diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html new file mode 100644 index 0000000..ca8a2ec --- /dev/null +++ b/documentation/hardened_malloc.html @@ -0,0 +1,119 @@ + + + + + + + + + + + +
+This documentation contains instructions to use + GrapheneOS hardened_malloc + memory allocator as the system's default memory allocator. These instructions apply to + both musl and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can + also be used per-application and/or per-user, in which case root permissions are not + required; this documentation focuses on system-wide usage of hardened_malloc, assumes + root privileges, and assumes the compiled library will be located in a path readable by + all users of the system.
+For the complete hardened_malloc documentation, visit its + official documentation.
+This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +
Add vm.max_map_count = 1048576
to
+ /etc/sysctl.conf
to accommodate hardened_malloc's large
+ amount of guard pages.
$ git clone https://github.com/GrapheneOS/hardened_malloc.git
$ cd hardened_malloc/
$ make <arguments>
CONFIG_N_ARENA=n
can be adjusted to increase
+ parallel performance at the expense of memory usage, or decrease memory
+ usage at the expense of parallel performance, where n is an
+ integer. Higher values prefer parallel performance, lower values prefer
+ lower memory usage. The number of arenas has no impact on the security
+ properties of hardened_malloc.
+
For extra security, CONFIG_SEAL_METADATA=true
can be
+ used in order to control whether Memory Protection Keys are used to
+ disable access to all writable allocator state outside of the memory
+ allocator code. It's currently disabled by default due to a significant
+ performance cost for this use case on current generation hardware.
+ Whether or not this feature is enabled, the metadata is all contained
+ within an isolated memory region with high entropy random guard regions
+ around it.
For low-memory systems, VARIANT=light
can be used to
+ compile the light variant of hardened_malloc, which sacrifices some
+ security for much less memory usage.
For all compile-time options, see the + configuration section + of hardened_malloc's extensive official documentation.
+# cp out/libhardened_malloc.so <target path>
+
export LD_PRELOAD="<hardened_malloc path>"
+ to /etc/environment
<hardened_malloc path>
to
+ /etc/ld.so.preload
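Review bot: The two activation routes at the end of this hunk (export LD_PRELOAD="<hardened_malloc path>" in /etc/environment, and <hardened_malloc path> in /etc/ld.so.preload) are given without saying which C library each one is for or how far each one reaches, although the introduction promises system-wide use on both musl and glibc. State which route applies to which libc, and note that a variable set in /etc/environment only reaches processes started through a session that reads that file, while /etc/ld.so.preload is applied by the glibc dynamic loader to every dynamically linked program, so a faulty build placed there affects the whole system. Recommend testing the library with a per-command LD_PRELOAD before enabling either route. Also add the step that loads the vm.max_map_count setting (for example sysctl -p or a reboot) before the preload is enabled, and confirm that out/libhardened_malloc.so in the cp step is still the right output path when VARIANT=light is used.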
This documentation contains the complete set of commands to create a new OpenSSL
+ self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple
+ SANs can be included in a certificate by adding each domain as a comma-delimited string.
+ Each key can be encrypted or unencrypted, with multiple encryption options; AES
+ (aes128
or aes256
) is recommended. Optional verification can
+ also be performed between multiple levels of certificates to ensure the chain of trust
+ is valid.
This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +
openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM
openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem
openssl genrsa <encryption type> -out <server key name>.pem <key size>
openssl rsa -noout -text -in <server key name>.pem
openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem
openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem
openssl x509 -noout -text -in <server certificate name>.pem
openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem
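Review bot: In the signing command (openssl x509 -sha256 -req ...) the printf that builds the [SAN] section ends at subjectAltName=DNS.1: with no value, whereas the CSR command just above it carries DNS.1:<alternative DNS entry>. openssl x509 -req does not copy extensions from the request by default, so the SAN in the issued certificate comes only from this -extfile section; put the same placeholder after DNS.1: here so the two commands agree. Separately, the final openssl verify passes only the intermediate CA certificate as -CAfile: unless the root certificate is also in that file, or -partial_chain is given, verifying a server certificate under an intermediate that is not self-signed stops with an issuer lookup error, so say which certificates that file is expected to contain. The last line also uses <server certificate>.pem where the earlier commands use <server certificate name>.pem; keep one placeholder name.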