gedankensplitter/linux_hardening.md

---
keywords:
  - IT
  - filesystem integritiy
  - authentic filesystem
---
# secureboot

Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.

- systemctl reboot --firmware
 - bootctl
 - efibootmgr -v
 - mokutil --sb-state
 - mokutil --list-enrolled
 - mokutil --enable-validation

## ubuntu
ubuntu provides a update-secureboot-policy script to generate and enroll a secureboot mok, but this needs an already active secureboot with MS keys and this needs to be active through booting the installer
# cryptsetup luks
crypsetup luksDump /dev/sdaX
cryptsetup luksChangeKey /dev/sdaX
cryptsetup luksErase

ressource:
http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

##  lkrg - linux kernel runtime guard
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm

## data integrity aka bitrot
General kernel awareness:
https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst
the solution so far to omit endusers hardware limitations (like ECC RAM *grml*)
https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst
So it should be more or less equal to use integrity with or without encryption:
 - RAID1 preferred
 - heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative)
https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst
and maybe this gets into production
 - T13/ATA External Path Protection

the used strcuture to get this done:
block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs
block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs

- [ ] cryptsetup benchmark
- [ ] GPT formatted block devices to get recognized properly under windows
- [ ] complete header backup
- [ ] block device sector size 
- [ ] block device support for SCT/ERC `smartctl -l scterc /dev/sdX`
- [ ] Block device support for write-verify  `smartctl -R1 /dev/sdX`
- [ ] blcok device support ``hdparm --dco-identify /dev/sdX`

Western Digital Time Limited Error Recovery (TLER)
Seagate  Error Recovery Control (ERC)
Samsung/Hitachi Command Completion Time Limit (CCTL)


Odroid HC1 HDD
```
smartctl -a /dev/sda | grep SCT 
Model Family:     Seagate Samsung SpinPoint M9T                                                    
Device Model:     ST1500LM006 HN-M151RAD                                                           
Serial Number:    S34QJ9CG700688                                                                   
LU WWN Device Id: 5 0004cf 210088b47                                                                                                                                                                  
Firmware Version: 2BC10008                                                                         
User Capacity:    1.500.301.910.016 bytes [1,50 TB]                                                
Sector Sizes:     512 bytes logical, 4096 bytes physical                                           
Rotation Rate:    5400 rpm                                                                         
Form Factor:      2.5 inches                                                                       
Device is:        In smartctl database [for details use: -P show]                                                                                                                                     
ATA Version is:   ATA8-ACS T13/1699-D revision 6                                                   
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)                                
Local Time is:    Thu Jun  9 21:48:00 2022 CEST                                                    
SMART support is: Available - device has SMART capability.                                         
SMART support is: Enabled                                               
[..]
SCT capabilities:              (0x003f) SCT Status supported.
                                        SCT Error Recovery Control supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.
    
```
Lenovo S440 HDD
```
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Laptop SSHD
Device Model:     ST500LM000-SSHD-8GB
Serial Number:    W762L1TL
LU WWN Device Id: 5 000c50 07cb8f1cc
Firmware Version: LIV5
User Capacity:    500.107.862.016 bytes [500 GB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
Device is:        In smartctl database 7.3/5319
ATA Version is:   ATA8-ACS, ACS-3 T13/2161-D revision 3b
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Thu Jun  9 22:02:40 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

sudo smartctl -a /dev/sda | grep SCT
SCT capabilities: 	       (0x1081)	SCT Status supported.
```
```
Model Family:     Toshiba 2.5" HDD MQ01ABD...
Device Model:     TOSHIBA MQ01ABD100
Serial Number:    24RNSMGLS
LU WWN Device Id: 5 000039 55610b282
Firmware Version: AX001U
User Capacity:    1.000.204.886.016 bytes [1,00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
Device is:        In smartctl database 7.3/5319
ATA Version is:   ATA8-ACS (minor revision not indicated)
SATA Version is:  SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Fri Jun 10 19:12:49 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
```

```
=== START OF INFORMATION SECTION ===
Model Family:     Crucial/Micron Client SSDs
Device Model:     CT1000MX500SSD1
Serial Number:    2211E619654F
LU WWN Device Id: 5 00a075 1e619654f
Firmware Version: M3CR043
User Capacity:    1.000.204.886.016 bytes [1,00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    Solid State Device
Form Factor:      2.5 inches
TRIM Command:     Available
Device is:        In smartctl database 7.3/5319
ATA Version is:   ACS-3 T13/2161-D revision 5
SATA Version is:  SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Fri Jun 10 19:20:34 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown

```

RPI2
```
=== START OF INFORMATION SECTION ===                                                                                    
Model Family:     Western Digital Blue Mobile (SMR)                                                                     
Device Model:     WDC WD10SPZX-24Z10T0                                                                                  
Serial Number:    WD-WX41A485FYC1                                                                                       
LU WWN Device Id: 5 0014ee 6b3473413                                                                                    
Firmware Version: 01.01A01                                                                                              
User Capacity:    1,000,204,886,016 bytes [1.00 TB]                                                                     
Sector Sizes:     512 bytes logical, 4096 bytes physical                                                                
Rotation Rate:    5400 rpm                                                                                              
Form Factor:      2.5 inches                                                                                            
TRIM Command:     Available, deterministic                                                                              
Device is:        In smartctl database [for details use: -P show]                                                       
ATA Version is:   ACS-3 T13/2161-D revision 5                                                                           
SATA Version is:  SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)                                                                
Local Time is:    Tue Jun 14 21:25:10 2022 CEST             
SMART support is: Available - device has SMART capability.                                                              
SMART support is: Enabled                                   
AAM feature is:   Unavailable
APM level is:     254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled

smartctl -a /dev/sda | grep SCT
SCT capabilities:              (0x303d) SCT Status supported.
                                        SCT Error Recovery Control supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.

```
ERC settings: `smartctl -l scterc /dev/sda` or setting `smartctl -l scterc,150,150 /dev/sda`

#### related issues
- https://cateee.net/lkddb/web-lkddb/BLK_DEV_INTEGRITY.html
##### cryptsetup
 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration
 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
###### ATA background
 - https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives 
 - https://www.smartmontools.org/wiki/FAQ#WhatiserrorrecoverycontrolERCandwhyitisimportanttoenableitfortheSATAdisksinRAID
##### dm-integrity
 - https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html
 - https://man7.org/linux/man-pages/man8/integritysetup.8.html
md-integrity 2022-06-09 12:41:39 +00:00			`---`
			`keywords:`
			`- IT`
			`- filesystem integritiy`
			`- authentic filesystem`
			`---`
linux_hardening 2022-03-02 15:17:56 +00:00			`# secureboot`

			`Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.`

			`- systemctl reboot --firmware`
			`- bootctl`
			`- efibootmgr -v`
			`- mokutil --sb-state`
			`- mokutil --list-enrolled`
			`- mokutil --enable-validation`

			`## ubuntu`
unknown 2022-06-09 19:50:05 +00:00			`ubuntu provides a update-secureboot-policy script to generate and enroll a secureboot mok, but this needs an already active secureboot with MS keys and this needs to be active through booting the installer`
linux_hardening 2022-03-02 15:17:56 +00:00			`# cryptsetup luks`
			`crypsetup luksDump /dev/sdaX`
			`cryptsetup luksChangeKey /dev/sdaX`
			`cryptsetup luksErase`

			`ressource:`
unknown 2022-06-09 19:50:05 +00:00			`http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/`

			`## lkrg - linux kernel runtime guard`
working 2022-06-09 19:51:54 +00:00			`archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm`

md-integrity 2022-06-09 12:41:39 +00:00			`## data integrity aka bitrot`
			`General kernel awareness:`
			`https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst`
			`the solution so far to omit endusers hardware limitations (like ECC RAM grml)`
			`https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst`
			`So it should be more or less equal to use integrity with or without encryption:`
			`- RAID1 preferred`
			`- heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative)`
			`https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst`
minor 2022-07-27 11:58:20 +00:00			`and maybe this gets into production`
			`- T13/ATA External Path Protection`
md-integrity 2022-06-09 12:41:39 +00:00
			`the used strcuture to get this done:`
			`block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs`
			`block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs`

			`- [ ] cryptsetup benchmark`
			`- [ ] GPT formatted block devices to get recognized properly under windows`
			`- [ ] complete header backup`
			`- [ ] block device sector size`
minor 2022-07-27 11:58:20 +00:00			- [ ] block device support for SCT/ERC `smartctl -l scterc /dev/sdX`
			- [ ] Block device support for write-verify `smartctl -R1 /dev/sdX`
			- [ ] blcok device support ``hdparm --dco-identify /dev/sdX`
minor edit 2022-06-15 13:07:50 +00:00
minor 2022-07-27 11:58:20 +00:00			`Western Digital Time Limited Error Recovery (TLER)`
			`Seagate Error Recovery Control (ERC)`
			`Samsung/Hitachi Command Completion Time Limit (CCTL)`
minor edit 2022-06-15 13:07:50 +00:00

			`Odroid HC1 HDD`
sct result 2022-06-09 20:04:34 +00:00			```
			`smartctl -a /dev/sda \| grep SCT`
			`Model Family: Seagate Samsung SpinPoint M9T`
			`Device Model: ST1500LM006 HN-M151RAD`
			`Serial Number: S34QJ9CG700688`
			`LU WWN Device Id: 5 0004cf 210088b47`
			`Firmware Version: 2BC10008`
			`User Capacity: 1.500.301.910.016 bytes [1,50 TB]`
			`Sector Sizes: 512 bytes logical, 4096 bytes physical`
			`Rotation Rate: 5400 rpm`
			`Form Factor: 2.5 inches`
			`Device is: In smartctl database [for details use: -P show]`
			`ATA Version is: ATA8-ACS T13/1699-D revision 6`
			`SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)`
			`Local Time is: Thu Jun 9 21:48:00 2022 CEST`
			`SMART support is: Available - device has SMART capability.`
			`SMART support is: Enabled`
			`[..]`
			`SCT capabilities: (0x003f) SCT Status supported.`
			`SCT Error Recovery Control supported.`
			`SCT Feature Control supported.`
			`SCT Data Table supported.`

			```
minor edit 2022-06-15 13:07:50 +00:00			`Lenovo S440 HDD`
sct result 2022-06-09 20:04:34 +00:00			```
			`=== START OF INFORMATION SECTION ===`
			`Model Family: Seagate Laptop SSHD`
			`Device Model: ST500LM000-SSHD-8GB`
			`Serial Number: W762L1TL`
			`LU WWN Device Id: 5 000c50 07cb8f1cc`
			`Firmware Version: LIV5`
			`User Capacity: 500.107.862.016 bytes [500 GB]`
			`Sector Sizes: 512 bytes logical, 4096 bytes physical`
			`Rotation Rate: 5400 rpm`
			`Form Factor: 2.5 inches`
			`Device is: In smartctl database 7.3/5319`
			`ATA Version is: ATA8-ACS, ACS-3 T13/2161-D revision 3b`
			`SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)`
			`Local Time is: Thu Jun 9 22:02:40 2022 CEST`
			`SMART support is: Available - device has SMART capability.`
			`SMART support is: Enabled`

			`sudo smartctl -a /dev/sda \| grep SCT`
			`SCT capabilities: (0x1081) SCT Status supported.`
			```
minor 2022-06-19 13:25:59 +00:00			```
			`Model Family: Toshiba 2.5" HDD MQ01ABD...`
			`Device Model: TOSHIBA MQ01ABD100`
			`Serial Number: 24RNSMGLS`
			`LU WWN Device Id: 5 000039 55610b282`
			`Firmware Version: AX001U`
			`User Capacity: 1.000.204.886.016 bytes [1,00 TB]`
			`Sector Sizes: 512 bytes logical, 4096 bytes physical`
			`Rotation Rate: 5400 rpm`
			`Form Factor: 2.5 inches`
			`Device is: In smartctl database 7.3/5319`
			`ATA Version is: ATA8-ACS (minor revision not indicated)`
			`SATA Version is: SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)`
			`Local Time is: Fri Jun 10 19:12:49 2022 CEST`
			`SMART support is: Available - device has SMART capability.`
			`SMART support is: Enabled`
			`AAM feature is: Unavailable`
			`APM level is: 128 (minimum power consumption without standby)`
			`Rd look-ahead is: Enabled`
			`Write cache is: Enabled`
			`DSN feature is: Unavailable`
			`ATA Security is: Disabled, NOT FROZEN [SEC1]`
			`Wt Cache Reorder: Unknown`
			```
md-integrity 2022-06-09 12:41:39 +00:00
minor 2022-06-19 13:25:59 +00:00			```
			`=== START OF INFORMATION SECTION ===`
			`Model Family: Crucial/Micron Client SSDs`
			`Device Model: CT1000MX500SSD1`
			`Serial Number: 2211E619654F`
			`LU WWN Device Id: 5 00a075 1e619654f`
			`Firmware Version: M3CR043`
			`User Capacity: 1.000.204.886.016 bytes [1,00 TB]`
			`Sector Sizes: 512 bytes logical, 4096 bytes physical`
			`Rotation Rate: Solid State Device`
			`Form Factor: 2.5 inches`
			`TRIM Command: Available`
			`Device is: In smartctl database 7.3/5319`
			`ATA Version is: ACS-3 T13/2161-D revision 5`
			`SATA Version is: SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)`
			`Local Time is: Fri Jun 10 19:20:34 2022 CEST`
			`SMART support is: Available - device has SMART capability.`
			`SMART support is: Enabled`
			`AAM feature is: Unavailable`
			`APM level is: 254 (maximum performance)`
			`Rd look-ahead is: Enabled`
			`Write cache is: Enabled`
			`DSN feature is: Unavailable`
			`ATA Security is: Disabled, NOT FROZEN [SEC1]`
			`Wt Cache Reorder: Unknown`

			```

			`RPI2`
			```
			`=== START OF INFORMATION SECTION ===`
			`Model Family: Western Digital Blue Mobile (SMR)`
			`Device Model: WDC WD10SPZX-24Z10T0`
			`Serial Number: WD-WX41A485FYC1`
			`LU WWN Device Id: 5 0014ee 6b3473413`
			`Firmware Version: 01.01A01`
			`User Capacity: 1,000,204,886,016 bytes [1.00 TB]`
			`Sector Sizes: 512 bytes logical, 4096 bytes physical`
			`Rotation Rate: 5400 rpm`
			`Form Factor: 2.5 inches`
			`TRIM Command: Available, deterministic`
			`Device is: In smartctl database [for details use: -P show]`
			`ATA Version is: ACS-3 T13/2161-D revision 5`
			`SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)`
			`Local Time is: Tue Jun 14 21:25:10 2022 CEST`
			`SMART support is: Available - device has SMART capability.`
			`SMART support is: Enabled`
			`AAM feature is: Unavailable`
			`APM level is: 254 (maximum performance)`
			`Rd look-ahead is: Enabled`
			`Write cache is: Enabled`
			`DSN feature is: Unavailable`
			`ATA Security is: Disabled, NOT FROZEN [SEC1]`
			`Wt Cache Reorder: Enabled`

			`smartctl -a /dev/sda \| grep SCT`
			`SCT capabilities: (0x303d) SCT Status supported.`
			`SCT Error Recovery Control supported.`
			`SCT Feature Control supported.`
			`SCT Data Table supported.`

			```
radare2 2022-06-13 14:37:17 +00:00			ERC settings: `smartctl -l scterc /dev/sda` or setting `smartctl -l scterc,150,150 /dev/sda`

md-integrity 2022-06-09 12:41:39 +00:00			`#### related issues`
minor 2022-07-27 11:58:20 +00:00			`- https://cateee.net/lkddb/web-lkddb/BLK_DEV_INTEGRITY.html`
			`##### cryptsetup`
md-integrity 2022-06-09 12:41:39 +00:00			- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
			`- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation`
			`- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration`
			`- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"`
minor 2022-07-27 11:58:20 +00:00			`###### ATA background`
working 2022-06-09 19:51:54 +00:00			`- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives`
minor 2022-06-19 13:28:02 +00:00			`- https://www.smartmontools.org/wiki/FAQ#WhatiserrorrecoverycontrolERCandwhyitisimportanttoenableitfortheSATAdisksinRAID`
minor 2022-07-27 11:58:20 +00:00			`##### dm-integrity`
			`- https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html`
			`- https://man7.org/linux/man-pages/man8/integritysetup.8.html`