Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure
(Redirected from Lkrg)
- 1 Introduction
- 2 Download
- 3 LKRG Overview
- 4 Installation
- 5 Configuration
- 6 Whonix specific LKRG Configuration Tips
- 7 Usage
- 8 Recovery
- 9 Debugging
- 10 Additional Resources
- 11 References
LKRG is Freedom Software / Open Source. 
The focus of this wiki page is to provide simplified user documentation and easy installation of LKRG in Debian, Kicksecure, Qubes, Whonix, and perhaps Debian-based Linux distributions. Installable from an APT repository.
LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.
As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials such as user IDs of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant access (such as open a file) based on the unauthorized credentials.
LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG. While LKRG is bypassable by design, such bypasses tend to require more complicated and/or less reliable exploits.
To learn more about LKRG, interested readers can:
- review the official LKRG homepage [archive]
- watch the LKRG Presentation Video [archive] or LKRG Presentation Slides [archive]
- read the LKRG Wiki [archive]
- LKRG rootkit detection [archive]
- consult other Upstream Resources
- LKRG is also mentioned in Master's Thesis Effectiveness of Linux Rootkit Detection Tools [archive]
Quote LKRG upstream:
No benchmarks have yet been performed, but it appears the performance penalty is around
2.5%for fully enabled LKRG.
Out of 90 benchmarks run comparing the performance hit on this Intel Core i9 9900KS from LKRG, having LKRG enabled led to around a
5%hit based on the geometric mean of all tests carried out. Granted, some real-world workloads like code compilation speed were impacted much more dramatically while test cases not involving I/O or other kernel operations tended to see no measurable difference in run-time performance.
See the full article Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard [archive] for a detailed benchmark.
LKRG Free vs LKRG Pro
Contacted upstream LKRG developers privately. To paraphrase: "We don’t oppose you packaging it. As long as LKRG exists, there will always be a free and libre version. There is no pro version yet. A hypothetical future pro version would not change that." In my words: "there won’t be a grsecurity alike situation where everything gets closed down".
We will likely use GPLv2 at least for LKRG free. We might or might not use a different license for LKRG Pro, if we ever make it.
Users who benefit from LKRG Free are encouraged to support its further development. However, at the time of writing they are not accepting donations: 
We used to accept donations for LKRG via Patreon, but we currently don't. Some of our former supporters are listed in the PATREON file in LKRG distribution tarballs.
Note: Users who require better security can Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code and verify software signatures before installation.
|Logo||Host Operating System||Installation Instructions||Note|
|Debian hosts||Follow the instructions below to install from the Whonix ™ repository. ||Do not install LKRG on a Debian host if intending to run VirtualBox (such as Whonix ™) virtual machines (VMs) due to this known bug [archive]. LKRG can be installed inside VirtualBox guest VMs.|
|Non-Qubes-Whonix ™||Follow the installation instructions below.||In Whonix ™, skip the following "Add Whonix ™ repository" step since it is already enabled by default.|
|Qubes OS [archive] Debian based VMs||Follow these LKRG Qubes instructions.||See footnote. |
|Qubes-Whonix ™||Follow these LKRG Qubes-Whonix ™ instructions.||See footnote. |
|Other Linux distributions||LKRG is available for most Linux distributions.||Follow the installation instructions for non-Debian distributions on the official LKRG homepage [archive].|
Add Whonix ™ repository.
The LKRG installation is complete. 
It is recommended to review optional hardening and other entries below, but this is not required.
It might be possible to further improve the security provided by LKRG though LKRG configuration, but this can potentially lead to decreased system stability. Please refer to upstream sysctl configuration documentation [archive] chapter
Whonix specific LKRG Configuration Tips
Note: All the possible configuration changes in this section are optional.
Table: Whonix specific LKRG Configuration Tips
|Block Module Loading||Users which use |
|View Current Runtime Configuration||To view the current configuration, run.
sudo sysctl -a | grep lkrg
|Temporary Runtime Configuration Changes||To temporarily change configuration settings until next reboot, run.
sudo sysctl -w lkrg.profile_enforce=3
|Persistent Configuration Changes||To enable any (LKRG) sysctl persistently after reboot.
(Qubes-Whonix ™: In TemplateVM)
Paste (LKRG) sysctl settings such as.
The procedure of persistently changing sysctl settings is complete.
|Hardening - UMH Validation and Enforcement||Better do not use |
Once LKRG has been installed, little effort is required since it will protect the kernel without the user's knowledge and/or interaction. However, it is sensible to check that LKRG is running correctly and to monitor system logs for any suspicious entries. Check this entry at a later date for any additional recommendations.
To check systemd journal log for kernel messages by LKRG, run.
sudo journalctl -b | grep lkrg
To keep watching systemd journal log for new LKRG messages, run.
sudo journalctl -b -f | grep lkrg
At this stage a graphical user interface (GUI) is not provided that can proactively inform users who fail to analyze the systemd journal log for relevant LKRG messages. A GUI or popup notification might be developed later on -- help is most welcome.
Quote upstream readme.
To account for the hopefully unlikely but really unfortunate event that some incompatibility between the Linux kernel or other components of the system and LKRG isn't detected prior to LKRG installation yet leads to system crash on bootup, we've included support for the "
nolkrg" kernel parameter in the systemd unit file for LKRG. Thus, if you've followed the above installation procedure for LKRG with systemd, you may disable LKRG by specifying "
nolkrg" on the kernel command-line via your bootloader. The system should then boot up without LKRG, and thus without triggering the problem, letting you fix it.
dpkg -l | grep linux-image
ii linux-image-4.19.0-6-amd64 4.19.67-2+deb10u2 amd64 Linux 4.19 for 64-bit PCs (signed) ii linux-image-amd64
dpkg -l | grep linux-head
ii linux-headers-4.19.0-6-amd64 4.19.67-2+deb10u2 amd64 Header files for Linux 4.19.0-6-amd64 ii linux-headers-4.19.0-6-common 4.19.67-2+deb10u2 all Common header files for Linux 4.19.0-6 ii linux-headers-amd64
sudo modinfo p_lkrg
filename: /lib/modules/4.19.0-6-amd64/updates/dkms/p_lkrg.ko license: GPL v2 description: pi3's Linux kernel Runtime Guard author: Adam 'pi3' Zabrocki (http://pi3.com.pl) depends: usbcore retpoline: Y name: p_lkrg vermagic: 4.19.0-6-amd64 SMP mod_unload modversions parm: p_init_log_level:Logging level init value [1 (alive) is default] (uint)
sudo dkms status
lkrg, 0.7, 4.19.0-6-amd64, x86_64: installed
- Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection [archive]
- LKRG Website [archive]
- LKRG Source Code git Repository [archive]
- LKRG Presentation Video [archive]
- Old LKRG Presentation Slides CONFidence 2018 [archive]
- Updated LKRG Presentation Slides OSTconf 2020 [archive]
- LKRG Threat Model [archive]
- LKRG Mailing List [archive]
- LKRG Wiki [archive]
- https://www.openwall.com/lists/lkrg-users/2020/02/28/1 [archive]
Upstream Mailing List Discussions
- LKRG compilation hardening flags, checksec, hardening-check [archive]
- LKRG packagers / downstream wishlist [archive] (signed git commits, signed git tags, version numbers, logo)
- module loading / systemd bug report / suggestion [archive]
- LKRG kills VirtualBox host VMs [archive]
- announcement of this LKRG Debian package on upstream LKRG mailing list [archive]
- LKRG module parameters [archive]
- Compiling LKRG static into the Kernel / Loading LKRG kernel module as early as possible or after other modules? [archive]
- security-misc [archive]: Inspired by the Kernel Self Protection Project (KSPP [archive]). This package implements most if not all recommended Linux kernel settings (sysctl) and kernel parameters set by the KSPP.
- Hardened Malloc [archive]: A hardened memory allocator which can be used with many applications to increase security.
- grub-live [archive]: Boot your existing, installed Debian Host into Live Mode.
- Hardened VM Kernel [archive] (in development): A hardened kernel configuration optimized for virtual machines, see: development discussion [archive].
- System Hardening Checklist
- SecBrowser ™: A Security-hardened, Non-anonymous Browser
- https://openwall.info/wiki/p_lkrg/Main#Donation [archive]
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944476 [archive]
- make Linux Kernel Runtime Guard (LKRG) easily available in Qubes [archive]
- Only Intel and amd64 are supported at present, see: https://www.openwall.com/lists/lkrg-users/2018/07/31/3 [archive]
- Note that LKRG versioning is based on upstream's git master branch intention to remain in the "prerelease" stage. Quote Adam Zabrocki https://www.openwall.com/lists/lkrg-users/2019/11/11/1 [archive] We're trying to keep master branch stable and let's say in "prerelease" stage :)
Feature of lkrg-loader [archive]. Debian package specific. lkrg-loader not part of LKRG upstream. Only available in Whonix developers repository for now. Requires also pacakge
lkrg-loaderbeing installed. Might change.
sudo mkdir -p /etc/lkrg-loader_pre.d
lkrg_opt+=" log_level=4 "
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)