coelner/gedankensplitter
1
0
Fork 0
Code Pull Requests Releases Activity

working

Browse Source
This commit is contained in:
coelner 2022-06-09 21:51:54 +02:00
commit 4789723fb9
1 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
linux_hardening.md
View File

@ -1,3 +1,9 @@
---
keywords:
- IT
- filesystem integritiy
- authentic filesystem
---
# secureboot
Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.
@ -20,4 +26,31 @@ ressource:
http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
## lkrg - linux kernel runtime guard
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm
## data integrity aka bitrot
General kernel awareness:
https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst
the solution so far to omit endusers hardware limitations (like ECC RAM *grml*)
https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst
So it should be more or less equal to use integrity with or without encryption:
- RAID1 preferred
- heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative)
https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst
the used strcuture to get this done:
block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs
block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
- [ ] cryptsetup benchmark
- [ ] GPT formatted block devices to get recognized properly under windows
- [ ] complete header backup
- [ ] block device sector size
- [ ] blcok device support for SCT/ERC
#### related issues
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives