

Linux Security Hardening for Confidential Compute


This project contains tools, scripts, and a best-known configuration (BKC) for Linux guest kernel hardening in the context of the Confidential Cloud Computing threat model. For motivation and a solution overview, refer to Guest Hardening Strategy.

All components and scripts are provided for research and validation purposes only.

Project overview:

In the bkc directory, you will find:

  • audit: threat surface enumeration using static analysis
  • kafl: configs and tools for Linux fuzzing with kAFL
  • syzkaller: configs and tools for generating guest activity with Syzkaller
  • coverage: tools for matching coverage and trace data against audit list

Getting started

Requirements

  • Intel Skylake or later: The setup requires a Gen-6 or newer Intel CPU (for Intel PT) and adequate memory (~2GB RAM per CPU, 5-20GB storage per campaign)

  • Patched Host Kernel: A modified Linux host kernel is used for TDX emulation and VM-based snapshot fuzzing. This setup does not run inside a VM or container!

  • Recent Debian/Ubuntu: The userspace installation and fuzzing workflow has been tested for recent Ubuntu (>=20.04) and Debian (>=bullseye).

  • Know your Kernel: Working knowledge of Linux console, kernel build and boot, and an idea of the kernel version and feature you want to test.

Installation

The installation and the fuzzing runtime require Python3 and the virtual environment package:

sudo apt-get install python3 python3-venv

Clone this repo to a new top-level workspace and install using make deploy:

git clone https://github.com/intel/ccc-linux-guest-hardening ~/cocofuzz
cd ~/cocofuzz
make deploy

Note: The installation uses Ansible. The main system modification is to install a patched host kernel (.deb package) and to fix the grub config so that it boots. Ansible will also add the current user to the group kvm and pull in a few build dependencies and tools via apt. The rest of the stack consists of userspace tools and scripts which are only available in a local Python virtual environment.

If not yet done, reboot to launch the kAFL/SDV emulation kernel:

uname -a
# Linux tdx-fuzz0 5.6.0-rc1-tdfl+ #15 SMP Wed May 25 02:23:44 CEST 2022 x86_64 x86_64 x86_64 GNU/Linux
dmesg|grep KVM-PT
# [KVM-PT] Info:  CPU is supported!
# [KVM-PT] Info:  LVT PMI handler registrated!

Note: When launching the kAFL/SDV emulation kernel, you might encounter an initramfs unpacking failure because the current kernel lacks support for the zstd compression algorithm.

To fix this, follow the steps below:

  1. Edit /etc/initramfs-tools/initramfs.conf to change the compression algorithm from zstd to, e.g., lz4
  2. Rebuild the initramfs: sudo update-initramfs -c -k all
  3. Select the kAFL/SDV emulation kernel after a reboot

zstd support will be provided in a future kAFL/SDV emulation kernel.
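The following preflight script is an added example and is not part of this project: it turns the requirements above (Intel PT support, memory per CPU, the patched host kernel) and the zstd workaround into small shell functions that can be run against captured data or, with --live, against the current host. The "tdfl" kernel tag is taken from the sample uname output above; the sample cpuinfo flags and initramfs.conf are constructed here.

```shell
#!/bin/sh
# Added example (not project code): host preflight checks for the
# requirements listed above plus the initramfs COMPRESS= workaround.

# has_intel_pt FLAGS: return 0 if the /proc/cpuinfo "flags" line lists intel_pt
has_intel_pt() {
    case " $1 " in
        *" intel_pt "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ram_per_cpu_ok MEMTOTAL_KB NCPU: return 0 if there are >= 2 GB RAM per CPU
ram_per_cpu_ok() {
    [ $(( $1 / $2 )) -ge $(( 2 * 1024 * 1024 )) ]
}

# running_kafl_kernel UNAME_R: return 0 if the kernel release string carries
# the "tdfl" tag of the patched kAFL/SDV host kernel (see sample output above)
running_kafl_kernel() {
    case "$1" in
        *tdfl*) return 0 ;;
        *) return 1 ;;
    esac
}

# initramfs_compress FILE: print the COMPRESS= value from an initramfs.conf
initramfs_compress() {
    sed -n 's/^COMPRESS=\(.*\)$/\1/p' "$1"
}

# fix_initramfs_compress FILE: step 1 of the zstd workaround, rewrite
# COMPRESS=zstd to COMPRESS=lz4 (portable sed, no -i); prints the new value
fix_initramfs_compress() {
    tmp="$1.tmp"
    sed 's/^COMPRESS=zstd$/COMPRESS=lz4/' "$1" > "$tmp" && mv "$tmp" "$1"
    initramfs_compress "$1"
}

# preflight: run the checks against the live host and report each result
preflight() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo)
    memkb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    ncpu=$(nproc)
    has_intel_pt "$flags"            && echo "ok: Intel PT"   || echo "FAIL: no intel_pt flag"
    ram_per_cpu_ok "$memkb" "$ncpu"  && echo "ok: RAM/CPU"    || echo "FAIL: < 2GB RAM per CPU"
    running_kafl_kernel "$(uname -r)" && echo "ok: kAFL kernel" || echo "FAIL: not on kAFL/SDV kernel"
    id -nG | grep -qw kvm            && echo "ok: kvm group"  || echo "FAIL: user not in group kvm"
    [ "$(initramfs_compress /etc/initramfs-tools/initramfs.conf)" = zstd ] \
        && echo "WARN: initramfs uses zstd, apply the workaround above"
}

# Constructed sample inputs so the functions can be exercised offline
sample_flags="fpu vme de pse tsc msr pae mce cx8 apic sep intel_pt pdpe1gb"
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf" "$sample_conf.tmp"' EXIT
printf 'MODULES=most\nCOMPRESS=zstd\n' > "$sample_conf"

if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

Run it with `sh preflight.sh --live` on the host before make deploy; after the rewrite, step 2 above (`sudo update-initramfs -c -k all`) is still needed to rebuild the initramfs.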

Activate the environment and check if tools are available:

When the installation is complete, you will find several tools and scripts (e.g., fuzz.sh) inside the installation directory of the target system.

All subsequent steps assume that you have activated the installation environment using make env:

make env
fuzz.sh
exit

The environment defines various default paths used by multiple layers of scripts. Go take a look. Note that the script also sets MAKEFLAGS="-j$(nproc)" as a global default for parallel builds:

make env
cat env.sh
echo $MAKEFLAGS
echo $KAFL_WORKSPACE

Kernel Hardening Workflow

Now that the necessary components are installed, you can proceed with one of the following:

  1. Review the campaign workflow and the automation tools
  2. Generate smatch audit list
  3. Launch a Pre-Defined Harness
  4. Explore how to define new harnesses
  5. Targeting your own guest kernel [TBD]
