From fe6c97d4c4474171389b96eca78c6cf2f5e0e897 Mon Sep 17 00:00:00 2001 From: inference Date: Tue, 3 Oct 2023 08:30:19 +0100 Subject: [PATCH 01/15] Add GrapheneOS hardened_malloc documentation --- documentation/grapheneos-hardened_malloc.html | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 documentation/grapheneos-hardened_malloc.html diff --git a/documentation/grapheneos-hardened_malloc.html b/documentation/grapheneos-hardened_malloc.html new file mode 100644 index 0000000..a772cf5 --- /dev/null +++ b/documentation/grapheneos-hardened_malloc.html @@ -0,0 +1,103 @@ + + + + + + + + + + + + + Inferencium - Documentation - GrapheneOS hardened_malloc + + + + + + +

Documentation - GrapheneOS hardened_malloc

+

This documentation contains instructions to use + GrapheneOS hardened_malloc + memory allocator as the system’s default memory allocator. These instructions apply to both musl + and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used + per-application and/or per-user, in which case root permissions are not required; this + documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and + assumes the compiled library will be located in a path readable by all users of the system.

+

For the complete hardened_malloc documentation, visit its + official documentation.

+ +
+

Table of Contents

+ +
+

Increase Permitted Amount of Memory Pages

+

Add vm.max_map_count = 1048576 to /etc/sysctl.conf + to accommodate hardened_malloc’s large amount of guard pages.

+
+
+

Clone hardened_malloc Source Code

+

$ git clone https://github.com/GrapheneOS/hardened_malloc.git

+
+
+

Enter hardened_malloc Local Git Repository

+

$ cd hardened_malloc/

+
+
+

Compile hardened_malloc

+

$ make <arguments>

+

CONFIG_N_ARENA=n can be adjusted to increase parallel + performance at the expense of memory usage, or decrease memory usage at the + expense of parallel performance, where n is an integer. Higher values + prefer parallel performance, lower values prefer lower memory usage. The number + of arenas has no impact on the security properties of hardened_malloc. +

    +
  • Minimum number of arenas: 1
  • +
  • Maximum number of arenas: 256
  • +
+

For extra security, CONFIG_SEAL_METADATA=true can be used in + order to control whether Memory Protection Keys are used to disable access to + all writable allocator state outside of the memory allocator code. It’s + currently disabled by default due to a significant performance cost for this use + case on current generation hardware. Whether or not this feature is enabled, the + metadata is all contained within an isolated memory region with high entropy + random guard regions around it.

+

For low-memory systems, VARIANT=light can be used to compile the + light variant of hardened_malloc, which sacrifices some security for much less + memory usage.

+

For all compile-time options, see the + configuration section + of hardened_malloc’s extensive official documentation.

+
+
+

Copy Compiled hardened_malloc Library

+

# cp out/libhardened_malloc.so <target path>

+
+
+

Set System to Preload hardened_malloc on Boot

+

musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" + to /etc/environment
+ glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

+
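Review bot: in "Set System to Preload hardened_malloc on Boot", the musl instruction relies on LD_PRELOAD exported from /etc/environment, which does not give the system-wide coverage the introduction describes. Only processes whose environment is built from that file inherit the variable, and the dynamic loader ignores LD_PRELOAD for setuid and setgid programs. Suggest stating that limit next to the musl line and adding a verification step, for example checking that libhardened_malloc.so appears in /proc/<pid>/maps of a running process. In "Copy Compiled hardened_malloc Library", only out/libhardened_malloc.so is given although the compile step offers VARIANT=light, which upstream's Makefile writes to out-light/libhardened_malloc-light.so; the copy step should cover both.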
+ + From 728e02d1f62b7e449fa9efcc80662e8ac1bffde9 Mon Sep 17 00:00:00 2001 From: inference Date: Fri, 6 Oct 2023 08:56:16 +0100 Subject: [PATCH 02/15] Add documentation "OpenSSL Self-signed Certificate Chain" --- .../openssl_selfsigned_certificate_chain.html | 131 ++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 documentation/openssl_selfsigned_certificate_chain.html diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html new file mode 100644 index 0000000..ae2c62a --- /dev/null +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -0,0 +1,131 @@ + + + + + + + + + + + + + Inferencium - Documentation - OpenSSL Self-signed Certificate Chain + + + + + + +

Documentation - OpenSSL Self-signed Certificate Chain

+

This documentation contains the complete set of commands to create a new OpenSSL self-signed + certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included + in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or + unencrypted, with multiple encryption options; AES (aes128 or aes256) + is recommended. Optional verification can also be performed between multiple levels of + certificates to ensure the chain of trust is valid.

+

This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +

+

Table of Contents

+ +
+

Create Certificate Authority Key

+

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

+
+
+

Verify Certificate Authority Key

+

openssl rsa -noout -text -in <CA key name>.pem

+
+
+

Create Certificate Authority Certificate

+

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

+
+
+

Convert Certificate to PEM Format

+

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

+
+
+

Verify Certificate Authority Certificate

+

openssl x509 -noout -text -in <CA certificate name>.pem

+
+
+

Create Intermediate Certificate Authority Key

+

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> +

+
+

Verify Intermediate Certificate Authority Key

+

openssl rsa -noout -text -in <intermediate CA key name>.pem

+
+
+

Create Intermediate Certificate Authority Signing Request

+

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

+
+
+

Create Intermediate Certificate Authority Certificate

+

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

+
+
+

Verify Intermediate Certificate Authority Certificate

+

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

+
+
+

Verify Chain of Trust (CA to Intermediate)

+

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

+
+
+

Create Server Key

+

openssl genrsa <encryption type> -out <server key name>.pem <key size>

+
+
+

Verify Server Key

+

openssl rsa -noout -text -in <server key name>.pem

+
+
+

Create Server Certificate Signing Request

+

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

+
+
+

Create Server Certificate

+

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

+
+
+

Verify Server Certificate

+

openssl x509 -noout -text -in <server certificate name>.pem

+
+
+

Verify Chain of Trust (Intermediate to Server)

+

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

+
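Review bot: in "Create Server Certificate", the -extfile input ends at printf "\n[SAN]\nsubjectAltName=DNS.1:" with no name after the colon, while the CSR step above it uses DNS.1:<alternative DNS entry>. openssl x509 -req does not copy extensions from the request by default, so this [SAN] section is the only source of the subjectAltName on the issued certificate; suggest subjectAltName=DNS.1:<alternative DNS entry> here so the two steps agree. The <( ... ) process substitution in the same command needs bash or a compatible shell, which the page should say.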
+ + From 5a38ee68b440fe23765d872d9d3bcde2145945b7 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 02:12:39 +0100 Subject: [PATCH 03/15] Add AsciiDoc documentation link --- documentation/grapheneos-hardened_malloc.html | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/grapheneos-hardened_malloc.html b/documentation/grapheneos-hardened_malloc.html index a772cf5..d2ff5da 100644 --- a/documentation/grapheneos-hardened_malloc.html +++ b/documentation/grapheneos-hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -39,6 +39,8 @@ assumes the compiled library will be located in a path readable by all users of the system.

For the complete hardened_malloc documentation, visit its official documentation.

+

This documentation is also available in portable AsciiDoc format in my + documentation source code repository.

Table of Contents

From b79baa7e382ed91cb0a4cdcae0056217e73214c7 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 02:13:25 +0100 Subject: [PATCH 04/15] Rename hardened_malloc documentation file to match AsciiDoc file. --- .../{grapheneos-hardened_malloc.html => hardened_malloc.html} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename documentation/{grapheneos-hardened_malloc.html => hardened_malloc.html} (100%) diff --git a/documentation/grapheneos-hardened_malloc.html b/documentation/hardened_malloc.html similarity index 100% rename from documentation/grapheneos-hardened_malloc.html rename to documentation/hardened_malloc.html From 2cd8377d6205aeb746c9d8d570def80d0af0fee7 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 06:13:26 +0100 Subject: [PATCH 05/15] Fix broken apostrophe --- documentation/hardened_malloc.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index d2ff5da..a1bc0e7 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -32,7 +32,7 @@

Documentation - GrapheneOS hardened_malloc

This documentation contains instructions to use GrapheneOS hardened_malloc - memory allocator as the system’s default memory allocator. These instructions apply to both musl + memory allocator as the system's default memory allocator. These instructions apply to both musl and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used per-application and/or per-user, in which case root permissions are not required; this documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and From 22d4e3b3c615f99d2150048dbb599474490fc22e Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 06:16:09 +0100 Subject: [PATCH 06/15] Add missing section closing tag --- documentation/hardened_malloc.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index a1bc0e7..39f82cf 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -52,6 +52,7 @@

  • Copy Compiled hardened_malloc Library
  • Set System to Preload hardened_malloc on Boot
  • +

    Increase Permitted Amount of Memory Pages

    Add vm.max_map_count = 1048576 to /etc/sysctl.conf From 9645c161a48057202a20b1d3ea6ebbe0a01fe9b7 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 06:17:26 +0100 Subject: [PATCH 07/15] Add missing section closing tag --- documentation/openssl_selfsigned_certificate_chain.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index ae2c62a..ae49193 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -59,6 +59,7 @@

  • Verify Server Certificate
  • Verify Chain of Trust (Intermediate to Server)
  • +

    Create Certificate Authority Key

    openssl genrsa <encryption type> -out <CA key name>.pem <key size>

    From 761d664925169ed24650cf6ab890a4634f92c939 Mon Sep 17 00:00:00 2001 From: inference Date: Sat, 7 Oct 2023 07:00:20 +0100 Subject: [PATCH 08/15] Add section "Introduction" --- documentation/hardened_malloc.html | 150 ++++++------- .../openssl_selfsigned_certificate_chain.html | 202 +++++++++--------- 2 files changed, 178 insertions(+), 174 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index 39f82cf..e6d69d3 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -29,78 +29,80 @@ -

    Documentation - GrapheneOS hardened_malloc

    -

    This documentation contains instructions to use - GrapheneOS hardened_malloc - memory allocator as the system's default memory allocator. These instructions apply to both musl - and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used - per-application and/or per-user, in which case root permissions are not required; this - documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and - assumes the compiled library will be located in a path readable by all users of the system.

    -

    For the complete hardened_malloc documentation, visit its - official documentation.

    -

    This documentation is also available in portable AsciiDoc format in my - documentation source code repository. - -

    -

    Table of Contents

    - -
    -
    -

    Increase Permitted Amount of Memory Pages

    -

    Add vm.max_map_count = 1048576 to /etc/sysctl.conf - to accommodate hardened_malloc’s large amount of guard pages.

    -
    -
    -

    Clone hardened_malloc Source Code

    -

    $ git clone https://github.com/GrapheneOS/hardened_malloc.git

    -
    -
    -

    Enter hardened_malloc Local Git Repository

    -

    $ cd hardened_malloc/

    -
    -
    -

    Compile hardened_malloc

    -

    $ make <arguments>

    -

    CONFIG_N_ARENA=n can be adjusted to increase parallel - performance at the expense of memory usage, or decrease memory usage at the - expense of parallel performance, where n is an integer. Higher values - prefer parallel performance, lower values prefer lower memory usage. The number - of arenas has no impact on the security properties of hardened_malloc. -

      -
    • Minimum number of arenas: 1
    • -
    • Maximum number of arenas: 256
    • -
    -

    For extra security, CONFIG_SEAL_METADATA=true can be used in - order to control whether Memory Protection Keys are used to disable access to - all writable allocator state outside of the memory allocator code. It’s - currently disabled by default due to a significant performance cost for this use - case on current generation hardware. Whether or not this feature is enabled, the - metadata is all contained within an isolated memory region with high entropy - random guard regions around it.

    -

    For low-memory systems, VARIANT=light can be used to compile the - light variant of hardened_malloc, which sacrifices some security for much less - memory usage.

    -

    For all compile-time options, see the - configuration section - of hardened_malloc’s extensive official documentation.

    -
    -
    -

    Copy Compiled hardened_malloc Library

    -

    # cp out/libhardened_malloc.so <target path>

    -
    -
    -

    Set System to Preload hardened_malloc on Boot

    -

    musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" - to /etc/environment
    - glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

    -
    +
    +

    Documentation - GrapheneOS hardened_malloc

    +

    This documentation contains instructions to use + GrapheneOS hardened_malloc + memory allocator as the system's default memory allocator. These instructions apply to both musl + and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used + per-application and/or per-user, in which case root permissions are not required; this + documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and + assumes the compiled library will be located in a path readable by all users of the system.

    +

    For the complete hardened_malloc documentation, visit its + official documentation.

    +

    This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +

    + +
    +

    Table of Contents

    + +
    +
    +

    Increase Permitted Amount of Memory Pages

    +

    Add vm.max_map_count = 1048576 to /etc/sysctl.conf + to accommodate hardened_malloc’s large amount of guard pages.

    +
    +
    +

    Clone hardened_malloc Source Code

    +

    $ git clone https://github.com/GrapheneOS/hardened_malloc.git

    +
    +
    +

    Enter hardened_malloc Local Git Repository

    +

    $ cd hardened_malloc/

    +
    +
    +

    Compile hardened_malloc

    +

    $ make <arguments>

    +

    CONFIG_N_ARENA=n can be adjusted to increase parallel + performance at the expense of memory usage, or decrease memory usage at the + expense of parallel performance, where n is an integer. Higher values + prefer parallel performance, lower values prefer lower memory usage. The number + of arenas has no impact on the security properties of hardened_malloc. +

      +
    • Minimum number of arenas: 1
    • +
    • Maximum number of arenas: 256
    • +
    +

    For extra security, CONFIG_SEAL_METADATA=true can be used in + order to control whether Memory Protection Keys are used to disable access to + all writable allocator state outside of the memory allocator code. It’s + currently disabled by default due to a significant performance cost for this use + case on current generation hardware. Whether or not this feature is enabled, the + metadata is all contained within an isolated memory region with high entropy + random guard regions around it.

    +

    For low-memory systems, VARIANT=light can be used to compile the + light variant of hardened_malloc, which sacrifices some security for much less + memory usage.

    +

    For all compile-time options, see the + configuration section + of hardened_malloc’s extensive official documentation.

    +
    +
    +

    Copy Compiled hardened_malloc Library

    +

    # cp out/libhardened_malloc.so <target path>

    +
    +
    +

    Set System to Preload hardened_malloc on Boot

    +

    musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" + to /etc/environment
    + glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

    +
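Review bot: the re-added lines under "Increase Permitted Amount of Memory Pages" and "Compile hardened_malloc" still carry the typographic apostrophe (hardened_malloc’s, It’s) that 05/15 replaced with ' in the introduction, so the file now mixes both forms. Every body line is rewritten in this hunk for the new indentation anyway, so this is the cheapest place to normalise them. Since the subject says only that a section is added, it would also help to note in the commit message that the remaining 78 removed and 80 added lines are re-indentation, or to split that into its own commit.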
    diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index ae49193..fcca315 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -29,104 +29,106 @@ -

    Documentation - OpenSSL Self-signed Certificate Chain

    -

    This documentation contains the complete set of commands to create a new OpenSSL self-signed - certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included - in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or - unencrypted, with multiple encryption options; AES (aes128 or aes256) - is recommended. Optional verification can also be performed between multiple levels of - certificates to ensure the chain of trust is valid.

    -

    This documentation is also available in portable AsciiDoc format in my - documentation source code repository. -

    -

    Table of Contents

    - -
    -
    -

    Create Certificate Authority Key

    -

    openssl genrsa <encryption type> -out <CA key name>.pem <key size>

    -
    -
    -

    Verify Certificate Authority Key

    -

    openssl rsa -noout -text -in <CA key name>.pem

    -
    -
    -

    Create Certificate Authority Certificate

    -

    openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

    -
    -
    -

    Convert Certificate to PEM Format

    -

    openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

    -
    -
    -

    Verify Certificate Authority Certificate

    -

    openssl x509 -noout -text -in <CA certificate name>.pem

    -
    -
    -

    Create Intermediate Certificate Authority Key

    -

    openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> -

    -
    -

    Verify Intermediate Certificate Authority Key

    -

    openssl rsa -noout -text -in <intermediate CA key name>.pem

    -
    -
    -

    Create Intermediate Certificate Authority Signing Request

    -

    openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

    -
    -
    -

    Create Intermediate Certificate Authority Certificate

    -

    openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

    -
    -
    -

    Verify Intermediate Certificate Authority Certificate

    -

    openssl x509 -noout -text -in <intermediate CA certificate name>.pem

    -
    -
    -

    Verify Chain of Trust (CA to Intermediate)

    -

    openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

    -
    -
    -

    Create Server Key

    -

    openssl genrsa <encryption type> -out <server key name>.pem <key size>

    -
    -
    -

    Verify Server Key

    -

    openssl rsa -noout -text -in <server key name>.pem

    -
    -
    -

    Create Server Certificate Signing Request

    -

    openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

    -
    -
    -

    Create Server Certificate

    -

    openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

    -
    -
    -

    Verify Server Certificate

    -

    openssl x509 -noout -text -in <server certificate name>.pem

    -
    -
    -

    Verify Chain of Trust (Intermediate to Server)

    -

    openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

    -
    +
    +

    Documentation - OpenSSL Self-signed Certificate Chain

    +

    This documentation contains the complete set of commands to create a new OpenSSL self-signed + certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included + in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or + unencrypted, with multiple encryption options; AES (aes128 or aes256) + is recommended. Optional verification can also be performed between multiple levels of + certificates to ensure the chain of trust is valid.

    +

    This documentation is also available in portable AsciiDoc format in my + documentation source code repository. +

    +
    +

    Table of Contents

    + +
    +
    +

    Create Certificate Authority Key

    +

    openssl genrsa <encryption type> -out <CA key name>.pem <key size>

    +
    +
    +

    Verify Certificate Authority Key

    +

    openssl rsa -noout -text -in <CA key name>.pem

    +
    +
    +

    Create Certificate Authority Certificate

    +

    openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

    +
    +
    +

    Convert Certificate to PEM Format

    +

    openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

    +
    +
    +

    Verify Certificate Authority Certificate

    +

    openssl x509 -noout -text -in <CA certificate name>.pem

    +
    +
    +

    Create Intermediate Certificate Authority Key

    +

    openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> +

    +
    +

    Verify Intermediate Certificate Authority Key

    +

    openssl rsa -noout -text -in <intermediate CA key name>.pem

    +
    +
    +

    Create Intermediate Certificate Authority Signing Request

    +

    openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

    +
    +
    +

    Create Intermediate Certificate Authority Certificate

    +

    openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

    +
    +
    +

    Verify Intermediate Certificate Authority Certificate

    +

    openssl x509 -noout -text -in <intermediate CA certificate name>.pem

    +
    +
    +

    Verify Chain of Trust (CA to Intermediate)

    +

    openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

    +
    +
    +

    Create Server Key

    +

    openssl genrsa <encryption type> -out <server key name>.pem <key size>

    +
    +
    +

    Verify Server Key

    +

    openssl rsa -noout -text -in <server key name>.pem

    +
    +
    +

    Create Server Certificate Signing Request

    +

    openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

    +
    +
    +

    Create Server Certificate

    +

    openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

    +
    +
    +

    Verify Server Certificate

    +

    openssl x509 -noout -text -in <server certificate name>.pem

    +
    +
    +

    Verify Chain of Trust (Intermediate to Server)

    +

    openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

    +
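Review bot: under "Verify Chain of Trust (Intermediate to Server)", the command passes only the intermediate certificate as -CAfile, so openssl verify cannot build the chain up to a self-signed root and rejects the server certificate unless -partial_chain is given. The same line uses <server certificate>.pem where every other step uses <server certificate name>.pem. Suggest openssl verify -CAfile <CA certificate name>.pem -untrusted <intermediate CA certificate name>.pem <server certificate name>.pem, which checks the full chain from root to server.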
    From c662b4c696cbb6f01911d5d87045dd1ff1e910c1 Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 8 Oct 2023 08:42:48 +0100 Subject: [PATCH 09/15] Link to project readme for official documentation --- documentation/hardened_malloc.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index e6d69d3..d4dbcb5 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -39,7 +39,7 @@ documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and assumes the compiled library will be located in a path readable by all users of the system.

    For the complete hardened_malloc documentation, visit its - official documentation.

    + official documentation.

    This documentation is also available in portable AsciiDoc format in my documentation source code repository.

    From 30134a21a0c1ab86de48e0d19374c38b49cfab41 Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 8 Oct 2023 08:47:18 +0100 Subject: [PATCH 10/15] Move navigation bar to HTML body --- documentation/hardened_malloc.html | 30 +++++++++---------- .../openssl_selfsigned_certificate_chain.html | 30 +++++++++---------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index d4dbcb5..ee593f6 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -14,21 +14,21 @@ - - + +

    Documentation - GrapheneOS hardened_malloc

    This documentation contains instructions to use diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index fcca315..bfa76b9 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -14,21 +14,21 @@ - -

    + +

    Documentation - OpenSSL Self-signed Certificate Chain

    This documentation contains the complete set of commands to create a new OpenSSL self-signed From 1e4e4e0314e4b928f27d29a1c7ed90d13284e934 Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 8 Oct 2023 08:56:52 +0100 Subject: [PATCH 11/15] Fix line lengths to conform to code style --- documentation/hardened_malloc.html | 50 ++++++++++--------- .../openssl_selfsigned_certificate_chain.html | 15 +++--- 2 files changed, 35 insertions(+), 30 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index ee593f6..6cbed85 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -33,11 +33,12 @@

    Documentation - GrapheneOS hardened_malloc

    This documentation contains instructions to use GrapheneOS hardened_malloc - memory allocator as the system's default memory allocator. These instructions apply to both musl - and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used - per-application and/or per-user, in which case root permissions are not required; this - documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and - assumes the compiled library will be located in a path readable by all users of the system.

    + memory allocator as the system's default memory allocator. These instructions apply to + both musl and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can + also be used per-application and/or per-user, in which case root permissions are not + required; this documentation focuses on system-wide usage of hardened_malloc, assumes + root privileges, and assumes the compiled library will be located in a path readable by + all users of the system.

    For the complete hardened_malloc documentation, visit its official documentation.

    This documentation is also available in portable AsciiDoc format in my @@ -57,8 +58,9 @@

    Increase Permitted Amount of Memory Pages

    -

    Add vm.max_map_count = 1048576 to /etc/sysctl.conf - to accommodate hardened_malloc’s large amount of guard pages.

    +

    Add vm.max_map_count = 1048576 to + /etc/sysctl.conf to accommodate hardened_malloc’s large + amount of guard pages.

    Clone hardened_malloc Source Code
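Review bot: the reflowed sysctl sentence still only tells the reader to add vm.max_map_count = 1048576 to /etc/sysctl.conf; the value is not live until the next boot or until the file is reloaded, so a reader who continues to the preload step in the same session runs with the old limit. Suggest adding the apply command (sysctl -p) and a check (sysctl vm.max_map_count) to this step. While the line is being touched, "large amount of guard pages" reads better as "large number of guard pages".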

    @@ -71,25 +73,27 @@

    Compile hardened_malloc

    $ make <arguments>

    -

    CONFIG_N_ARENA=n can be adjusted to increase parallel - performance at the expense of memory usage, or decrease memory usage at the - expense of parallel performance, where n is an integer. Higher values - prefer parallel performance, lower values prefer lower memory usage. The number - of arenas has no impact on the security properties of hardened_malloc. +

    CONFIG_N_ARENA=n can be adjusted to increase + parallel performance at the expense of memory usage, or decrease memory + usage at the expense of parallel performance, where n is an + integer. Higher values prefer parallel performance, lower values prefer + lower memory usage. The number of arenas has no impact on the security + properties of hardened_malloc.

    • Minimum number of arenas: 1
    • Maximum number of arenas: 256
    -

    For extra security, CONFIG_SEAL_METADATA=true can be used in - order to control whether Memory Protection Keys are used to disable access to - all writable allocator state outside of the memory allocator code. It’s - currently disabled by default due to a significant performance cost for this use - case on current generation hardware. Whether or not this feature is enabled, the - metadata is all contained within an isolated memory region with high entropy - random guard regions around it.

    -

    For low-memory systems, VARIANT=light can be used to compile the - light variant of hardened_malloc, which sacrifices some security for much less - memory usage.

    +

    For extra security, CONFIG_SEAL_METADATA=true can be + used in order to control whether Memory Protection Keys are used to + disable access to all writable allocator state outside of the memory + allocator code. It’s currently disabled by default due to a significant + performance cost for this use case on current generation hardware. + Whether or not this feature is enabled, the metadata is all contained + within an isolated memory region with high entropy random guard regions + around it.

    +

    For low-memory systems, VARIANT=light can be used to + compile the light variant of hardened_malloc, which sacrifices some + security for much less memory usage.

    For all compile-time options, see the configuration section of hardened_malloc’s extensive official documentation.
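Review bot: in the CONFIG_SEAL_METADATA paragraph, "can be used in order to control whether Memory Protection Keys are used" describes the option as a toggle while the text is actually telling the reader to set it to `true`. Suggest "`CONFIG_SEAL_METADATA=true` enables the use of Memory Protection Keys to disable access to ...", and state that it needs a CPU with Memory Protection Keys support. In the same hunk, the `VARIANT=light` paragraph says it "sacrifices some security" without naming what is lost; a pointer to the upstream configuration section for the exact differences would let the reader make that choice knowingly.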

    diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index bfa76b9..56d8381 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -31,12 +31,13 @@

    Documentation - OpenSSL Self-signed Certificate Chain

    -

    This documentation contains the complete set of commands to create a new OpenSSL self-signed - certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included - in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or - unencrypted, with multiple encryption options; AES (aes128 or aes256) - is recommended. Optional verification can also be performed between multiple levels of - certificates to ensure the chain of trust is valid.

    +

    This documentation contains the complete set of commands to create a new OpenSSL + self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple + SANs can be included in a certificate by adding each domain as a comma-delimited string. + Each key can be encrypted or unencrypted, with multiple encryption options; AES + (aes128 or aes256) is recommended. Optional verification can + also be performed between multiple levels of certificates to ensure the chain of trust + is valid.

    This documentation is also available in portable AsciiDoc format in my documentation source code repository.
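Review bot: the re-wrapped introduction keeps "Each key can be encrypted or unencrypted" as two equal choices and only recommends a cipher. The CA and intermediate CA private keys sign everything below them in the chain, so suggest saying that those keys should be encrypted, and that an unencrypted key is acceptable only where a service has to load its key unattended.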

    From ee12864ce02a1757477b579221869fbcf1e87e2a Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 8 Oct 2023 08:59:37 +0100 Subject: [PATCH 12/15] Fix broken apostrophes --- documentation/hardened_malloc.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index 6cbed85..799c4d9 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -59,7 +59,7 @@

    Increase Permitted Amount of Memory Pages

    Add vm.max_map_count = 1048576 to - /etc/sysctl.conf to accommodate hardened_malloc’s large + /etc/sysctl.conf to accommodate hardened_malloc's large amount of guard pages.

    @@ -86,7 +86,7 @@

    For extra security, CONFIG_SEAL_METADATA=true can be used in order to control whether Memory Protection Keys are used to disable access to all writable allocator state outside of the memory - allocator code. It’s currently disabled by default due to a significant + allocator code. It's currently disabled by default due to a significant performance cost for this use case on current generation hardware. Whether or not this feature is enabled, the metadata is all contained within an isolated memory region with high entropy random guard regions @@ -96,7 +96,7 @@ security for much less memory usage.

    For all compile-time options, see the configuration section - of hardened_malloc’s extensive official documentation.

    + of hardened_malloc's extensive official documentation.

    Copy Compiled hardened_malloc Library

    From c9db4d01faf3351075fb9e64cae09061fbbc84c5 Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 8 Oct 2023 23:57:27 +0100 Subject: [PATCH 13/15] Add variable tags to variables --- documentation/hardened_malloc.html | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index 799c4d9..020e8f4 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -72,7 +72,7 @@

    Compile hardened_malloc

    -

    $ make <arguments>

    +

    $ make <arguments>

    CONFIG_N_ARENA=n can be adjusted to increase parallel performance at the expense of memory usage, or decrease memory usage at the expense of parallel performance, where n is an @@ -100,13 +100,15 @@

    Copy Compiled hardened_malloc Library

    -

    # cp out/libhardened_malloc.so <target path>

    +

    # cp out/libhardened_malloc.so <target path>

    Set System to Preload hardened_malloc on Boot

    -

    musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" +

    musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" to /etc/environment
    - glibc-based systems: Add <hardened_malloc path> to /etc/ld.so.preload

    + glibc-based systems: + Add <hardened_malloc path> to + /etc/ld.so.preload
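Review bot: the copy step `# cp out/libhardened_malloc.so <target path>` places no requirement on the target, yet the next section loads that file into every process through /etc/ld.so.preload or LD_PRELOAD. Suggest stating that the target directory and the file must be owned by root and not writable by group or others, while remaining readable by all users as the introduction assumes, because write access to that file is write access to every process that starts afterwards. It is also worth confirming that `out/libhardened_malloc.so` is still the right source path when the library was built with `VARIANT=light`, which the compile section documents.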

    From be584f0a30d2bbd189d7dc983ce5771fab748cfc Mon Sep 17 00:00:00 2001 From: inference Date: Tue, 10 Oct 2023 02:44:00 +0100 Subject: [PATCH 14/15] Switch to unordered list for libc preloading instructions --- documentation/hardened_malloc.html | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/documentation/hardened_malloc.html b/documentation/hardened_malloc.html index 020e8f4..ca8a2ec 100644 --- a/documentation/hardened_malloc.html +++ b/documentation/hardened_malloc.html @@ -5,7 +5,7 @@ - + @@ -104,11 +104,16 @@

    Set System to Preload hardened_malloc on Boot

    -

    musl-based systems: Add export LD_PRELOAD="<hardened_malloc path>" - to /etc/environment
    - glibc-based systems: - Add <hardened_malloc path> to - /etc/ld.so.preload

    +

    +

      +
    • musl-based systems: Add + export LD_PRELOAD="<hardened_malloc path>" + to /etc/environment
    • +
    • glibc-based systems: + Add <hardened_malloc path> to + /etc/ld.so.preload
    • +
    +
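Review bot: the musl list item relies on `export LD_PRELOAD="<hardened_malloc path>"` in /etc/environment, which does not deliver what the section title "Set System to Preload hardened_malloc on Boot" promises. An environment variable only reaches processes that inherit it from a session which reads /etc/environment, so services started by the init system before any login keep the default allocator, and the dynamic loader ignores LD_PRELOAD for setuid programs. Suggest stating that limitation in the musl item so readers do not assume the same coverage as the glibc /etc/ld.so.preload entry.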

    From 4a3a2dbf60208edb6a356273dd2a93f1bca06918 Mon Sep 17 00:00:00 2001 From: inference Date: Thu, 12 Oct 2023 14:19:40 +0100 Subject: [PATCH 15/15] Fix broken anchor --- documentation/openssl_selfsigned_certificate_chain.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index 56d8381..eab8dd0 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -5,7 +5,7 @@ - + @@ -51,7 +51,7 @@
  • Verify Certificate Authority Certificate
  • Create Intermediate Certificate Authority Key
  • Verify Intermediate Certificate Authority Key
  • -
  • Create Intermediate Certificate Signing Request
  • +
  • Create Intermediate Certificate Signing Request
  • Create Intermediate Certificate Authority Certificate
  • Verify Intermediate Certificate Authority Certificate
  • Verify Chain of Trust (CA to Intermediate)