From 761d664925169ed24650cf6ab890a4634f92c939 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 07:00:20 +0100 Subject: [PATCH] Add section "Introduction" --- documentation/hardened_malloc.html | 150 ++++++------- .../openssl_selfsigned_certificate_chain.html | 202 +++++++++--------- 2 files changed, 178 insertions(+), 174 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index 39f82cf..e6d69d3 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -29,78 +29,80 @@
Changelog
-

Documentation - GrapheneOS hardened_malloc

-

This documentation contains instructions to use - GrapheneOS hardened_malloc - memory allocator as the system's default memory allocator. These instructions apply to both musl - and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used - per-application and/or per-user, in which case root permissions are not required; this - documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and - assumes the compiled library will be located in a path readable by all users of the system.

-

For the complete hardened_malloc documentation, visit its - official documentation.

-

This documentation is also available in portable AsciiDoc format in my - documentation source code repository. - -

-

Table of Contents

- -
-
-

Increase Permitted Amount of Memory Pages

-

Add vm.max_map_count = 1048576 to /etc/sysctl.conf - to accommodate hardened_malloc’s large amount of guard pages.

-
-
-

Clone hardened_malloc Source Code

-

$ git clone https://github.com/GrapheneOS/hardened_malloc.git

-
-
-

Enter hardened_malloc Local Git Repository

-

$ cd hardened_malloc/

-
-
-

Compile hardened_malloc

-

$ make <arguments>

-

CONFIG_N_ARENA=n can be adjusted to increase parallel - performance at the expense of memory usage, or decrease memory usage at the - expense of parallel performance, where n is an integer. Higher values - prefer parallel performance, lower values prefer lower memory usage. The number - of arenas has no impact on the security properties of hardened_malloc. -

-

For extra security, CONFIG_SEAL_METADATA=true can be used in - order to control whether Memory Protection Keys are used to disable access to - all writable allocator state outside of the memory allocator code. It’s - currently disabled by default due to a significant performance cost for this use - case on current generation hardware. Whether or not this feature is enabled, the - metadata is all contained within an isolated memory region with high entropy - random guard regions around it.

-

For low-memory systems, VARIANT=light can be used to compile the - light variant of hardened_malloc, which sacrifices some security for much less - memory usage.

-

For all compile-time options, see the - configuration section - of hardened_malloc’s extensive official documentation.

-
-
-

Copy Compiled hardened_malloc Library

-

# cp out/libhardened_malloc.so <target path>

-
-
-

Set System to Preload hardened_malloc on Boot

-

musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" - to /etc/environment
- glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

-
+
+

Documentation - GrapheneOS hardened_malloc

+

This documentation contains instructions to use + GrapheneOS hardened_malloc + memory allocator as the system's default memory allocator. These instructions apply to both musl + and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used + per-application and/or per-user, in which case root permissions are not required; this + documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and + assumes the compiled library will be located in a path readable by all users of the system.

+

For the complete hardened_malloc documentation, visit its + official documentation.

+

This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +

+ +
+

Table of Contents

+ +
+
+

Increase Permitted Amount of Memory Pages

+

Add vm.max_map_count = 1048576 to /etc/sysctl.conf + to accommodate hardened_malloc’s large amount of guard pages.

+
+
+

Clone hardened_malloc Source Code

+

$ git clone https://github.com/GrapheneOS/hardened_malloc.git

+
+
+

Enter hardened_malloc Local Git Repository

+

$ cd hardened_malloc/

+
+
+

Compile hardened_malloc

+

$ make <arguments>

+

CONFIG_N_ARENA=n can be adjusted to increase parallel + performance at the expense of memory usage, or decrease memory usage at the + expense of parallel performance, where n is an integer. Higher values + prefer parallel performance, lower values prefer lower memory usage. The number + of arenas has no impact on the security properties of hardened_malloc. +

+

For extra security, CONFIG_SEAL_METADATA=true can be used in + order to control whether Memory Protection Keys are used to disable access to + all writable allocator state outside of the memory allocator code. It’s + currently disabled by default due to a significant performance cost for this use + case on current generation hardware. Whether or not this feature is enabled, the + metadata is all contained within an isolated memory region with high entropy + random guard regions around it.

+

For low-memory systems, VARIANT=light can be used to compile the + light variant of hardened_malloc, which sacrifices some security for much less + memory usage.

+

For all compile-time options, see the + configuration section + of hardened_malloc’s extensive official documentation.

+
+
+

Copy Compiled hardened_malloc Library

+

# cp out/libhardened_malloc.so <target path>

+
+
+

Set System to Preload hardened_malloc on Boot

+

musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" + to /etc/environment
+ glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

+
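Review bot: In the "Copy Compiled hardened_malloc Library" and "Set System to Preload hardened_malloc on Boot" steps at the end of this hunk, the only requirement stated for <target path> is that it is readable by all users; nothing says the library and its directory must be owned by root and not writable by anyone else. A path listed in /etc/ld.so.preload is loaded into every dynamically linked program, so that requirement belongs next to the cp line, for example as a follow-up step that sets root ownership and mode 0644 on the copied file. The vm.max_map_count step could also say that a line added to /etc/sysctl.conf only takes effect at boot or after running sysctl -p. Separately, the removed and added text in this hunk reads the same line for line, so a sentence in the commit message body saying what changed structurally would help whoever reviews it.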
diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index ae49193..fcca315 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -29,104 +29,106 @@
Changelog
-

Documentation - OpenSSL Self-signed Certificate Chain

-

This documentation contains the complete set of commands to create a new OpenSSL self-signed - certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included - in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or - unencrypted, with multiple encryption options; AES (aes128 or aes256) - is recommended. Optional verification can also be performed between multiple levels of - certificates to ensure the chain of trust is valid.

-

This documentation is also available in portable AsciiDoc format in my - documentation source code repository. -

-

Table of Contents

- -
-
-

Create Certificate Authority Key

-

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

-
-
-

Verify Certificate Authority Key

-

openssl rsa -noout -text -in <CA key name>.pem

-
-
-

Create Certificate Authority Certificate

-

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

-
-
-

Convert Certificate to PEM Format

-

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

-
-
-

Verify Certificate Authority Certificate

-

openssl x509 -noout -text -in <CA certificate name>.pem

-
-
-

Create Intermediate Certificate Authority Key

-

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> -

-
-

Verify Intermediate Certificate Authority Key

-

openssl rsa -noout -text -in <intermediate CA key name>.pem

-
-
-

Create Intermediate Certificate Authority Signing Request

-

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

-
-
-

Create Intermediate Certificate Authority Certificate

-

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

-
-
-

Verify Intermediate Certificate Authority Certificate

-

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

-
-
-

Verify Chain of Trust (CA to Intermediate)

-

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

-
-
-

Create Server Key

-

openssl genrsa <encryption type> -out <server key name>.pem <key size>

-
-
-

Verify Server Key

-

openssl rsa -noout -text -in <server key name>.pem

-
-
-

Create Server Certificate Signing Request

-

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

-
-
-

Create Server Certificate

-

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

-
-
-

Verify Server Certificate

-

openssl x509 -noout -text -in <server certificate name>.pem

-
-
-

Verify Chain of Trust (Intermediate to Server)

-

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

-
+
+

Documentation - OpenSSL Self-signed Certificate Chain

+

This documentation contains the complete set of commands to create a new OpenSSL self-signed + certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included + in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or + unencrypted, with multiple encryption options; AES (aes128 or aes256) + is recommended. Optional verification can also be performed between multiple levels of + certificates to ensure the chain of trust is valid.

+

This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +

+
+

Table of Contents

+ +
+
+

Create Certificate Authority Key

+

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

+
+
+

Verify Certificate Authority Key

+

openssl rsa -noout -text -in <CA key name>.pem

+
+
+

Create Certificate Authority Certificate

+

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

+
+
+

Convert Certificate to PEM Format

+

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

+
+
+

Verify Certificate Authority Certificate

+

openssl x509 -noout -text -in <CA certificate name>.pem

+
+
+

Create Intermediate Certificate Authority Key

+

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> +

+
+

Verify Intermediate Certificate Authority Key

+

openssl rsa -noout -text -in <intermediate CA key name>.pem

+
+
+

Create Intermediate Certificate Authority Signing Request

+

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

+
+
+

Create Intermediate Certificate Authority Certificate

+

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

+
+
+

Verify Intermediate Certificate Authority Certificate

+

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

+
+
+

Verify Chain of Trust (CA to Intermediate)

+

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

+
+
+

Create Server Key

+

openssl genrsa <encryption type> -out <server key name>.pem <key size>

+
+
+

Verify Server Key

+

openssl rsa -noout -text -in <server key name>.pem

+
+
+

Create Server Certificate Signing Request

+

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

+
+
+

Create Server Certificate

+

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

+
+
+

Verify Server Certificate

+

openssl x509 -noout -text -in <server certificate name>.pem

+
+
+

Verify Chain of Trust (Intermediate to Server)

+

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

+
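Review bot: The final "Verify Chain of Trust (Intermediate to Server)" command passes only the intermediate certificate as -CAfile, and openssl verify does not accept a non-self-signed certificate as a trust anchor unless -partial_chain is given, so this check is expected to fail with an issuer lookup error even when the chain is good. Suggest verifying against the root and supplying the intermediate as untrusted: openssl verify -CAfile <CA certificate name>.pem -untrusted <intermediate CA certificate name>.pem <server certificate name>.pem, which also brings the last placeholder in line with the <server certificate name> used in the other steps. In "Create Server Certificate", the -extfile text ends at subjectAltName=DNS.1: with nothing after the colon, while the signing request step uses <alternative DNS entry>; the same placeholder is needed there so the issued certificate carries the SAN that was requested.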