From d8450922c6b95c5a485e0506383c3f5c64de3c79 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sun, 16 May 2021 01:53:33 -0400
Subject: [PATCH] provide some details on kernel hardening

---
 static/features.html | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/static/features.html b/static/features.html
index 30e8165c..c75a9366 100644
--- a/static/features.html
+++ b/static/features.html
@@ -113,10 +113,40 @@
                     musl malloc implementation</a> which offers substantially better security than musl's
                     previous malloc while still having minimal memory usage and code size.</li>
                     <li>Hardened compiler toolchain</li>
-                    <li>Hardened kernel</li>
-                    <li>4-level page tables are enabled on arm64 to provide a substantially larger
-                    address space with significantly higher entropy Address Space Layout
-                    Randomization (ASLR)</li>
+                    <li>
+                        Hardened kernel
+                        <ul>
+                            <li>Support for dynamically loaded kernel modules is disabled and a
+                            the minimal set of modules for the device model are built into the
+                            kernel to substantially improve the granularity of Control Flow
+                            Integrity (CFI) and reduce attack surface.</li>
+                            <li>4-level page tables are enabled on arm64 to provide a much larger
+                            address space (48-bit instead of 39-bit) with significantly higher
+                            entropy Address Space Layout Randomization (33-bit instead of
+                            24-bit).</li>
+                            <li>Random canaries with a leading zero are added to the kernel heap
+                            (slub) to block C string overflows, absorb small overflows and detect
+                            linear overflows or other heap corruption when the canary value is
+                            checked (on free, copies to/from userspace, etc.).</li>
+                            <li>Memory is wiped (zeroed) as soon as it's released in both the
+                            low-level kernel page allocator and higher level kernel heap allocator
+                            (slub). This substantially reduces the lifetime of sensitive data in
+                            memory, mitigates use-after-free vulnerabilities and makes most
+                            uninitialized data usage vulnerabilities harmless. Without our
+                            changes, memory that's released retains data indefinitely until the
+                            memory is handed out for other uses and gets partially or fully
+                            overwritten by new data.</li>
+                            <li>Kernel stack allocations are zeroed to make most uninitialized
+                            data usage vulnerabilities harmless.</li>
+                            <li>Assorted attack surface reduction through disabling features or
+                            setting up infrastructure to dynamically enable/disable them only as
+                            needed (perf, ptrace).</li>
+                            <li>Assorted upstream hardening features are enabled, including many
+                            which we played a part in developing and landing upstream as part of
+                            our linux-hardened project (which we intend to revive as a more active
+                            project again).</li>
+                        </ul>
+                    </li>
                     <li>Prevention of dynamic native code execution in-memory or via the filesystem
                     for the base OS without going via the package manager, etc.</li>
                     <li>Filesystem access hardening</li>