Distro-agnostic self-compilation script added | linux_virt_hardened config added (works with Whonix / Kicksecure) | Phased out 5.10 config

2024-03-01 17:06:58 +00:00 · 2024-03-01 17:06:58 +00:00 · d2db61fc7f
parent 23abf3867b
commit d2db61fc7f
3 changed files with 4997 additions and 7453 deletions
--- a/5.10-hardened.config
+++ b/5.10-hardened.config
--- a/linux_virt_hardened.config
+++ b/linux_virt_hardened.config
--- a/self_compilation.sh
+++ b/self_compilation.sh
@ -0,0 +1,100 @@
+#!/bin/bash
+## Script is designed to streamline the self-compilation process for the end-user. 
+## This entails staging linux-hardened, pulling PlagueOS kernel configuration, fingerprinting hardware, then compiling the minimalist kernel. 
+## Main benefit of self-compilation is you are not reliant on the upstream hardened configuration that must support various classes of hardware.
+### This kernel is your own. 
+
+# Ensure /boot is writeable
+mount -o remount,rw /boot
+
+# Set Kernel Version (KVER)
+function set_kver() {
+    echo "Enter the kernel version to use (e.g., '6.6.18-hardened1'):"
+    while true; do
+        read -e -i "${KVER:-}" -p "" KVER
+        if [[ $(echo $KVER | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-hardened1)$') == '' ]]; then
+            echo "Invalid format.";
+        else
+            break;
+        fi
+    done
+}
+
+# Invoke function to prompt end-user for desired version (must be an active release in the Anthraxx Linux-Hardened repository)
+set_kver
+
+# Dependencies
+declare -A osInfo
+osInfo[/etc/void-release]="xbps"
+osInfo[/etc/fedora-release]="dnf"
+osInfo[/etc/debian_version]="apt-get"
+
+echo "Package manager: $package_manager"
+
+for f in ${!osInfo[@]}
+do
+    if [[ -f $f ]]; then
+        package_manager=${osInfo[$f]}
+        if [[ $package_manager == "xbps" ]]; then
+            xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel perl
+        elif [[ $package_manager == "dnf" ]]; then
+            sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
+              /usr/bin/{bc,bison,flex,gcc,git,openssl,make,perl,pahole,zstd}
+        elif [[ $package_manager == "apt-get" ]]; then
+            sudo apt-get install build-essential linux-source bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison
+        fi
+    fi
+done
+
+
+# Staging w/ error handling
+# Pull down Anthraxx linux-hardened upstream
+if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
+	/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"
+fi
+
+if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
+	tar -xf "$KVER".tar.gz -C /usr/src/
+fi
+
+cd /usr/src/linux-hardened-"$KVER"
+
+# Pull down plague kconfig
+wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.18-hardened1.config -O .config
+make localmodconfig
+# make menuconfig # if tweaks are desired
+
+# compile
+make -j $(nproc --all)
+make modules_install INSTALL_MOD_STRIP=1 install
+
+# Re-determine via osInfo commands needed
+for f in ${!osInfo[@]}
+do
+    if [[ -f $f ]]; then
+        package_manager=${osInfo[$f]}
+        if [[ $package_manager == "xbps" ]]; then
+                cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
+	            dracut --kver "$KVER" --force
+	            grub-mkconfig -o /boot/grub/grub.cfg
+	            xbps-reconfigure -fa
+	            /usr/bin/update-grub
+        elif [[ $package_manager == "dnf" ]]; then
+            command -v installkernel
+        elif [[ $package_manager == "apt-get" ]]; then
+            cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
+	        dracut --kver "$KVER" --force
+            update-grub2
+        fi
+    fi
+done
+
+echo "Congrats! Your custom kernel based on the PlagueOS kernel configuration has been installed."
+echo "Reboot now? (y/N): "
+read reboot_opt
+
+if [[ "$reboot_opt" == "Y" ]]; then
+	reboot
+else
+	exit
+fi