Hardening OpenWrt

I want to use a blob-free build of OpenWrt with all hardening build/kernel build options enabled on the GL-AR300M.

I checked the OpenWrt Config-kernel.in file and it looks like all the kernel hardening options from the old security page are now enabled by default so long as “SMALL_FLASH” is false… That’s great, but how big exactly does the flash need to be? Does this mean that buying the GL-AR300M router with 16MB of NOR flash vs. 128MB of NAND flash will have real security implications because it’s triggering that flag?

Also, since the GL-AR300M doesn’t need wifi blobs, is the installation blob-free? Or are there other ones in there?

Finally, there’s still some hardening that can be enabled in Config-build.in like stack-smashing protection, PIE, etc. I would like to apply these settings to my router, but that requires a recompile. Would automatic updates be affected? Would I need to recompile every time a new update is released?

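A practical way to answer the two build-config questions above (is SMALL_FLASH set, and which of the Config-build.in hardening toggles ended up in the final .config) is to audit the buildroot's `.config` before compiling. The script below is an added example, not code from the thread or from the OpenWrt project; the symbol names are the ones used in OpenWrt 18.06/19.07's Config-build.in and Config-kernel.in (check them against your own checkout, since some were renamed in later releases), and the three sample configs are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenWrt buildroot .config for the userland hardening
# toggles from Config-build.in and for SMALL_FLASH, which gates the default-on
# kernel hardening in Config-kernel.in. Symbol names are assumed from 18.06/19.07;
# verify them against your tree.

# Symbols expected to be =y in a hardened build (assumed names, see lead-in).
HARDENING_SYMBOLS="
CONFIG_PKG_CHECK_FORMAT_SECURITY
CONFIG_PKG_CC_STACKPROTECTOR_STRONG
CONFIG_PKG_FORTIFY_SOURCE_2
CONFIG_PKG_RELRO_FULL
CONFIG_PKG_ASLR_PIE
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG
"

# is_set SYMBOL FILE: succeeds if "SYMBOL=y" is present in FILE.
is_set() {
    grep -q "^$1=y\$" "$2"
}

# missing_hardening FILE: prints each expected symbol not set to y; fails if any.
missing_hardening() {
    _rc=0
    for sym in $HARDENING_SYMBOLS; do
        if ! is_set "$sym" "$1"; then
            echo "$sym"
            _rc=1
        fi
    done
    return $_rc
}

# small_flash_enabled FILE: succeeds if CONFIG_SMALL_FLASH=y, i.e. the
# !SMALL_FLASH-gated kernel hardening defaults in Config-kernel.in are off.
small_flash_enabled() {
    is_set CONFIG_SMALL_FLASH "$1"
}

# audit_config FILE: report both problems; succeeds only if the config is clean.
audit_config() {
    _ok=0
    if small_flash_enabled "$1"; then
        echo "WARN: CONFIG_SMALL_FLASH=y, kernel hardening defaults are disabled"
        _ok=1
    fi
    _missing=$(missing_hardening "$1") || _ok=1
    [ -n "$_missing" ] && printf 'missing: %s\n' $_missing
    return $_ok
}

# Constructed sample configs (not real device configs), written to temp files.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp); SMALLFLASH_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG" "$SMALLFLASH_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
CONFIG_TARGET_ath79=y
# CONFIG_SMALL_FLASH is not set
CONFIG_PKG_CHECK_FORMAT_SECURITY=y
CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_PKG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_PKG_FORTIFY_SOURCE_1=y
CONFIG_PKG_RELRO_PARTIAL=y
# CONFIG_PKG_ASLR_PIE is not set
CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y
EOF

cat >"$HARDENED_CFG" <<'EOF'
CONFIG_TARGET_ath79=y
# CONFIG_SMALL_FLASH is not set
CONFIG_PKG_CHECK_FORMAT_SECURITY=y
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y
CONFIG_PKG_FORTIFY_SOURCE_2=y
CONFIG_PKG_RELRO_FULL=y
CONFIG_PKG_ASLR_PIE=y
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y
EOF

# Same as the hardened config but with SMALL_FLASH turned on.
sed 's/^# CONFIG_SMALL_FLASH is not set$/CONFIG_SMALL_FLASH=y/' "$HARDENED_CFG" >"$SMALLFLASH_CFG"

# Usage: run the audit on each sample and show the verdict.
for cfg in "$WEAK_CFG" "$HARDENED_CFG" "$SMALLFLASH_CFG"; do
    if audit_config "$cfg"; then echo "$cfg: OK"; else echo "$cfg: NOT hardened"; fi
done
```

Point it at the real `.config` in your buildroot (`audit_config .config`) after `make menuconfig`; a clean result means the toolchain flags you asked for are actually in effect for the packages you build, which is the thing a recompile-based hardening plan depends on.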

If you change the kernel, you have to compile your own firmware, and you need to upgrade manually as well.

I see, thank you. Would the GL-AR300M trigger the “SMALL_FLASH” flag?

And does it require any binary blobs?

I am not sure about the small_flash flag.

It does not need any binary blobs. You can compile a fully operational firmware from open-source code.


Thank you.

I asked at the openwrt forum as well and they confirmed the small_flash flag is set to false on this device, enabling kernel hardening.

No - shouldn’t need this here on AR-300M targets.

Even on the NOR-only based AR300M-16, you should be fine - it’s really about choosing which target to work with.

No binary blobs…

If you’re building on 18.06 or 19.07 with ar7xxx/ar9xxx - should be ok - but the future is ath79 for this target on master…