Hardening OpenWrt

gurk · July 31, 2020, 6:28pm

I want to use a blob-free build of OpenWrt with all hardening build/kernel build options enabled on the GL-AR300M.

I checked the OpenWrt Config-kernel.in file and it looks like all the kernel hardening options from the old security page are now enabled by default so long as “SMALL_FLASH” is false… That’s great, but how big exactly does the flash need to be? Does this mean that buying the GL-AR300M router with 16MB of NOR flash vs. 128MB of NAND flash will have real security implications because it’s triggering that flag?

Also, since the GL-AR300M doesn’t need wifi blobs, is the installation blob-free? Or are there other ones in there?

Finally, there’s still some hardening that can be enabled in Config-build.in like stack-smashing protection, PIE, etc. I would like to apply these settings to my router, but that requires a recompile. Would automatic updates be affected? Would I need to recompile every time a new update is released?

alzhao · August 4, 2020, 9:13am

If you change kernel, you have to compile your own firmware and you need to upgrade manually as well.

gurk · August 4, 2020, 1:59pm

I see, thank you. Would the GL-AR300M trigger the “SMALL_FLASH” flag?

And does it require any binary blobs?

alzhao · August 5, 2020, 4:24am

I am not sure small_flash flag.

It does not need any binary blobs. You can compile a fully operational firmware from opensource code.

gurk · August 5, 2020, 2:04pm

Thank you.

I asked at the openwrt forum as well and they confirmed the small_flash flag is set to false on this device, enabling kernel hardening.

sfx2000 · August 10, 2020, 12:01am

No - shouldn’t need this here on AR-300M targets.

Even on the NOR only based AR300M-16, you should be fine - it’s really about choosing which target to work with.

No binary blobs…

If you’re build on 18.06 or 19.07 with ar7xxx/ar9xxx - should be ok - but the future is ath79 for this target on master…