Add copyright and licensing header

README.md

@@ -1,33 +0,0 @@
-# Documentation
-Inferencium documentation.<br>
-<br>
-## Licensing
-All content is licensed under <a href="https://git.inferencium.net/Inferencium/doc/src/branch/stable/license/CC-BY-4.0.txt">Creative Commons Attribution 4.0 International</a> license.<br>
-<br>
-## Security
-All files are checked for security issues; however, it is always the user's responsibility to
-audit the code before installing and/or executing it.<br>
-<br>
-Inferencium takes no responsibility for any security issues which may arise due to usage of this
-repository.<br>
-<br>
-## Branches
-### <a href="https://git.inferencium.net/Inferencium/doc/src/branch/main/">main</a>
-Documentation root directory files pre-alpha development and alpha testing occurs in this
-branch.<br>
-Feature-complete modifications of this branch are merged to beta branch for beta testing.<br>
-<br>
-### <a href="https://git.inferencium.net/Inferencium/doc/src/branch/license/">license</a>
-Documentation license files pre-alpha and alpha testing occurs in this branch.<br>
-Feature-complete modifications of this branch are merged to beta branch for beta testing.<br>
-<br>
-### <a href="https://git.inferencium.net/Inferencium/doc/src/branch/beta/">beta</a>
-Feature-complete beta testing of merged code from development branches occurs in this branch.<br>
-Merges from development branches to this branch are squashed, and the updated versions of the
-individual files are mentioned in the commit messages.<br>
-<br>
-### <a href="https://git.inferencium.net/Inferencium/doc/src/branch/stable/">stable</a>
-Feature-complete and tested versions from beta branch are stored in this branch.<br>
-Merges from beta branch to this branch are squashed, and the updated versions of the individual
-files are mentioned in the commit messages.<br>
-This branch contains code used in production.

security/hardened_malloc.adoc

@@ -0,0 +1,64 @@
+= GrapheneOS hardened_malloc
+
+// Copyright 2023 Jake Winters
+// SPDX-License-Identifier: CC-BY-4.0
+
+Version: 0.1.1.13
+
+
+This documentation contains instructions to use
+https://github.com/GrapheneOS/hardened_malloc[GrapheneOS hardened_malloc] memory allocator as the
+system's default memory allocator. These instructions apply to both musl and glibc C libraries on
+Unix-based and Unix-like systems. hardened_malloc can also be used per-application and/or per-user,
+in which case root permissions are not required; this documentation focuses on system-wide usage
+of hardened_malloc, assumes root privileges, and assumes the compiled library will be located in a
+path readable by all users of the system.
+
+
+== Increase Permitted Amount of Memory Pages
+
+Add `vm.max_map_count = 1048576` to `/etc/sysctl.conf` to accommodate hardened_malloc's large amount
+of guard pages.
+
+== Clone hardened_malloc Source Code
+
+`$ git clone https://github.com/GrapheneOS/hardened_malloc.git`
+
+== Enter hardened_malloc Local Git Repository
+
+`$ cd hardened_malloc/`
+
+== Compile hardened_malloc
+
+`$ make <arguments>`
+
+`CONFIG_N_ARENA=n` can be adjusted to increase parallel performance at the expense of memory usage,
+or decrease memory usage at the expense of parallel performance, where `n` is an integer. Higher
+values prefer parallel performance, lower values prefer lower memory usage. The number of arenas has
+no impact on the security properties of hardened_malloc.
+
+* Minimum number of arenas: 1
+* Maximum number of arenas: 256
+
+For extra security, `CONFIG_SEAL_METADATA=true` can be used in order to control whether Memory
+Protection Keys are used to disable access to all writable allocator state outside of the memory
+allocator code. It's currently disabled by default due to a significant performance cost for this
+use case on current generation hardware. Whether or not this feature is enabled, the metadata is all
+contained within an isolated memory region with high entropy random guard regions around it.
+
+For low-memory systems, `VARIANT=light` can be used to compile the light variant of hardened_malloc,
+which sacrifices some security for much less memory usage.
+
+For all compile-time options, see the
+https://github.com/GrapheneOS/hardened_malloc#configuration[configuration section] of
+hardened_malloc's extensive official documentation.
+
+== Copy Compiled hardened_malloc Library
+
+`# cp out/libhardened_malloc.so <target_path>`
+
+== Set System to Preload hardened_malloc on Boot
+
+musl-based systems: Add `export LD_PRELOAD="<hardened_malloc_path>"` to `/etc/environment` +
+ +
+glibc-based systems: Add `<hardened_malloc_path>` to `/etc/ld.so.preload`

security/openssl_selfsigned_certificate_chain.adoc

@@ -0,0 +1,83 @@
+= OpenSSL Self-signed Certificate Chain
+
+// Copyright 2023 Jake Winters
+// SPDX-License-Identifier: CC-BY-4.0
+
+Version: 0.0.5.14
+
+
+This documentation contains the complete set of commands to create a new OpenSSL self-signed
+certificate chain with V3 subjectAltName (SAN) extensions enabled.
+Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string.
+Each key can be encrypted or unencrypted, with multiple encryption options; AES is recommended.
+Optional verification can also be performed between multiple levels of certificates to ensure the
+chain of trust is valid.
+
+
+== Create Certificate Authority Key
+
+`openssl genrsa -aes256 -out ca-key.pem 4096`
+
+== Verify Certificate Authority Key
+
+`openssl rsa -noout -text -in ca-key.pem`
+
+== Create Certificate Authority Certificate
+
+`openssl req -new -x509 -days 3653 -extensions v3_ca -key ca-key.pem -out ca-crt.pem`
+
+== Convert Certificate to PEM Format
+
+`openssl x509 -in ca-crt.pem -out ca-crt.pem -outform PEM`
+
+== Verify Certificate Authority Certificate
+
+`openssl x509 -noout -text -in ca-crt.pem`
+
+== Create Intermediate Certificate Authority Key
+
+`openssl genrsa -aes256 -out intermediate-key.pem 4096`
+
+== Verify Intermediate Certificate Authority Key
+
+`openssl rsa -noout -text -in intermediate-key.pem`
+
+== Create Intermediate Certificate Signing Request
+
+`openssl req -new -sha256 -key intermediate-key.pem -out intermediate-csr.pem`
+
+== Create Intermediate Certificate Authority Certificate
+
+`openssl ca -config intermediate.conf -extensions v3_intermediate_ca -days 1096 -notext -md sha256 -in intermediate-csr.pem -out intermediate-crt.pem`
+
+== Verify Intermediate Certificate Authority Certificate
+
+`openssl x509 -noout -text -in intermediate-crt.pem`
+
+== Verify Chain of Trust (CA to Intermediate)
+
+`openssl verify -CAfile ca-crt.pem intermediate-crt.pem`
+
+== Create Server Key
+
+`openssl genrsa -aes256 -out server-key.pem 2048`
+
+== Verify Server Key
+
+`openssl rsa -noout -text -in server-key.pem`
+
+== Create Server Cerificate Signing Request
+
+`openssl req -new -sha256 -subj "/C=/ST=/L=/O=/CN=" -addext "subjectAltName = DNS.1:" -key server-key.pem -out server-csr.pem`
+
+== Create Server Certificate
+
+`openssl x509 -sha256 -req  -days 365 -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out server-crt.pem`
+
+== Verify Server Certificate
+
+`openssl x509 -noout -text -in server-crt.pem`
+
+== Verify Chain of Trust (Intermediate to Server)
+
+`openssl verify -CAfile intermediate-crt.pem server-crt.pem`

security/security_levels.adoc

@@ -0,0 +1,71 @@
+= Security Levels
+
+// Copyright 2023 Jake Winters
+// SPDX-License-Identifier: CC-BY-4.0
+
+Version: 1.0.2.7
+
+
+== S0
+
+Intended access: Public
+
+Encryption: None
+
+Signing: Optional
+
+== S1
+
+Intended access: Authorised users of S1 or lower security levels
+
+Encryption: Enforced
+
+Signing: Enforced
+
+Permitted symmetrical encryption ciphers (order of preference):
+
+* AES
+* ChaCha20*
+* Twofish
+
+== S2
+
+Intended access: Authorised users of S2 or lower security levels
+
+Encryption: Enforced
+
+Signing: Enforced
+
+Permitted symmetrical encryption ciphers (order of preference):
+
+* AES
+* ChaCha20*
+* Twofish
+
+== S3
+
+Intended access: Authorised users of s3 or lower security levels
+
+Encryption: Enforced
+
+Signing: Enforced
+
+Permitted symmetrical encryption ciphers (order of preference):
+
+* AES
+* ChaCha20*
+
+== S4
+
+Intended access: Authorised users of s4 or lower security levels
+
+Encryption: Enforced
+
+Signing: Enforced
+
+Permitted symmetrical encryption ciphers (order of preference):
+
+* AES
+* ChaCha20*
+
+*Preferred when hardware-accelerated AES is unavailable.