README.md

@@ -11,11 +11,6 @@
 ### Trimming Efforts
 - While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
 
-|Plague |
-|--- | --- |
-|Size (/lib/modules/)|47.0 MB |
-|Size (vmlinuz)|8.1 MB|
-
 
 ### Current kconfig-hardened-check results
 #### Successes
@@ -190,7 +185,6 @@ CONFIG_TRIM_UNUSED_KSYMS                |     y      |    my    |cut_attack_surf
 CONFIG_MODULE_FORCE_LOAD                | is not set |    my    |cut_attack_surface| OK
 CONFIG_COREDUMP                         | is not set |  clipos  | harden_userspace | OK
 CONFIG_ARCH_MMAP_RND_BITS               |     32     |    my    | harden_userspace | OK
-CONFIG_BINFMT_MISC                      | is not set |   kspp   |cut_attack_surface| OK
 
 #### Fails
 Option | Desired Value | Source | Reason | Result |
@@ -216,6 +210,7 @@ CONFIG_CFI_CLANG                        |     y      |   kspp   | self_protectio
 CONFIG_CFI_PERMISSIVE                   | is not set |   kspp   | self_protection  | FAIL: CONFIG_CFI_CLANG is not "y"
 CONFIG_SECURITY_SELINUX_BOOTPARAM       | is not set |   kspp   | security_policy  | FAIL: "y"
 CONFIG_SECURITY_SELINUX_DEVELOP         | is not set |   kspp   | security_policy  | FAIL: "y"
+CONFIG_BINFMT_MISC                      | is not set |   kspp   |cut_attack_surface| FAIL: "m"
 CONFIG_MODULES                          | is not set |   kspp   |cut_attack_surface| FAIL: "y"
 CONFIG_FAIL_FUTEX                       | is not set |  grsec   |cut_attack_surface| OK: is not found
 CONFIG_KCMP                             | is not set |  grsec   |cut_attack_surface| FAIL: "y"
@@ -225,5 +220,5 @@ CONFIG_USER_NS                          | is not set |  clipos  |cut_attack_surf
 CONFIG_BPF_SYSCALL                      | is not set | lockdown |cut_attack_surface| FAIL: "y"
 
 ```
-[+] Config check is finished: 'OK' - 169 / 'FAIL' - 27
+[+] Config check is finished: 'OK' - 168 / 'FAIL' - 28
 

fedora_build.sh

@@ -11,7 +11,7 @@ sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
 
 # Staging w/ error handling
 if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
-	/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/"$KVER".tar.gz"
+	/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"
 fi
 
 if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
@@ -19,7 +19,7 @@ if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
 fi
 
 cd /usr/src/linux-hardened-"$KVER"
-wget https://0xacab.org/optout/plague-kernel/-/raw/main/"$KVER".config -O .config
+wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.13-hardened.config -O .config
 
 
 # Compilation
@@ -33,9 +33,10 @@ make -j $(nproc --all)
 # Installing kernel
 ## Ensure /boot is rw
 mount -o remount,rw /boot
-make -j $(nproc --all)
+command -v installkernel && sudo make modules_install install
-command -v installkernel && make modules_install INSTALL_MOD_STRIP=1 install
 
 # remove sysmap/signing keys
 rm /lib/modules/"$KVER"_1/source/certs/signing_key*
-rm /lib/modules/"$KVER"_1/source/System.map
+rm /lib/modules/"$KVER"_1/source/System.map
+rm /lib/modules/"$KVER"_1/source
+rm /lib/modules/"$KVER"_1/build