage :)

  9. VirtualBox host software compatibility [archive]


Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Linux Kernel Runtime Guard LKRG&body=https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG&title=Linux Kernel Runtime Guard LKRG link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG&t=Linux Kernel Runtime Guard LKRG link=https://mastodon.technology/share?message=Linux Kernel Runtime Guard LKRG%20https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG&t=Linux Kernel Runtime Guard LKRG

Please contribute by helping to answer Whonix ™ questions.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.