plague-kernel/README.md


2022-04-20 20:10:27 +00:00
### Install dependencies
- `xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel perl`
### Steps to create
- `export KVER=<patch level>` # the y in 5.10.y; the linux-hardened tag being built is 5.10.$KVER-hardened1
- `cd /usr/src/`
- `/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10."$KVER"-hardened1.tar.gz"`
- `tar -xvf 5.10."$KVER"-hardened1.tar.gz`
- `cd linux-hardened-5.10."$KVER"-hardened1` # GitHub tag archives unpack to `<repo>-<tag>`; confirm the name with `tar -tf 5.10."$KVER"-hardened1.tar.gz | head -n1` if in doubt
- `wget -O .config https://git.arrr.cloud/whichdoc/plague-kernel/-/raw/main/5.10-hardened.config` # capital `-O` writes the download to `.config`; lowercase `-o` only redirects wget's log, so the config would never reach the tree
- `make oldconfig` # prompts for every symbol this tree has that the downloaded config does not mention; `make listnewconfig` shows that list first without prompting
- `make menuconfig` # (if any changes are required)
- `make --jobs=4` # start compiling with your number of allocated threads (e.g. `--jobs="$(nproc)"`)
- `make modules_install` # installs into /lib/modules/<release>, where <release> is what `make -s kernelrelease` prints: 5.10.$KVER-hardened1 plus the `_1` suffix (presumably CONFIG_LOCALVERSION in the supplied config)
- `cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-5.10."$KVER"-hardened1_1 && dracut --kver 5.10."$KVER"-hardened1_1 --force` # `--kver` must match the /lib/modules directory name exactly, or dracut has no modules to pack
- `grub-mkconfig -o /boot/grub/grub.cfg`
- `xbps-reconfigure -fa`
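The same procedure as one script, added here as an example; it is not a file from the plague-kernel repository or the PlagueOS installer. It assumes a Void Linux x86_64 host with dracut and GRUB, root privileges for the install steps, the download URLs listed above, and that the supplied config's LOCALVERSION produces the `_1` suffix used in the steps. It swaps the interactive `oldconfig` for `listnewconfig` followed by `olddefconfig`, so new symbols are displayed before their defaults are accepted, and it adds two checks the bare steps lack: the tarball's actual top-level directory is read from the archive rather than assumed, and the release string handed to `dracut --kver` is compared with what the configured tree reports through `make -s kernelrelease`. The `CONFIG_SHA256` pin is optional and is this example's own addition, since TLS authenticates the host and not the file.

```shell
#!/bin/sh
# build-plague-kernel.sh -- added example, not a file from the plague-kernel
# repository or the PlagueOS installer. Runs the steps above end to end with
# the checks that catch the usual mistakes: the tarball's real top-level
# directory, symbols the downloaded config does not know about, and a dracut
# --kver that does not match the /lib/modules/<release> modules_install made.
# Assumes: Void Linux on x86_64, dracut + GRUB, root for the install steps, and
# that the supplied config's LOCALVERSION yields the "_1" suffix seen above.
set -eu

SRC_ROOT=/usr/src
CONFIG_URL=https://git.arrr.cloud/whichdoc/plague-kernel/-/raw/main/5.10-hardened.config
# Optional: pin the config's sha256 once you have reviewed it. TLS only
# authenticates the host, not that you got the same file as last time.
CONFIG_SHA256=${CONFIG_SHA256:-}

# First path component of the first entry in a tarball: the directory it
# unpacks into. GitHub tag archives use <repo>-<tag>, but checking beats guessing.
top_level_dir() {
    tar -tf "$1" | head -n1 | cut -d/ -f1
}

# Release string the build should report: 5.10.<patch>-hardened1 plus the
# LOCALVERSION suffix (default "_1", the assumption stated above).
expected_release() {
    printf '5.10.%s-hardened1%s\n' "$1" "${2:-_1}"
}

# Refuse to continue if the tree's own kernelrelease differs from the name we
# are about to give dracut and the vmlinuz file.
check_release() {
    expected=$1; actual=$2
    if [ "$expected" != "$actual" ]; then
        echo "release mismatch: expected $expected, tree reports $actual" >&2
        return 1
    fi
    return 0
}

build() {
    kver=$1
    tag="5.10.${kver}-hardened1"
    cd "$SRC_ROOT"
    curl --tlsv1.3 --proto =https -L -O \
        --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/${tag}.tar.gz"
    srcdir=$(top_level_dir "${tag}.tar.gz")
    tar -xf "${tag}.tar.gz"
    cd "$srcdir"

    # -O writes the body to .config; lowercase -o would only redirect wget's log.
    wget -O .config "$CONFIG_URL"
    if [ -n "$CONFIG_SHA256" ]; then
        echo "${CONFIG_SHA256}  .config" | sha256sum -c -
    fi

    # Show which symbols the config does not mention before olddefconfig
    # silently takes their defaults; a new hardening knob defaulting to "n"
    # is exactly the kind of thing this page exists to catch.
    make listnewconfig
    make olddefconfig

    release=$(make -s kernelrelease)
    check_release "$(expected_release "$kver")" "$release"

    make --jobs="$(nproc)"
    make modules_install                       # creates /lib/modules/$release
    cp arch/x86_64/boot/bzImage "/boot/vmlinuz-${release}"
    dracut --kver "$release" --force           # same name, so modules are found
    grub-mkconfig -o /boot/grub/grub.cfg
    xbps-reconfigure -fa
}

# usage: ./build-plague-kernel.sh <patch level>   (the y in 5.10.y)
if [ $# -ge 1 ]; then
    build "$1"
fi
```

Run it as `./build-plague-kernel.sh <patch level>`; with no argument it only defines the functions, so `top_level_dir`, `expected_release` and `check_release` can be sourced and used on their own when debugging an existing install.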
### Steps to import/configure release
- Built into PlagueOS installer
### Troubleshooting:
- `lsinitrd -v /boot/initramfs-5.10."$KVER"-hardened1_1.img` # lists what dracut packed into the initramfs, which is the first place to look when the new kernel cannot find its root filesystem
- Check that `/lib/modules/` contains a directory named exactly as the `--kver` given to dracut (5.10."$KVER"-hardened1_1 in the steps above); dracut refuses to build an initramfs for a release that has no module directory. The running kernel looks its modules up under /lib/modules/$(uname -r), so that directory and the initramfs must be built for the release string the kernel itself reports (`make -s kernelrelease` in the source tree), whatever the vmlinuz file is called.
#### Additional Resources:
- https://www.kernel.org/doc/html/v5.10/
- https://github.com/Whonix/hardened-kernel
- https://docs.clip-os.org/clipos/kernel.html
- https://github.com/anthraxx/linux-hardened
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
- https://notabug.org/anonymous-lestat/Void-Hardened-Kernel
- https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel
### Trimming Efforts
- The linux-hardened patchset and the kernel configuration are the visible hardening in this project, but its core purpose was to practice minimalism: build only as much of the kernel as the target needs and cut attack surface that way. That is hard to quantify directly, so the compressed size is shown purely as a point of comparison; it is a rough proxy, since size says nothing about which of that code is reachable at runtime.

| |PlagueOS (plague-kernel) |Whonix (LTS)|
|--- | --- | ---|
|Size (compressed)|159.2 MB |285.6 MB|
### Current kconfig-hardened-check results
Output of kconfig-hardened-check run against the 5.10-hardened.config. `Desired Value` is what the recommendation set named in `Source` asks for (the kernel defconfig, KSPP, CLIP OS, grsecurity, the lockdown LSM, kernel maintainers, GrapheneOS, or the tool author's own recommendations, `my`), `Reason` is the tool's category, and `Result` is the verdict. `OK: not found` means the symbol does not exist in this tree at all, which satisfies an `is not set` rule; `OK: CONFIG_X "..."` means another option makes the rule moot (CONFIG_STRICT_DEVMEM has nothing to restrict once CONFIG_DEVMEM is not built).
#### Successes
Option | Desired Value | Source | Reason | Result |
|--- | --- | --- | --- | --- |
CONFIG_BUG | y |defconfig | self_protection | OK
CONFIG_GCC_PLUGINS | y |defconfig | self_protection | OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK
CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | OK: version >= 5.5
CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK
CONFIG_VMAP_STACK | y |defconfig | self_protection | OK
CONFIG_MICROCODE | y |defconfig | self_protection | OK
CONFIG_RETPOLINE | y |defconfig | self_protection | OK
CONFIG_X86_SMAP | y |defconfig | self_protection | OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK
CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | OK
CONFIG_DEBUG_WX | y | kspp | self_protection | OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK
CONFIG_DEBUG_LIST | y | kspp | self_protection | OK
CONFIG_DEBUG_SG | y | kspp | self_protection | OK
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | OK
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK
CONFIG_MODULE_SIG | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | OK
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | OK: CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y"
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | OK
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | OK
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | OK
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | OK
CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | OK
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | OK
CONFIG_KEXEC | is not set | kspp | cut_attack_surface | OK
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | OK
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | OK
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | OK
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | OK
CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | OK
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | OK
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | OK
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | OK
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | OK
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | OK
CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | OK
CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | OK
CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | OK
CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK
CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK
CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK
CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_BLK_DEV_FD | is not set |maintainer| cut_attack_surface | OK
CONFIG_AIO | is not set |grapheneos| cut_attack_surface | OK
CONFIG_STAGING | is not set | clipos | cut_attack_surface | OK
CONFIG_KSM | is not set | clipos | cut_attack_surface | OK
CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | OK
CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | OK
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | OK
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK
CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | OK
CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | OK
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK: not found
CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | OK
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | OK
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | OK: not found
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | OK: not found
CONFIG_IP_DCCP | is not set | my | cut_attack_surface | OK
CONFIG_FTRACE | is not set | my | cut_attack_surface | OK
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | OK: not found
CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | OK
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | OK
CONFIG_IP_SCTP | is not set | my | cut_attack_surface | OK
#### Fails
Two of these are best read against the rest of the page: CONFIG_MODULES is `y` because the build installs loadable modules (`make modules_install` above), with CONFIG_MODULE_SIG_FORCE=y and the other CONFIG_MODULE_SIG_* rows in the Successes table requiring every loaded module to carry a valid signature; and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is `not found` because per-syscall kernel stack offset randomization only entered mainline in 5.13, so no 5.10 config can satisfy that rule.
Option | Desired Value | Source | Reason | Result |
|--- | --- | --- | --- | --- |
CONFIG_SLUB_DEBUG | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_X86_UMIP | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found
CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found
CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y"
```
Totals: 'OK' - 148 / 'FAIL' - 16
```
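A small checker in the spirit of the tables above, added here as an example; it is neither kconfig-hardened-check nor anything from the plague-kernel repository. It reads a `.config`, classifies each symbol as a value (`y`, `m`, a number or string), `is not set`, or `not found`, and evaluates rules written in the tables' own form, including the two special verdicts seen above: `OK: not found` for an `is not set` rule whose symbol does not exist in the tree, and `OK: CONFIG_X "..."` when another symbol makes the rule moot. The `.config` it runs on is constructed for the demonstration; point `SAMPLE` at a real tree's `.config` and feed `run_rules` the Option and Desired Value columns from the tables to check a build of your own.

```shell
# check-hardened-config.sh -- added example; not kconfig-hardened-check and not
# part of plague-kernel. Evaluates a .config against rules written the way the
# tables above are (OPTION, desired value, optional "or this other symbol has
# this value" escape hatch) and prints verdicts in the same vocabulary.
set -eu

# Print a symbol's state in a .config: its value (y, m, a number or string),
# "is not set" (Kconfig writes disabled bools as "# CONFIG_FOO is not set"),
# or "not found" when the symbol does not occur at all, i.e. does not exist in
# this kernel tree.
cfg_value() {
    file=$1; opt=$2
    if grep -q "^${opt}=" "$file"; then
        sed -n "s/^${opt}=//p" "$file" | head -n1
    elif grep -q "^# ${opt} is not set\$" "$file"; then
        echo "is not set"
    else
        echo "not found"
    fi
}

# check_opt FILE OPTION WANT [ALT_OPTION ALT_WANT]
# Prints one table-style line and returns 0 for OK, 1 for FAIL. The optional
# pair makes a rule pass when another symbol renders it moot, e.g.
# CONFIG_IO_STRICT_DEVMEM=y has nothing to protect once CONFIG_DEVMEM is out.
check_opt() {
    file=$1; opt=$2; want=$3; alt=${4:-}; altwant=${5:-}
    have=$(cfg_value "$file" "$opt")
    if [ "$have" = "$want" ]; then
        echo "$opt | $want | OK"; return 0
    fi
    # A symbol absent from the tree cannot be enabled, so "not found"
    # satisfies an "is not set" rule (the "OK: not found" rows above).
    # It does NOT satisfy a "y" rule: missing hardening is still missing.
    if [ "$want" = "is not set" ] && [ "$have" = "not found" ]; then
        echo "$opt | $want | OK: not found"; return 0
    fi
    if [ -n "$alt" ] && [ "$(cfg_value "$file" "$alt")" = "$altwant" ]; then
        echo "$opt | $want | OK: $alt \"$altwant\""; return 0
    fi
    echo "$opt | $want | FAIL: \"$have\""; return 1
}

# Read rules from stdin, one per line: OPTION WANT [ALT_OPTION ALT_WANT],
# with is_not_set standing in for "is not set"; print verdicts and totals.
run_rules() {
    file=$1; ok=0; fail=0
    while read -r opt want alt altwant; do
        [ -n "$opt" ] || continue
        want=$(printf '%s' "$want" | sed 's/is_not_set/is not set/')
        altwant=$(printf '%s' "$altwant" | sed 's/is_not_set/is not set/')
        if check_opt "$file" "$opt" "$want" "$alt" "$altwant"; then
            ok=$((ok + 1))
        else
            fail=$((fail + 1))
        fi
    done
    echo "Totals: 'OK' - $ok / 'FAIL' - $fail"
}

# Constructed sample .config for the demonstration (not the project's
# 5.10-hardened.config); replace with the path to a real tree's .config.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVMEM is not set
# CONFIG_DEVKMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_X86_CPUID=m
EOF

# Rules taken from the tables above, in the checker's input form.
run_rules "$SAMPLE" <<'EOF'
CONFIG_MODULE_SIG_FORCE y
CONFIG_MODULES is_not_set
CONFIG_IO_STRICT_DEVMEM y CONFIG_DEVMEM is_not_set
CONFIG_DEVKMEM is_not_set
CONFIG_ACPI_CUSTOM_METHOD is_not_set
CONFIG_DEFAULT_MMAP_MIN_ADDR 65536
CONFIG_X86_CPUID is_not_set
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT y
EOF
```

On the sample this reports five OK and three FAIL: CONFIG_MODULES and CONFIG_X86_CPUID fail on their actual values, and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT fails as `not found`, because the checker only lets an absent symbol satisfy an `is not set` rule, never a `y` rule, which is the same distinction the tool draws in the two tables above.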