From bf51bf9773d019e667c3937bf82031aba3ba006d Mon Sep 17 00:00:00 2001 From: Jenni Nikolaenko Date: Tue, 19 Dec 2023 16:21:45 +0200 Subject: [PATCH] Docs: proofread Hardenining, update RN ghaf-23.09 Signed-off-by: Jenni Nikolaenko --- docs/src/architecture/hardening.md | 41 ++++++++++++++++------------ docs/src/release_notes/ghaf-23.09.md | 13 ++++++--- docs/src/scenarios/run_win_vm.md | 2 +- 3 files changed, 34 insertions(+), 22 deletions(-) diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md index 935d95ecb..6625c3298 100644 --- a/docs/src/architecture/hardening.md +++ b/docs/src/architecture/hardening.md @@ -5,21 +5,23 @@ # Hardening -This section describes how securing Ghaf by reducing its' attack surface, in short - hardening, is done. +This section describes how securing Ghaf by reducing its attack surface—hardening—is done. + ## Kernel -Ghaf has two types of kernels - host and guest kernels. Hardening of these kernels varies in terms of hardware support and functionality required by the guest kernel in question. Within this context, kernel always refers to Linux operating system kernel. +Ghaf has two types of kernels: host and guest. Hardening of these kernels varies in terms of hardware support and functionality required by the guest kernel in question. Within this context, the kernel always refers to the Linux operating system kernel. + + +### Kernel Hardening Process -### Process of Kernel Hardening +NixOS provides several mechanisms to customize the kernel. The main methods are: -NixOS provides several mechanisms to customize kernel. The main methods are: +* [Declaring kernel command line parameters](https://nixos.wiki/wiki/Linux_kernel#Custom_kernel_commandline): [usage in Ghaf](https://github.com/search?q=repo%3Atiiuae%2Fghaf%20kernelparams&type=code). +* [Declaring kernel custom configuration](https://nixos.org/manual/nixos/stable/#sec-linux-config-customizing): [usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix). + + Example of entering the kernel development shell to customize the `.config` and build it: -* [declaring kernel command line parameters](https://nixos.wiki/wiki/Linux_kernel#Custom_kernel_commandline) - * [Usage in Ghaf](https://github.com/search?q=repo%3Atiiuae%2Fghaf%20kernelparams&type=code) -* [declaring kernel custom configuration](https://nixos.org/manual/nixos/stable/#sec-linux-config-customizing) - * [Usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix) - * Example of entering the kernel development shell to customize the `.config` and build it: ``` ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86 ... @@ -30,11 +32,15 @@ NixOS provides several mechanisms to customize kernel. The main methods are: ... Kernel: arch/x86/boot/bzImage ``` -* Boot the built kernel with QEMU + +* Booting the built kernel with QEMU: + ``` [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage ``` -* [validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker) + +* [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker): + ``` [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline [+] Kconfig file to check: ../modules/host/ghaf_host_hardened_baseline @@ -45,13 +51,14 @@ NixOS provides several mechanisms to customize kernel. The main methods are: [+] Config check is finished: 'OK' - 103 / 'FAIL' - 84 ``` -### Host kernel -The host kernel runs on bare metal. The kernel is provided either via Linux upstream (`x86_64`) or via vendor board support package (BSP). The default Ghaf host kernel on `x86_64` is maintained by Ghaf upstream package sources - `nixpkgs` or nix-packaged hardware-specific BSP (e.g. NVIDIA Jetson-family of devices). +### Host Kernel + +The host kernel runs on bare metal. The kernel is provided either with Linux upstream (`x86_64`) or with vendor BSP. The default Ghaf host kernel on `x86_64` is maintained by Ghaf upstream package sources `nixpkgs` or Nix-packaged hardware-specific BSP (for example, NVIDIA Jetson-family of devices). + #### `x86-64-linux` -The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without -modifications. Assertions are fixed in `ghaf_host_hardened_baseline` linux config under Ghaf `modules/host/`. -In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`; -As of now, the kernel builds and early boots on Lenovo X1. +The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without modifications. Assertions are fixed in `ghaf_host_hardened_baseline` Linux configuration under Ghaf `modules/host/`. + +In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1. diff --git a/docs/src/release_notes/ghaf-23.09.md b/docs/src/release_notes/ghaf-23.09.md index daffe3b3e..44592e475 100644 --- a/docs/src/release_notes/ghaf-23.09.md +++ b/docs/src/release_notes/ghaf-23.09.md @@ -71,8 +71,13 @@ There are no specific requirements for the environment with this release. ## Installation Instructions -Released images are available at Jfrog Artifactory. To download the release image: +Released images are available at [vedenemo.dev/files/releases/ghaf_23.09/](https://vedenemo.dev/files/releases/ghaf_23.09/). -* In the [Jfrog Artifactory](https://artifactory.ssrcdevops.tii.ae/ui/login/) login screen, use the *Sign in with SAML SSO* option and then *Sign in with Github.com account*. Note that domain restrictions are in place. -* Navigate to the ghaf-23.09 directory: -* Download the image from the `../targetHW/image` directory. \ No newline at end of file +Download the required image and use the following instructions: + +| Release Image | Build and Run | +|-------------------------|--------------------| +| ghaf-23.09_Generic_x86.tar.xz | [Running Ghaf Image for x86 Computer](../ref_impl/build_and_run.md#running-ghaf-image-for-x86-computer) | +| ghaf-23.09_Lenovo_X1_Gen11.tar.xz | [Running Ghaf Image for Lenovo X1](../ref_impl/build_and_run.md#running-ghaf-image-for-lenovo-x1) | +| ghaf-23.09_Nvidia_Orin_AGX.tar.xz, ghaf-23.09_Nvidia_Orin_NX.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | +| ghaf-23.09_PolarFire_RISC-V.tar.xz | [Building Ghaf Image for Microchip Icicle Kit](../ref_impl/build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | \ No newline at end of file diff --git a/docs/src/scenarios/run_win_vm.md b/docs/src/scenarios/run_win_vm.md index f69db74a6..191c6365d 100644 --- a/docs/src/scenarios/run_win_vm.md +++ b/docs/src/scenarios/run_win_vm.md @@ -48,7 +48,7 @@ On x86_64 device Windows 11 VM can be launched with either an ISO image or QCOW2 * For an ISO image, the script creates an empty QCOW2 image in the same directory which is used as a system disk in the VM. * After installing Windows 11, run the script for the QCOW2 image. -Do the folowing: +Do the following: 1. In the Weston terminal, go to the directory with the Windows 11 image and run the VM without sudo and as a non-root user using the following Ghaf script: