lkrg-module: Add Linux Kernel Runtime Guard

For more info see: https://github.com/openwall/lkrg Add to local.conf: IMAGE_INSTALL_append = " kernel-module-lkrg" Need these kconfig options enabled: CONFIG_KALLSYMS_ALL=y CONFIG_JUMP_LABEL=y CONFIG_DEBUG_KERNEL=y To invoke module: sudo insmod {path-to-modules}/p_lkrg.ko kint_enforce=1 Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2021-04-14 01:36:34 +0000
committer: Armin Kuster <akuster808@gmail.com> 2021-04-14 13:49:47 +0000
commit: ca9264b1e1b5a8b84bf95f5a4eb93f2947b3b75c (patch)
tree: eb1085c5320e2b54b5d7d37728c41b0a2f5f4dd5 /recipes-kernel
parent: 879330ae3823ed005910d980027e1de7d95f466a (diff)
download: meta-security-ca9264b1e1b5a8b84bf95f5a4eb93f2947b3b75c.tar.gz
2 files changed, 106 insertions, 0 deletions
diff --git a/recipes-kernel/lkrg/files/makefile_cleanup.patch b/recipes-kernel/lkrg/files/makefile_cleanup.patch
new file mode 100644
index 0000000..106dc3f
--- /dev/null
+++ b/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Pending
+This needs more work. Its my starting point.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: lkrg-0.9.0/Makefile
+===================================================================
+--- lkrg-0.9.0.orig/Makefile
+++ lkrg-0.9.0/Makefile
+@@ -4,28 +4,10 @@
+ # Author:
+ #  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ ##
+-
+-P_OUTPUT = output
+ P_PWD ?= $(shell pwd)
+-P_KVER ?= $(shell uname -r)
+-P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+-TARGET := p_lkrg
+-ifneq ($(KERNELRELEASE),)
+-    KERNEL := /lib/modules/$(KERNELRELEASE)/build
+-else
+-    ## KERNELRELEASE not set.
+-    KERNEL := /lib/modules/$(P_KVER)/build
+-endif
+-
+-#
+-# Uncomment for debug compilation
+-#
+-# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
+-# ccflags-y := ${ccflags-m}
+-# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
+ 
+-obj-m += $(TARGET).o
+-$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
+obj-m := p_lkrg.o
+p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
+                   src/modules/hashing/p_lkrg_fast_hash.o \
+                   src/modules/comm_channel/p_comm_channel.o \
+                   src/modules/integrity_timer/p_integrity_timer.o \
+@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+                   src/p_lkrg_main.o
+ 
+ 
+-all:
+-#      $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
+-       $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
+-       mkdir -p $(P_OUTPUT)
+-       cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+-
+-install:
+-       $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
+-       depmod -a
+-       $(P_PWD)/$(P_BOOTUP_SCRIPT) install
+ 
+-uninstall:
+-       $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
+modules:
+       $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
+
+modules_install:
+       $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+ 
+ clean:
+-       $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
+-       $(RM) Module.markers modules.order
+-       $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+-       $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
+-       $(RM) -rf $(P_OUTPUT)
+       rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
+       rm -f Module.markers Module.symvers modules.order
+       rm -rf .tmp_versions Modules.symvers
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
new file mode 100644
index 0000000..dbc195d
--- /dev/null
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Linux Kernel Runtime Guard"
+DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
+kernel and detection of security vulnerability exploits against the kernel."
+SECTION = "security"
+HOMEPAGE = "https://www.openwall.com/lkrg/"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
+DEPENDS = "virtual/kernel elfutils"
+SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
+           file://makefile_cleanup.patch "
+SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
+S = "${WORKDIR}/lkrg-${PV}"
+inherit module kernel-module-split
+MAKE_TARGETS = "modules"
+MODULE_NAME = "p_lkrg"
+module_do_install() {
+    install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
+    install -m 0644 ${MODULE_NAME}.ko \
+    ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
+}
+RPROVIDES_${PN} += "kernel-module-lkrg"
+COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
author	Armin Kuster <akuster808@gmail.com>	2021-04-14 01:36:34 +0000
committer	Armin Kuster <akuster808@gmail.com>	2021-04-14 13:49:47 +0000
commit	ca9264b1e1b5a8b84bf95f5a4eb93f2947b3b75c (patch)
tree	eb1085c5320e2b54b5d7d37728c41b0a2f5f4dd5 /recipes-kernel
parent	879330ae3823ed005910d980027e1de7d95f466a (diff)
download	meta-security-ca9264b1e1b5a8b84bf95f5a4eb93f2947b3b75c.tar.gz

diff --git a/recipes-kernel/lkrg/files/makefile_cleanup.patch b/recipes-kernel/lkrg/files/makefile_cleanup.patch new file mode 100644 index 0000000..106dc3f --- /dev/null +++ b/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -0,0 +1,73 @@
	1	Upstream-Status: Pending
	2
	3	This needs more work. Its my starting point.
	4
	5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
	6
	7	Index: lkrg-0.9.0/Makefile
	8	===================================================================
	9	--- lkrg-0.9.0.orig/Makefile
	10	+++ lkrg-0.9.0/Makefile
	11	@@ -4,28 +4,10 @@
	12	# Author:
	13	# - Adam 'pi3' Zabrocki (http://pi3.com.pl)
	14	##
	15	-
	16	-P_OUTPUT = output
	17	P_PWD ?= $(shell pwd)
	18	-P_KVER ?= $(shell uname -r)
	19	-P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
	20	-TARGET := p_lkrg
	21	-ifneq ($(KERNELRELEASE),)
	22	- KERNEL := /lib/modules/$(KERNELRELEASE)/build
	23	-else
	24	- ## KERNELRELEASE not set.
	25	- KERNEL := /lib/modules/$(P_KVER)/build
	26	-endif
	27	-
	28	-#
	29	-# Uncomment for debug compilation
	30	-#
	31	-# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
	32	-# ccflags-y := ${ccflags-m}
	33	-# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
	34
	35	-obj-m += $(TARGET).o
	36	-$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
	37	+obj-m := p_lkrg.o
	38	+p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
	39	src/modules/hashing/p_lkrg_fast_hash.o \
	40	src/modules/comm_channel/p_comm_channel.o \
	41	src/modules/integrity_timer/p_integrity_timer.o \
	42	@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
	43	src/p_lkrg_main.o
	44
	45
	46	-all:
	47	-# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
	48	- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
	49	- mkdir -p $(P_OUTPUT)
	50	- cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
	51	-
	52	-install:
	53	- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
	54	- depmod -a
	55	- $(P_PWD)/$(P_BOOTUP_SCRIPT) install
	56
	57	-uninstall:
	58	- $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
	59	+modules:
	60	+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
	61	+
	62	+modules_install:
	63	+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
	64
	65	clean:
	66	- $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
	67	- $(RM) Module.markers modules.order
	68	- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
	69	- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
	70	- $(RM) -rf $(P_OUTPUT)
	71	+ rm -f .o ~ core .depend ..cmd .ko *.mod.c
	72	+ rm -f Module.markers Module.symvers modules.order
	73	+ rm -rf .tmp_versions Modules.symvers


diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb new file mode 100644 index 0000000..dbc195d --- /dev/null +++ b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
@@ -0,0 +1,33 @@
	1	SUMMARY = "Linux Kernel Runtime Guard"
	2	DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
	3	kernel and detection of security vulnerability exploits against the kernel."
	4	SECTION = "security"
	5	HOMEPAGE = "https://www.openwall.com/lkrg/"
	6	LICENSE = "GPLv2"
	7
	8	LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
	9
	10	DEPENDS = "virtual/kernel elfutils"
	11
	12	SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
	13	file://makefile_cleanup.patch "
	14
	15	SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
	16
	17	S = "${WORKDIR}/lkrg-${PV}"
	18
	19	inherit module kernel-module-split
	20
	21	MAKE_TARGETS = "modules"
	22
	23	MODULE_NAME = "p_lkrg"
	24
	25	module_do_install() {
	26	install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
	27	install -m 0644 ${MODULE_NAME}.ko \
	28	${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
	29	}
	30
	31	RPROVIDES_${PN} += "kernel-module-lkrg"
	32
	33	COMPATIBLE_HOST = "(i.86\|x86_64\|arm\|aarch64).*-linux"