150 lines
4.9 KiB
Bash
150 lines
4.9 KiB
Bash
#!/bin/bash
|
|
## Script is designed to streamline the self-compilation process for the end-user.
|
|
## This entails staging linux-hardened, pulling PlagueOS kernel configuration, fingerprinting hardware, then compiling the minimalist kernel.
|
|
## Main benefit of self-compilation is you are not reliant on the upstream hardened configuration that must support various classes of hardware.
|
|
### This kernel is your own.
|
|
|
|
# Ensure /boot is writeable
|
|
mount -o remount,rw /boot
|
|
|
|
# Set Kernel Version (KVER)
|
|
function set_kver() {
|
|
echo "Enter the kernel version to use (e.g., '6.6.25-hardened1'):"
|
|
while true; do
|
|
read -e -i "${KVER:-}" -p "" KVER
|
|
if [[ $(echo $KVER | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-hardened1)$') == '' ]]; then
|
|
echo "Invalid format.";
|
|
else
|
|
break;
|
|
fi
|
|
done
|
|
}
|
|
|
|
# Invoke function to prompt end-user for desired version (must be an active release in the Anthraxx Linux-Hardened repository)
|
|
set_kver
|
|
|
|
function check_distro(){
|
|
declare -r distroId="$(awk -F= '$1=="ID"{print $NF}' /etc/os-release)"
|
|
case "${distroId,,}" in
|
|
*void*)
|
|
printf '%s\n' "Detected Void Linux..."
|
|
xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel perl zstd bc pahole linux-lts-headers
|
|
return 0
|
|
;;
|
|
*debian*|*ubuntu*)
|
|
printf '%s\n' "Detected Debian-based Distribution..."
|
|
sudo apt-get install build-essential linux-source bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison zstd
|
|
return 0
|
|
;;
|
|
*fedora*|*redhat*)
|
|
printf '%s\n' "Detected RHEL-based Distribution..."
|
|
sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
|
|
/usr/bin/{bc,bison,flex,gcc,git,openssl,make,perl,pahole,zstd}
|
|
return 0
|
|
;;
|
|
*)
|
|
printf '%s\n' "Unable to detect Operating System!" >&2
|
|
return 1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
check_distro
|
|
|
|
# Staging w/ error handling
|
|
# Pull down Anthraxx linux-hardened upstream
|
|
if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
|
|
/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"
|
|
fi
|
|
|
|
if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
|
|
tar -xf "$KVER".tar.gz -C /usr/src/
|
|
fi
|
|
|
|
# Move to staging directory
|
|
cd /usr/src/linux-hardened-"$KVER"
|
|
|
|
# Pull down plague kconfig
|
|
read -rp 'Are you compiling this kernel for a physical machine (host) or virtual machine (VM)? [host/vm]: ' response
|
|
if [[ "${response,,}" = "vm" ]]
|
|
then
|
|
echo "Compiling a VM kernel"
|
|
wget https://0xacab.org/optout/plague-kernel/-/raw/main/virt_hardened.config -O .config
|
|
## virt_hardened.config is still a WIP
|
|
elif [[ "${response,,}" = "host" ]]
|
|
then
|
|
echo "Compiling a host kernel"
|
|
wget https://0xacab.org/optout/plague-kernel/-/raw/main/host_hardened.config -O .config
|
|
else
|
|
echo "Invalid input. Please choose either \"Host\" or \"VM\"."
|
|
exit 1
|
|
fi
|
|
|
|
# Prompt if baseline Plague kernel is desired
|
|
## If not, proceed to fingerprint device
|
|
read -p "Do you want create a custom kernel tailored to your hardware? (y/n): " response
|
|
response=$(echo $response | tr '[:upper:]' '[:lower:]')
|
|
if [[ $response == "y" ]]; then
|
|
echo "Tailoring kernel configuration to your hardware"
|
|
make localmodconfig
|
|
else
|
|
echo "Using baseline Plague kernel configuration"
|
|
fi
|
|
|
|
read -p "Do you want to open the kernel configuration editor? (y/n): " response
|
|
response=$(echo $response | tr '[:upper:]' '[:lower:]')
|
|
if [[ $response == "y" ]]; then
|
|
make menuconfig
|
|
else
|
|
echo "Proceeding to compile"
|
|
fi
|
|
|
|
# compile
|
|
make -j $(nproc --all)
|
|
make modules_install INSTALL_MOD_STRIP=1 install
|
|
|
|
function install_kernel() {
|
|
declare -r distroId="$(awk -F= '$1=="ID"{print $NF}' /etc/os-release)"
|
|
case "${distroId,,}" in
|
|
*void*)
|
|
cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
|
|
dracut --kver "$KVER" --force
|
|
grub-mkconfig -o /boot/grub/grub.cfg
|
|
xbps-reconfigure -fa
|
|
/usr/bin/update-grub
|
|
return 0
|
|
;;
|
|
*debian*|*ubuntu*)
|
|
cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-"$KVER"
|
|
dracut --kver "$KVER" --force
|
|
update-grub2
|
|
return 0
|
|
;;
|
|
*fedora*|*redhat*)
|
|
command -v installkernel
|
|
return 0
|
|
;;
|
|
*)
|
|
printf '%s\n' "Unable to detect Operating System!" >&2
|
|
return 1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
install_kernel
|
|
|
|
|
|
|
|
# Remove sysmap/signing keys
|
|
rm /usr/src/linux-hardened-"$KVER"/certs/signing_key*
|
|
rm /usr/src/linux-hardened-"$KVER"/System.map
|
|
|
|
|
|
echo "Congrats! Your custom kernel based on the PlagueOS kernel configuration has been installed."
|
|
read -p "Reboot now? (y/N): " response
|
|
response=$(echo $response | tr '[:upper:]' '[:lower:]')
|
|
if [[ $response == "y" ]]; then
|
|
reboot
|
|
else
|
|
echo "Exiting..."
|
|
fi |