Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

Deprecation in Kicksecure[edit]

Reasons:

• Maintenance effort: upstream not signing releases, which requires verification of a signed tarballs, which increases maintenance workload
• Not stable enough: Through testing and integration development in Kicksecure it has been determined that it will never be stable enough to be suitable for installation by default for all users.
• Security issues? No. Users can keep using LKRG until the next major release (Kicksecure version 18) but it will be unsupported.
• Future: Is there any chance this package will get unarchived, maintained again in Kicksecure? Yes. ETA (estimated time of arrival): None. No need to ask about it. Should that change, this wiki page will be updated and this wiki chapter deleted. When this might happen? At a later stage of Kicksecure development (when more essential issues such as ISO availability have been sorted out and when more development resources, contributors are available.
• Forum discussion: https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/67

Introduction[edit]

LKRG is Freedom Software / Open Source. ^[1]

The focus of this wiki page is to provide simplified user documentation and easy installation of LKRG in Debian, Kicksecure, Qubes, Whonix, and perhaps Debian-based Linux distributions. Installable from an APT repository.

This is a lightweight software fork and no changes will be made to the core of LKRG. Links to the official LKRG homepage and other original resources can be found here.

Download[edit]

FREE

LKRG Overview[edit]

This is only a very brief introduction, since LKRG technical details are not the focus of this page. Quote official LKRG homepage:

LKRG performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials such as user IDs of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant access (such as open a file) based on the unauthorized credentials.

LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG. While LKRG is bypassable by design, such bypasses tend to require more complicated and/or less reliable exploits.

To learn more about LKRG, interested readers can:

• review the official LKRG homepage
• watch the LKRG Presentation Video or LKRG Presentation Slides
• read the LKRG Wiki
• LKRG rootkit detection
• consult other Upstream Resources
• LKRG is also mentioned in Master's Thesis Effectiveness of Linux Rootkit Detection Tools

Performance Impact[edit]

Quote LKRG upstream:

No benchmarks have yet been performed, but it appears the performance penalty is around 2.5% for fully enabled LKRG.

Quote Phoronix.com, Benchmarking The Performance Overhead To The Linux Kernel Runtime Guard (page 5), Michael Larabel (code added):

Out of 90 benchmarks run comparing the performance hit on this Intel Core i9 9900KS from LKRG, having LKRG enabled led to around a 5% hit based on the geometric mean of all tests carried out. Granted, some real-world workloads like code compilation speed were impacted much more dramatically while test cases not involving I/O or other kernel operations tended to see no measurable difference in run-time performance.

LKRG Free vs LKRG Pro[edit]

Kicksecure developer Patrick Schleizer said:

Contacted upstream LKRG developers privately. To paraphrase: "We don’t oppose you packaging it. As long as LKRG exists, there will always be a free and libre version. There is no pro version yet. A hypothetical future pro version would not change that." In my words: "there won’t be a grsecurity alike situation where everything gets closed down".

Quote LKRG wiki:

We will likely use GPLv2 at least for LKRG free. We might or might not use a different license for LKRG Pro, if we ever make it.

Users who benefit from LKRG Free are encouraged to support its further development. However, at the time of writing they are not accepting donations: ^[2]

We used to accept donations for LKRG via Patreon, but we currently don't. Some of our former supporters are listed in the PATREON file in LKRG distribution tarballs.

Installation[edit]

Note: Users who require better security can Build the Linux Kernel Runtime Guard (LKRG) Debian Package from Source Code and verify software signatures before installation.

Logo	Host Operating System	Installation Instructions	Note
	Debian hosts	Follow the instructions below to install from the Kicksecure repository. [3]	If intending to run the VirtualBox host software (such as for running Kicksecure virtual machine (VM)) additional configuration is required. [4]
	Kicksecure	Follow the installation instructions below.	In Kicksecure, skip the following "Add Kicksecure repository" step since it is already enabled by default.
	Qubes OS Debian based VMs	Follow these LKRG Qubes instructions.	See footnote. [5]
	Kicksecure for Qubes	Follow these LKRG Kicksecure-Qubes instructions.	See footnote. [5]
	Other Linux distributions	LKRG is available for most Linux distributions.	Follow the installation instructions for non-Debian distributions on the official LKRG homepage.

Add Kicksecure repository.

Install LKRG.

The LKRG installation is complete. ^[9]

It is recommended to review optional hardening and other entries below, but this is not required.

Configuration[edit]

It might be possible to further improve the security provided by LKRG though LKRG configuration, but this can potentially lead to decreased system stability. Note: Unspecific to Kicksecure.

General LKRG Configuration Tips[edit]

Note: All the possible configuration changes in this section are optional.

Table: General LKRG Configuration Tips

Category	Instructions
View Current Runtime Configuration	To view the current configuration, run. sudo sysctl -a | grep lkrg Refer to upstream readme chapter Runtime configuration.
Temporary Runtime Configuration Changes	To temporarily change configuration settings until next reboot, run. Note: Replace lkrg.pcfi_validate=1 with the actual sysctl setting you like to change as per upstream documentation. sudo sysctl -w lkrg.pcfi_validate=1
Persistent Configuration Changes	To enable any (LKRG) sysctl persistently after reboot. Open file /etc/sysctl.d/50_user.conf in an editor with root rights. Kicksecure See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it. sudoedit /etc/sysctl.d/50_user.conf Kicksecure for Qubes NOTES: When using Kicksecure-Qubes, this needs to be done inside the Template. sudoedit /etc/sysctl.d/50_user.conf After applying this change, shutdown the Template. All App Qubes based on the Template need to be restarted if they were already running. This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes. Others and Alternatives This is just an example. Other tools could achieve the same goal. If this example does not work for you or if you are not using Kicksecure, please refer to this link. sudoedit /etc/sysctl.d/50_user.conf Paste (LKRG) sysctl settings such as. Note: Replace lkrg.pcfi_validate=1 with the actual sysctl setting you like to change as per upstream documentation. lkrg.pcfi_validate=1 Save. The procedure of persistently changing sysctl settings is complete.
VirtualBox host software compatibility	lkrg.pcfi_validate=1 Not required for VirtualBox guest VM. [10]

Kicksecure specific LKRG Configuration Tips[edit]

Table: Kicksecure specific LKRG Configuration Tips

Usage[edit]

Once LKRG has been installed, little effort is required since it will protect the kernel without the user's knowledge and/or interaction. However, it is sensible to check that LKRG is running correctly and to monitor system logs for any suspicious entries. Check this entry at a later date for any additional recommendations.

To check systemd journal log for kernel messages by LKRG, run.

sudo journalctl -b | grep lkrg

To keep watching systemd journal log for new LKRG messages, run.

sudo journalctl -b -f | grep lkrg

At this stage a graphical user interface (GUI) is not provided that can proactively inform users who fail to analyze the systemd journal log for relevant LKRG messages. A GUI or popup notification might be developed later on -- help is most welcome.

Recovery[edit]

Quote upstream readme:

To account for the hopefully unlikely but really unfortunate event that some incompatibility between the Linux kernel or other components of the system and LKRG isn't detected prior to LKRG installation yet leads to system crash on bootup, we've included support for the "nolkrg" kernel parameter in the systemd unit file for LKRG. Thus, if you've followed the above installation procedure for LKRG with systemd, you may disable LKRG by specifying "nolkrg" on the kernel command-line via your bootloader. The system should then boot up without LKRG, and thus without triggering the problem, letting you fix it.

Quote upstream contributor:

[...] I would use a different kernel cmd parameter: `systemd.unit=emergency.target` -- which drops me to the shell before even mounting (as read/write) the root file system, and I can disable whatever service I want. [...]

Secure Boot[edit]

Not compatible because it is a kernel module.

Kicksecure Feature Default Status Information[edit]

Not installed by default.

• Risk of broken VM boot after LKRG major version upgrade.
• Risk of broken VM if using kernel from backports or porting to the next major version of Debian.
• Broken in Qubes?

Debugging[edit]

linux-image[edit]

dpkg -l | grep linux-image

Should include:

ii  linux-image-4.19.0-6-amd64                    4.19.67-2+deb10u2               amd64        Linux 4.19 for 64-bit PCs (signed)
ii  linux-image-amd64

linux-headers[edit]

dpkg -l | grep linux-head

Should include:

ii  linux-headers-4.19.0-6-amd64                  4.19.67-2+deb10u2               amd64        Header files for Linux 4.19.0-6-amd64
ii  linux-headers-4.19.0-6-common                 4.19.67-2+deb10u2               all          Common header files for Linux 4.19.0-6
ii  linux-headers-amd64

modinfo[edit]

sudo modinfo p_lkrg

filename:       /lib/modules/5.10.0-0.bpo.7-amd64/updates/dkms/p_lkrg.ko
license:        GPL v2
description:    pi3's Linux kernel Runtime Guard
author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
depends:
retpoline:      Y
name:           p_lkrg
vermagic:       5.10.0-0.bpo.7-amd64 SMP mod_unload modversions
parm:           log_level:log_level [3 (warn) is default] (uint)
parm:           heartbeat:heartbeat [0 (don't print) is default] (uint)
parm:           block_modules:block_modules [0 (don't block) is default] (uint)
parm:           interval:interval [15 seconds is default] (uint)
parm:           kint_validate:kint_validate [3 (periodically + random events) is default] (uint)
parm:           kint_enforce:kint_enforce [2 (panic) is default] (uint)
parm:           msr_validate:msr_validate [0 (disabled) is default] (uint)
parm:           pint_validate:pint_validate [1 (current) is default] (uint)
parm:           pint_enforce:pint_enforce [1 (kill task) is default] (uint)
parm:           umh_validate:umh_validate [1 (allow specific paths) is default] (uint)
parm:           umh_enforce:umh_enforce [1 (prevent execution) is default] (uint)
parm:           pcfi_validate:pcfi_validate [2 (fully enabled pCFI) is default] (uint)
parm:           pcfi_enforce:pcfi_enforce [1 (kill task) is default] (uint)
parm:           smep_validate:smep_validate [1 (enabled) is default] (uint)
parm:           smep_enforce:smep_enforce [2 (panic) is default] (uint)
parm:           smap_validate:smap_validate [1 (enabled) is default] (uint)
parm:           smap_enforce:smap_enforce [2 (panic) is default] (uint)

dkms status[edit]

sudo dkms status

Should include:

lkrg, 0.7, 4.19.0-6-amd64, x86_64: installed

Related Files[edit]

• /etc/modprobe.d/lkrg-dkms.conf
• /etc/modules-load.d/lkrg-dkms.conf
• /etc/sysctl.d/30-lkrg-dkms.conf

Additional Resources[edit]

Forum Discussion[edit]

• Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection

Upstream Resources[edit]

• LKRG Website
• LKRG Source Code git Repository
• LKRG Presentation Video
• Old LKRG Presentation Slides CONFidence 2018
• Updated LKRG Presentation Slides OSTconf 2020
• LKRG Mailing List
• LKRG Wiki
• https://www.openwall.com/lists/lkrg-users/2020/02/28/1

Upstream Mailing List Discussions[edit]

• LKRG compilation hardening flags, checksec, hardening-check
• LKRG packagers / downstream wishlist (signed git commits, signed git tags, version numbers, logo)
• module loading / systemd bug report / suggestion
• LKRG kills VirtualBox host VMs
• VirtualBox host software compatibility
• announcement of this LKRG Debian package on upstream LKRG mailing list
• LKRG module parameters
• Compiling LKRG static into the Kernel / Loading LKRG kernel module as early as possible or after other modules?

See Also[edit]

• security-misc: Inspired by the Kernel Self Protection Project (KSPP). This package implements most if not all recommended Linux kernel settings (sysctl) and kernel parameters set by the KSPP.
• grub-live: Boot your existing, installed Debian Host into Live Mode.
• Hardened VM Kernel (in development): A hardened kernel configuration optimized for virtual machines, see: development discussion.
• System Hardening Checklist

References[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!