Additions to self_compilation.sh w/ added logic | README updates | Phased out original build scripts

2024-03-02 02:26:41 +00:00 · 2024-03-02 02:26:41 +00:00 · fd18d6d85c
parent d2db61fc7f
commit fd18d6d85c
4 changed files with 56 additions and 138 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,27 @@
-### Steps to create
-1. Set the KVER variable to which version you want to obtain from Anthraxx's linux-hardened repository
-2. Run `bash void_build.sh` if running Void Linux OR `bash fedora_build.sh` if running Fedora
+### What is the Plague kernel?
+The Plague kernel was initially designed for PlagueOS (hardened Void Linux musl), however the project has taken a life of its own. The kernel is distro-agnostic, therefore it can be ran on Debian, Fedora, Void Linux, and many more. The script detailed below allows for self-compilation of the Plague kernel, along with the option to tailor a custom kernel to your specific hardware.
+
+The script performs a variety of functions:
+- Installs needed dependencies for compilation
+- Stages desired linux-hardened kernel under `/usr/src/`
+- Imports Plague kernel configuration (KSPP recommendations applied + trimming)
+- (Optional) Cut attack surface further by evaluating mapped modules on current system, thus deselecting a variety of bloat from the configuration
+- Remove unnecessary artifacts such as System.map & signing keys
+
+### Steps to self-compile
+1. Set the KVER variable to which version you want to obtain from Anthraxx's [linux-hardened](https://github.com/anthraxx/linux-hardened) repository
+2. Run `bash ./self_compilation.sh`
+    Note: If you are planning on mapping modules used by your system when prompted via the script, we highly recommend that you access peripherals such as Webcams, adapters, USBs, protocols such as Bluetooth prior to running the script, if they are desired. 
+
+
+### Trimming Efforts
+- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
+
+| | Plague (Virt) | Plague | TAILS | Whonix | Vanilla |
+| --- | --- |--- | --- | --- | --- | 
+| Size (/lib/modules/)| 1.8 MB | 31.0 MB | 89.0 MB | 89.0 MB | 126.0 MB |
+| Size (vmlinuz) | 7.9 MB | 8.0 MB | 7.8 MB | 7.8 MB | 14.0 MB | 
+| No. of modules | 69 | 1409 | 4039 | 4044 | 4402 |

 #### Additional Resources:
 - https://docs.clip-os.org/clipos/kernel.html
@ -8,17 +29,7 @@
 - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
 - https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel

-### Trimming Efforts
- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
-
-| | Plague | TAILS | Whonix | Vanilla |
-| --- |--- | --- | --- | --- | 
-| Size (/lib/modules/)| 31.0 MB | 89.0 MB | 89.0 MB | 126.0 MB |
-| Size (vmlinuz) | 8.0 MB | 7.8 MB | 7.8 MB | 14.0 MB | 
-| No. of modules | 1409 | 4039 | 4044 | 4402 |
-
-
-### Current kconfig-hardened-check results
+### Current [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker) results
 #### Successes

 Option | Desired Value | Source | Reason | Result |
--- a/fedora_build.sh
+++ b/fedora_build.sh
@ -1,55 +0,0 @@
-#!/bin/bash
-
-# Set VAR
-KVER='6.6.18-hardened1'
-#KVER='5.10.145-hardened1'
-
-# Dependencies
-sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
-  /usr/bin/{bc,bison,flex,gcc,git,openssl,make,perl,pahole,zstd}
-
-function set_kver() {
-    echo "Enter the kernel version to use (e.g., '6.6.15-hardened1'):"
-    while true; do
-        read -e -i "${KVER:-}" -p "" KVER
-        if [[ $(echo $KVER | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-hardened1)$') == '' ]]; then
-            echo "Invalid format.";
-        else
-            break;
-        fi
-    done
-}
-
-# Invoke function to prompt end-user for desired version (must be an active release in the Anthraxx Linux-Hardened repository)
-set_kver
-
-# Staging w/ error handling
-if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
-	/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/"$KVER".tar.gz"
-fi
-
-if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
-	tar -xf "$KVER".tar.gz -C /usr/src/
-fi
-
-cd /usr/src/linux-hardened-"$KVER"
-wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.15-hardened1.config -O .config
-
-
-# Compilation
-yes "" | make olddefconfig
-make menuconfig
-# Exit if making no changes
-
-echo "Compiling "$KVER""
-make -j $(nproc --all)
-
-# Installing kernel
-## Ensure /boot is rw
-mount -o remount,rw /boot
-make -j $(nproc --all)
-command -v installkernel && make modules_install INSTALL_MOD_STRIP=1 install
-
-# remove sysmap/signing keys
-rm /lib/modules/"$KVER"_1/source/certs/signing_key*
-rm /lib/modules/"$KVER"_1/source/System.map
--- a/self_compilation.sh
+++ b/self_compilation.sh
@ -61,24 +61,41 @@ cd /usr/src/linux-hardened-"$KVER"

 # Pull down plague kconfig
 wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.18-hardened1.config -O .config
-make localmodconfig
-# make menuconfig # if tweaks are desired
+
+# Prompt if baseline Plague kernel is desired
+## If not, proceed to fingerprint device
+read -p "Do you want create a custom kernel tailored to your hardware? (y/n)" response
+response=$(echo $response | tr '[:upper:]' '[:lower:]')
+if [[ $response == "y" ]]; then
+    echo "Tailoring kernel configuration to your hardware"
+    make localmodconfig
+else
+    echo "Using baseline Plague kernel configuration"
+fi
+
+read -p "Do you want to open the kernel configuration editor? (y/n)" response
+response=$(echo $response | tr '[:upper:]' '[:lower:]')
+if [[ $response == "y" ]]; then
+    make menuconfig
+else
+    echo "Proceeding to compile"
+fi

 # compile
 make -j $(nproc --all)
 make modules_install INSTALL_MOD_STRIP=1 install

-# Re-determine via osInfo commands needed
+# Determine commands needed via osInfo 
 for f in ${!osInfo[@]}
 do
    if [[ -f $f ]]; then
        package_manager=${osInfo[$f]}
        if [[ $package_manager == "xbps" ]]; then
-                cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
-	            dracut --kver "$KVER" --force
-	            grub-mkconfig -o /boot/grub/grub.cfg
-	            xbps-reconfigure -fa
-	            /usr/bin/update-grub
+            cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
+	        dracut --kver "$KVER" --force
+	        grub-mkconfig -o /boot/grub/grub.cfg
+	        xbps-reconfigure -fa
+	        /usr/bin/update-grub
        elif [[ $package_manager == "dnf" ]]; then
            command -v installkernel
        elif [[ $package_manager == "apt-get" ]]; then
@ -89,6 +106,12 @@ do
    fi
 done

+# Remove sysmap/signing keys
+rm /lib/modules/"$KVER"_1/source/certs/signing_key*
+rm /lib/modules/"$KVER"_1/source/System.map
+rm /lib/modules/"$KVER"_1/source
+rm /lib/modules/"$KVER"_1/build
+
 echo "Congrats! Your custom kernel based on the PlagueOS kernel configuration has been installed."
 echo "Reboot now? (y/N): "
 read reboot_opt
--- a/void_build.sh
+++ b/void_build.sh
@ -1,61 +0,0 @@
-#!/bin/bash
-
-# Set Kernel Version Variable
-#KVER='6.6.15-hardened1'
-#KVER='5.10.145-hardened1'
-
-# Dependencies
-xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel perl
-
-function set_kver() {
-    echo "Enter the kernel version to use (e.g., '6.6.15-hardened1'):"
-    while true; do
-        read -e -i "${KVER:-}" -p "" KVER
-        if [[ $(echo $KVER | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-hardened1)$') == '' ]]; then
-            echo "Invalid format.";
-        else
-            break;
-        fi
-    done
-}
-
-# Invoke function to prompt end-user for desired version (must be an active release in the Anthraxx Linux-Hardened repository)
-set_kver
-
-# Staging w/ error handling
-if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
-	/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"
-fi
-
-if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
-	tar -xf "$KVER".tar.gz -C /usr/src/
-fi
-
-cd /usr/src/linux-hardened-"$KVER"
-wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.15-hardened1.config -O .config
-
-
-# Address system and file timing for clock skew runtime compilation error
-plague-time-sync
-find . -type f | xargs -n 5 touch
-make clean
-
-# Compilation
-make oldconfig
-make menuconfig
-
-echo "Compiling "$KVER""
-make -j $(nproc --all)
-make modules_install INSTALL_MOD_STRIP=1 install
-
-# Ensure /boot is rw
-mount -o remount,rw /boot
-cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"_1
-dracut --kver "$KVER"_1 --force
-grub-mkconfig -o /boot/grub/grub.cfg
-
-# remove sysmap/signing keys
-rm /lib/modules/"$KVER"_1/source/certs/signing_key*
-rm /lib/modules/"$KVER"_1/source/System.map
-rm /lib/modules/"$KVER"_1/source
-rm /lib/modules/"$KVER"_1/build