PROJECT NOT UNDER ACTIVE MANAGEMENT
This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.
Contact: webadmin@linux.intel.com
This project contains tools, scripts, and best-known-configuration (BKC) for Linux guest kernel hardening in the context of Confidential Cloud Computing threat model. For motivation and solution overview, refer to Guest Hardening Strategy.
All components and scripts are provided for research and validation purposes only.
In the bkc
directory, you will find:
audit
: threat surface enumeration using static analysiskafl
: configs and tools for Linux fuzzing with kAFLsyzkaller
: configs and tools for generating guest activity with Syzkallercoverage
: tools for matching coverage and trace data against audit list
-
Intel Skylake or later: The setup requires a Gen-6 or newer Intel CPU (for Intel PT) and adequate memory (~2GB RAM per CPU, 5-20GB storage per campaign)
-
Patched Host Kernel: A modified Linux host kernel is used for TDX emulation and VM-based snapshot fuzzing. This setup does not run inside a VM or container!
-
Recent Debian/Ubuntu: The userspace installation and fuzzing workflow has been tested for recent Ubuntu (>=20.04) and Debian (>=bullseye).
-
Know your Kernel: Working knowledge of Linux console, kernel build and boot, and an idea of the kernel version and feature you want to test.
sudo apt-get install python3 python3-venv
git clone https://github.com/intel/ccc-linux-guest-hardening ~/cocofuzz
cd ~/cocofuzz
make deploy
Note: The installation uses Ansible.
The main system modification is to install a patched host kernel (.deb
package)
and fixing the grub
config to make it boot. Ansible will also add the current
user to group kvm
and pull in a few build dependencies and tools via apt
.
The rest of the stack consists of userspace tools and scripts which are only
available in a local Python virtual environment.
uname -a
# Linux tdx-fuzz0 6.1.0-sdv+ #15 SMP Wed May 25 02:23:44 CEST 2022 x86_64 x86_64 x86_64 GNU/Linux
dmesg|grep KVM-NYX
# [KVM-NYX] Info: CPU is supported!
# [KVM-NYX] Info: LVT PMI handler registrated!
Note: When launching the kAFL/SDV emulation kernel, you might encounter an
initramfs unpacking failure
because the current kernel lacks support for the zstd
compression algorithm.
To fix this, follow the steps below:
- Edit
/etc/initramfs-tools/initramfs.conf
to change the compression algorithm fromzstd
to, e.g.,lz4
- Rebuild the initramfs:
sudo update-initramfs -c -k all
- Select the kAFL/SDV emulation kernel after a reboot
The zstd
support will be provided in the future kAFL/SDV emulation kernel.
When the installation is complete, you will find several tools and scripts
(e.g., fuzz.sh
) inside the installation directory of the target system.
All subsequent steps assume that you have activated the installation environment
using make env
:
make env
fuzz.sh
exit
The environment defines various default paths used by multiple layers of
scripts. Go take a look. Note that the script also sets MAKEFLAGS="-j$(nproc)"
as a global default for parallel builds:
make env
cat env.sh
echo $MAKEFLAGS
echo $KAFL_WORKSPACE
Now that the necessary components are installed, you can pursue by one the following: