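#!/bin/bash
## Script is designed to streamline the self-compilation process for the end-user.
## This entails staging linux-hardened, pulling PlagueOS kernel configuration, fingerprinting hardware, then compiling the minimalist kernel.
## Main benefit of self-compilation is you are not reliant on the upstream hardened configuration that must support various classes of hardware.
### This kernel is your own.
##
## Trust model (read before running): the kernel source tarball and the kernel
## configuration are both fetched over HTTPS and used as-is. Nothing in this
## script verifies a signature or a known-good hash for either file, so their
## integrity rests entirely on TLS and on the two hosting sites. The SHA-256 of
## each download is printed so it can be compared against a value obtained
## out of band.

# Print a message to stderr and abort. Used wherever continuing after a failed
# step would install something other than what the user asked for.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Print the SHA-256 of a downloaded file, when sha256sum is available, so the
# operator can record or compare it. This is informational only; it does not
# verify anything by itself.
print_sha256() {
  if command -v sha256sum >/dev/null; then
    sha256sum -- "$1"
  fi
}

# Everything below writes to /boot, /usr/src and /lib/modules.
if (( EUID != 0 )); then
  die "This script must be run as root."
fi

# Ensure /boot is writeable
# Not fatal: /boot may simply not be a separate mount point.
mount -o remount,rw /boot \
  || printf 'WARNING: could not remount /boot read-write; continuing.\n' >&2

# Set Kernel Version (KVER)
# Prompts until the input matches N.N.N-hardened1. The strict pattern matters
# beyond convenience: KVER is later interpolated into a download URL and into
# paths passed to rm, so it must never contain slashes, spaces or glob
# characters.
set_kver() {
  local -r kver_re='^[0-9]+\.[0-9]+\.[0-9]+(-hardened1)$'
  echo "Enter the kernel version to use (e.g., '6.6.18-hardened1'):"
  while true; do
    # On EOF (non-interactive stdin) read fails; abort instead of looping forever.
    read -r -e -i "${KVER:-}" -p "" KVER || die "No kernel version supplied."
    if [[ $KVER =~ $kver_re ]]; then
      break
    else
      echo "Invalid format."
    fi
  done
}

# Invoke function to prompt end-user for desired version (must be an active release in the Anthraxx Linux-Hardened repository)
set_kver

# Dependencies
# Maps a distribution marker file to the package manager used on that distribution.
declare -A osInfo
osInfo[/etc/void-release]="xbps"
osInfo[/etc/fedora-release]="dnf"
osInfo[/etc/debian_version]="apt-get"

for f in "${!osInfo[@]}"; do
  if [[ -f $f ]]; then
    package_manager=${osInfo[$f]}
    # Reported here, after detection, so the value is actually set.
    echo "Package manager: $package_manager"
    if [[ $package_manager == "xbps" ]]; then
      xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel perl
    elif [[ $package_manager == "dnf" ]]; then
      sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
        /usr/bin/{bc,bison,flex,gcc,git,openssl,make,perl,pahole,zstd}
    elif [[ $package_manager == "apt-get" ]]; then
      sudo apt-get install build-essential linux-source bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison
    fi
  fi
done

# Staging w/ error handling
tarball=/usr/src/"$KVER".tar.gz
src_dir=/usr/src/linux-hardened-"$KVER"

# Pull down Anthraxx linux-hardened upstream
if [[ ! -f $tarball ]]; then
  # --fail: an HTTP error must not be saved as if it were the tarball.
  # --proto-redir: -L follows redirects; keep those on HTTPS as well.
  # The download goes to a .part file first so an interrupted transfer is never
  # mistaken for a cached tarball on the next run.
  if ! /usr/bin/curl --verbose --fail --tlsv1.3 --proto =https --proto-redir =https -L \
      -o "$tarball.part" \
      --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"; then
    rm -f -- "$tarball.part"
    die "Download of linux-hardened $KVER failed."
  fi
  mv -- "$tarball.part" "$tarball" || die "Could not store $tarball."
fi
# NOTE(review): no signature or checksum is verified for this tarball.
print_sha256 "$tarball"

if [[ ! -d $src_dir ]]; then
  tar -xf "$tarball" -C /usr/src/ || die "Extraction of $tarball failed."
fi
# If this cd failed, the config download and make would run in the wrong directory.
cd "$src_dir" || die "Cannot enter $src_dir."

# Pull down plague kconfig
# NOTE(review): the URL tracks the 'main' branch, so the configuration is not
# pinned and can differ between runs; it is also not hash- or signature-checked.
# The file is fetched to a temporary name and must be non-empty, because an
# empty or partial .config would let the build proceed with a configuration
# other than the hardened one.
if ! wget https://0xacab.org/optout/plague-kernel/-/raw/main/host_hardened.config -O .config.part \
    || [[ ! -s .config.part ]]; then
  rm -f -- .config.part
  die "Download of the Plague kernel configuration failed."
fi
mv -- .config.part .config || die "Could not install .config."
print_sha256 .config
# wget https://0xacab.org/optout/plague-kernel/-/raw/main/virt_hardened.config -O .config
## virt_hardened.config is still a WIP

# Prompt if baseline Plague kernel is desired
## If not, proceed to fingerprint device
read -r -p "Do you want create a custom kernel tailored to your hardware? (y/n)" response
response=${response,,}
if [[ $response == "y" ]]; then
  echo "Tailoring kernel configuration to your hardware"
  make localmodconfig
else
  echo "Using baseline Plague kernel configuration"
fi

read -r -p "Do you want to open the kernel configuration editor? (y/n)" response
response=${response,,}
if [[ $response == "y" ]]; then
  make menuconfig
else
  echo "Proceeding to compile"
fi

# compile
# A failed build must stop here; otherwise the install and cleanup steps below
# would run against an incomplete tree and still report success.
make -j "$(nproc --all)" || die "Kernel build failed."
make modules_install INSTALL_MOD_STRIP=1 install || die "Kernel/module installation failed."

# Determine commands needed via osInfo
for f in "${!osInfo[@]}"; do
  if [[ -f $f ]]; then
    package_manager=${osInfo[$f]}
    if [[ $package_manager == "xbps" ]]; then
      cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
      dracut --kver "$KVER" --force
      grub-mkconfig -o /boot/grub/grub.cfg
      xbps-reconfigure -fa
      /usr/bin/update-grub
    elif [[ $package_manager == "dnf" ]]; then
      # NOTE(review): this only prints the path of installkernel; it performs
      # no installation step of its own. Confirm that 'make install' above is
      # sufficient on Fedora.
      command -v installkernel
    elif [[ $package_manager == "apt-get" ]]; then
      cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
      dracut --kver "$KVER" --force
      update-grub2
    fi
  fi
done

# Remove sysmap/signing keys
# The module signing key and System.map are deleted through the 'source'
# symlink (i.e. from the build tree) before the symlinks themselves are removed.
# Where the configuration enforces module signatures, a signing key left on disk
# would let anyone who can read it sign modules this kernel accepts.
# NOTE(review): the "_1" suffix presumably matches the local version set by the
# Plague configuration; confirm it against the installed /lib/modules entry.
# NOTE(review): rm only unlinks the key; the data may remain recoverable on disk.
rm -- /lib/modules/"$KVER"_1/source/certs/signing_key*
rm -- /lib/modules/"$KVER"_1/source/System.map
rm -- /lib/modules/"$KVER"_1/source
rm -- /lib/modules/"$KVER"_1/build

echo "Congrats! Your custom kernel based on the PlagueOS kernel configuration has been installed."
echo "Reboot now? (y/N): "
read -r reboot_opt
# Accept either case, consistent with the other prompts; anything else exits.
if [[ ${reboot_opt,,} == "y" ]]; then
  reboot
else
  exit
fi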