OpenWrt Forum Archive

Topic: Questions about OpenWRT CC Hardened

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've recently noticed the news about CC-rc1 being released and in the changelog there was a paragraph about some new security features. In particular it is claimed that there is a new package signing architecture, support for (chroot) jails and support for hardened builds. Normally I love hearing about new security features being implemented, but I've got some questions about them and the roadmap because the information is rather scarce.

News post: https://forum.openwrt.org/viewtopic.php?id=57453

* Improved Security Features
    - Rewritten package signing architecture based on ed25519
    - Added support for jails
    - Added support for hardened builds

So if I understand this correctly, OpenWRT will finally add support for package signing so that whenever an update is performed via opkg, we can be sure that the downloaded packages are in fact authentic? How are the hardened builds going to work? Will we have to build all packages ourselves with some added compiler options or will there be a repository for hardened packages? And what hardening features does this build bring - stack/heap canaries, ASLR, DEP/NX/XD, RBAC, etc - is there a list?

Thanks!

Nobody cares about added security? C'mon, people. The NSA are watching!

I am more concern about performance.
Right now OpenWRT is already not that fast, what will be the performance impact with security overhead checks?

I felt like bumping the topic since i share the same type of questions.
Has anyone made some builds and benchmarks ?

As far as I can tell hardened builds options are present in CC, if you want a hardened build just recompile OpenWrt for your appliances. I started maintaining hardened builds for some of my routers.

Also, I noticed in Trunk that hardening options got enabled by default now. I'd rather choose security over performance in some cases at least for capable devices.

I'd be interested in more info on how to actually build hardened Chaos Calmer builds, i.e. which options should be enabled in menuconfig and what caveats you have to be aware of when doing so? E.g. are there any know packages that are known not to work with hardened builds?

at least in   make menuconfig  under [Global build settings] enable these for CC:

  [ * ] Enable gcc format-security
  User space Stack-Smashing Protection ( Regular )
  Kernel space Stack-Smashing Protection ( Regular )
  Enable buffer-overflows detection (FORTIFY_SOURCE) ( Aggressive )
  Enable RELRO protection ( Full )

and in    make kernel_menuconfig  under [General setup] enable :

Stack Protector buffer overflow detection (Regular)

If you follow Trunk choose  Strong  instead of  Regular  for Kernel+User space Stack-Smashing Protection.

I noticed no slow downs, all my devices run reliably and all packages work just fine (Wifi USB support / NTFS-3G / Samba / TOR / DNSCrypt / ..)

Also, I optimize the Kernel for size which compensate for the slight increase of built images size.

Thanks medber.

I built and flashed my first hardened OpenWrt Chaos Calmer image yesterday. Seems to work fine so far. The only thing that wasn't straightforward was the required change to the kernel configuration, since that can't be done using the usual OpenWrt config or diffconfig files. I had to adjust my build script for that as I run my builds automated and non-interactively. Anyway, the logs look good. I didn't notice any slowdown or so (well, I wasn't expecting that anyway because my router is only under light load most of the time, so I'm not close to any bottleneck performance-wise).

@medber: thanks for these instructions.

Hi, I tried this but I'm getting this error message:

cp -fpR /home/florent/homeext/OpenWRT/CC/openwrt/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib/libssp.so.* /home/florent/homeext/OpenWRT/CC/openwrt/build_dir/target-mips_34kc_uClibc-0.9.33.2/toolchain/ipkg-ar71xx/libssp/lib/
cp: cannot stat '/home/florent/homeext/OpenWRT/CC/openwrt/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib/libssp.so.*': No such file or directory
make[3]: *** [/home/florent/homeext/OpenWRT/CC/openwrt/bin/ar71xx/packages/base/libssp_4.8-linaro-1_ar71xx.ipk] Error 1
make[3]: Leaving directory `/home/florent/homeext/OpenWRT/CC/openwrt/package/libs/toolchain'
make[2]: *** [package/libs/toolchain/compile] Error 2
make[2]: Leaving directory `/home/florent/homeext/OpenWRT/CC/openwrt'
make[1]: *** [/home/florent/homeext/OpenWRT/CC/openwrt/staging_dir/target-mips_34kc_uClibc-0.9.33.2/stamp/.package_compile] Error 2
make[1]: Leaving directory `/home/florent/homeext/OpenWRT/CC/openwrt'
make: *** [world] Erreur 2

I didn't customized any part of the Chaos Calmer toolchain configuration except the options you mentionned, I just selected a specific target for my router and minor pkgs things.

Is there something obvious I forgot?

(Last edited by el_goretto on 13 May 2016, 10:37)

The discussion might have continued from here.