Introducing Sulka, the Hardened Yocto Distro

For years I have been telling myself that it’s a bit too much for a single person to try and manage a distro, but now I think it’s time to give it a go. I’ve been working with Yocto for years at this point, and I have some idea what maintaining a Yocto distro requires. I’m not sure if I’m at the “Peak of Mount Stupid” or “Plateau of Sustainability” on the Dunning-Kruger curve, but let’s not worry about that too much yet.

My idea is to create a secure Yocto distribution that is free to use, “quite” “simple” and perhaps at times frustratingly hardened (but all for the good cause). I named it Sulka, more on the name a bit later. You can find the current version in this repository (no tagged releases yet). I am somewhat hopeful it will be easier to manage a Yocto distribution because it is a much narrower target than a general purpose distro like Ubuntu. And because it’s security-oriented, I can remove a lot of features, making it even simpler.

To answer the age-old question, “Should I cut this feature or not”, the answer is hopefully obvious.

Existing Alternatives

There are a few secure alternatives to Yocto’s default reference distribution Poky. Wind River Linux is a common commercial solution. I also found The Embedded Kit Welma and TimeSys VigiShield when doing some research on the topic, but I’m personally not familiar with these two. The Yocto meta-layer meta-security has this meta-hardening sub-layer that contains a good hardening distro as well.

All in all, my idea is not really completely unique. But I thought that it’d be interesting to apply the learnings from my Yocto Hardening blog series into something actually useful. Sulka is also free and open-source, so it’s a bit different in that sense compared to the commercial solutions. A closer comparison would be with the open-source meta-hardening layer, but I hope that by developing this stuff on my repo I can move faster and add features that might not necessarily fit the generic security repo.

Of course, I know that something being “free” isn’t the selling point, because the price of the commercial solutions comes from the promised long-term support, not from the distro itself. Any fool can create a distro, but it takes an actual professional to maintain a distro for 10 years. And yes, I’m the fool in this scenario. But let’s see in 10 years.

Maintaining a Linux distro is a great way to maintain a youthful look, thick hair, and a clear mind.

More Bragging

As mentioned, Yocto already has a distro named Poky. However, as it is the official reference distribution, it has to be quite easy to build and get started with. Also, as it supports multiple different reference hardware and use cases, it cannot be fully minimized. It’s good for what it’s supposed to be, a tool for starting, but after that, it becomes a bit of a security risk. Poky even mentions in the login message that it should not be used in production. I mean, by default, passwordless root login is possible, which is good for getting familiar with the system, but bad for everything else.

Can Sulka be used in production builds then? Well, I don’t know, I don’t think anyone besides me has used it in anything, and even I’ve been running it mostly in QEMU. But the idea is to create a minimal distribution that is hardened by default, so it is a step up from Poky security-wise. Sulka is currently pretty much a drop-in replacement, so if you want to give it a try, it should be simple if you’re somewhat familiar with Yocto. There are a few variables to configure, but these are covered in the README.

Features

Currently, (at least) the following features are in place:

  • Firewall that drops everything
  • A non-root service user with optional sudo permissions
  • If SSH is enabled, harden configuration and enforce certificate sign-ins (for OpenSSH)
  • Check for dangerous IMAGE_FEATURES like debug-tweaks
  • Kernel hardening (still ongoing)
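To make the IMAGE_FEATURES item concrete, here is an added sketch of such a check (my illustration, not code from meta-sulka-distro). It approximates BitBake's assignment operators over a constructed configuration fragment; the function names and the feature list beyond debug-tweaks are assumptions.

```python
import re

# "debug-tweaks" is the feature named in the list above; the other entries are an
# assumed policy of related root-login features from Yocto's image feature set.
DANGEROUS = {"debug-tweaks", "allow-empty-password", "allow-root-login",
             "empty-root-password", "serial-autologin-root"}

ASSIGN = re.compile(
    r'^\s*(EXTRA_IMAGE_FEATURES|IMAGE_FEATURES)'
    r'(?::(append|prepend|remove))?\s*'
    r'(\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"([^"]*)"')

def effective_features(conf_text):
    """Approximate the final feature set from BitBake-style assignments."""
    values, removed = {}, {}   # per variable: assigned features, :remove targets
    for line in conf_text.splitlines():
        m = ASSIGN.match(line)  # lines starting with '#' never match
        if not m:
            continue
        var, override, op, raw = m.groups()
        feats = set(raw.split())
        if override == "remove":
            removed.setdefault(var, set()).update(feats)
        elif override or op in ("+=", "=+", ".=", "=."):
            values.setdefault(var, set()).update(feats)
        elif op in ("?=", "??="):
            values.setdefault(var, feats)   # default: only if still unset
        else:                               # "=" and ":=" replace the value
            values[var] = feats
    # Assumption: EXTRA_IMAGE_FEATURES is folded into IMAGE_FEATURES, and a
    # :remove only affects the variable it was written against.
    extra = values.get("EXTRA_IMAGE_FEATURES", set()) - removed.get("EXTRA_IMAGE_FEATURES", set())
    image = values.get("IMAGE_FEATURES", set()) | extra
    return image - removed.get("IMAGE_FEATURES", set())

def dangerous_features(conf_text):
    return sorted(effective_features(conf_text) & DANGEROUS)

# Constructed sample configuration, not taken from Sulka or Poky.
SAMPLE_CONF = '''
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_FEATURES:append = " allow-root-login"
IMAGE_FEATURES:remove = "debug-tweaks"
'''

if __name__ == "__main__":
    print(dangerous_features(SAMPLE_CONF))
```

In the sample, removing debug-tweaks is not enough on its own: the separately appended allow-root-login is still reported.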

More stuff is being constantly pushed, and I think this list is a bit outdated already. Things are still moving fast, so integrating the distro is a bit of a moving target, but I’m currently trying to keep the disruptions minimal. Still, every now and then there will be breaking changes until the 1.0.0 release, which is still quite far away on the horizon. However, I wanted to start making noise about Sulka before that to gauge the interest a bit.

One thing that is missing is the documentation (and testing). There is a quick start section in the README that shows how to build and configure the distro, but perhaps some features could be better documented. The firewall is one example, as it currently has to be configured to do anything useful. Overriding kernel configurations is tricky as well if you’re not too familiar with Yocto.

I’m kind of hoping that in the future this will grow into something even more interesting, but let’s see. One step at a time. Sulka focuses on the distribution part of the system hardening, meaning in practice the Linux kernel and user space hardening. This leaves out things like the boot flow hardening which is crucial from the complete system security point of view. However, the distro part is quite generic without many board-specific features, so it is easy to start out with that. Perhaps in the future, there will be a whole secure reference implementation, but that is a bit of a pipe dream at the moment.

About Name

What does the name mean then? I know it’s a bit of a risky move to choose a non-English word for a name, but at least in Finnish “sulka” means “feather”. It is also kind of a wordplay on “sulautetut järjestelmät” which means “embedded systems” in Finnish. And Sulka is a five-letter word, I have heard that is the most important thing when naming something. Now I’m just waiting for someone to tell me it means ****, *** ******, or even *** ****** ** ****** in their language.

The End of a Beginning

That’s all for now. If you end up giving this distro a try or actually using it somewhere, I’d love to hear about it. The beginning of a new project is always a bit discouraging when you push stuff and have no idea if it’s any use for anyone. Also knowing that someone uses the distro forces me to think a bit more about the backwards compatibility etc. If you have some hardening features you’d like to see in Sulka, please open an issue in the repo, send me a message on LinkedIn, or try smoke signals. It’d be great to hear about security features I may have missed. Thanks for reading!

And in case you missed the half a dozen links to the meta-sulka-distro, here’s the link one more time.
