Steps to create
- Set the KVER variable to which version you want to obtain from Anthraxx's linux-hardened repository
- Run
bash kernel_build.sh
Steps to import/configure release
- Built into PlagueOS installer
Troubleshooting:
lsinitrd -v /boot/initramfs-5.10."$KVER"-hardened1_1.img
Additional Resources:
- https://www.kernel.org/doc/html/v5.10/
- https://github.com/Whonix/hardened-kernel
- https://docs.clip-os.org/clipos/kernel.html
- https://github.com/anthraxx/linux-hardened
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
- https://notabug.org/anonymous-lestat/Void-Hardened-Kernel
- https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel
Trimming Efforts
- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the core purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
| PlagueOS (plague-kernel) | Whonix (LTS) | |
|---|---|---|
| Size (compressed) | 159.2 MB | 285.6 MB |
Current kconfig-hardened-check results
Successes
| Option | Desired Value | Source | Reason | Result |
|---|---|---|---|---|
| CONFIG_BUG | kconfig | y | defconfig | self_protection |
| CONFIG_THREAD_INFO_IN_TASK | kconfig | y | defconfig | self_protection |
| CONFIG_IOMMU_SUPPORT | kconfig | y | defconfig | self_protection |
| CONFIG_STACKPROTECTOR | kconfig | y | defconfig | self_protection |
| CONFIG_STACKPROTECTOR_STRONG | kconfig | y | defconfig | self_protection |
| CONFIG_STRICT_KERNEL_RWX | kconfig | y | defconfig | self_protection |
| CONFIG_STRICT_MODULE_RWX | kconfig | y | defconfig | self_protection |
| CONFIG_REFCOUNT_FULL | kconfig | y | defconfig | self_protection |
| CONFIG_INIT_STACK_ALL_ZERO | kconfig | y | defconfig | self_protection |
| CONFIG_RANDOMIZE_BASE | kconfig | y | defconfig | self_protection |
| CONFIG_VMAP_STACK | kconfig | y | defconfig | self_protection |
| CONFIG_SPECULATION_MITIGATIONS | kconfig | y | defconfig | self_protection |
| CONFIG_DEBUG_WX | kconfig | y | defconfig | self_protection |
| CONFIG_WERROR | kconfig | y | defconfig | self_protection |
| CONFIG_X86_MCE | kconfig | y | defconfig | self_protection |
| CONFIG_X86_MCE_INTEL | kconfig | y | defconfig | self_protection |
| CONFIG_X86_MCE_AMD | kconfig | y | defconfig | self_protection |
| CONFIG_RETPOLINE | kconfig | y | defconfig | self_protection |
| CONFIG_SYN_COOKIES | kconfig | y | defconfig | self_protection |
| CONFIG_MICROCODE | kconfig | y | defconfig | self_protection |
| CONFIG_MICROCODE_INTEL | kconfig | y | defconfig | self_protection |
| CONFIG_MICROCODE_AMD | kconfig | y | defconfig | self_protection |
| CONFIG_X86_SMAP | kconfig | y | defconfig | self_protection |
| CONFIG_X86_UMIP | kconfig | y | defconfig | self_protection |
| CONFIG_PAGE_TABLE_ISOLATION | kconfig | y | defconfig | self_protection |
| CONFIG_RANDOMIZE_MEMORY | kconfig | y | defconfig | self_protection |
| CONFIG_X86_KERNEL_IBT | kconfig | y | defconfig | self_protection |
| CONFIG_CPU_SRSO | kconfig | y | defconfig | self_protection |
| CONFIG_INTEL_IOMMU | kconfig | y | defconfig | self_protection |
| CONFIG_AMD_IOMMU | kconfig | y | defconfig | self_protection |
| CONFIG_BUG_ON_DATA_CORRUPTION | kconfig | y | kspp | self_protection |
| CONFIG_SLAB_FREELIST_HARDENED | kconfig | y | kspp | self_protection |
| CONFIG_SLAB_FREELIST_RANDOM | kconfig | y | kspp | self_protection |
| CONFIG_SHUFFLE_PAGE_ALLOCATOR | kconfig | y | kspp | self_protection |
| CONFIG_FORTIFY_SOURCE | kconfig | y | kspp | self_protection |
| CONFIG_DEBUG_LIST | kconfig | y | kspp | self_protection |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | kconfig | y | kspp | self_protection |
| CONFIG_SCHED_CORE | kconfig | y | kspp | self_protection |
| CONFIG_SCHED_STACK_END_CHECK | kconfig | y | kspp | self_protection |
| CONFIG_KFENCE | kconfig | y | kspp | self_protection |
| CONFIG_KFENCE_SAMPLE_INTERVAL | kconfig | is not off | my | self_protection |
| CONFIG_HARDENED_USERCOPY | kconfig | y | kspp | self_protection |
| CONFIG_HARDENED_USERCOPY_FALLBACK | kconfig | is not set | kspp | self_protection |
| CONFIG_HARDENED_USERCOPY_PAGESPAN | kconfig | is not set | kspp | self_protection |
| CONFIG_MODULE_SIG | kconfig | y | kspp | self_protection |
| CONFIG_MODULE_SIG_ALL | kconfig | y | kspp | self_protection |
| CONFIG_MODULE_SIG_SHA512 | kconfig | y | kspp | self_protection |
| CONFIG_MODULE_SIG_FORCE | kconfig | y | kspp | self_protection |
| CONFIG_INIT_ON_FREE_DEFAULT_ON | kconfig | y | kspp | self_protection |
| CONFIG_EFI_DISABLE_PCI_DMA | kconfig | y | kspp | self_protection |
| CONFIG_RESET_ATTACK_MITIGATION | kconfig | y | kspp | self_protection |
| CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | kconfig | y | kspp | self_protection |
| CONFIG_HW_RANDOM_TPM | kconfig | y | kspp | self_protection |
| CONFIG_DEFAULT_MMAP_MIN_ADDR | kconfig | 65536 | kspp | self_protection |
| CONFIG_IOMMU_DEFAULT_DMA_STRICT | kconfig | y | kspp | self_protection |
| CONFIG_IOMMU_DEFAULT_PASSTHROUGH | kconfig | is not set | kspp | self_protection |
| CONFIG_INTEL_IOMMU_DEFAULT_ON | kconfig | y | kspp | self_protection |
| CONFIG_SLS | kconfig | y | kspp | self_protection |
| CONFIG_INTEL_IOMMU_SVM | kconfig | y | kspp | self_protection |
| CONFIG_AMD_IOMMU_V2 | kconfig | y | kspp | self_protection |
| CONFIG_SLAB_MERGE_DEFAULT | kconfig | is not set | clipos | self_protection |
| CONFIG_LIST_HARDENED | kconfig | y | my | self_protection |
| CONFIG_RANDOM_KMALLOC_CACHES | kconfig | y | my | self_protection |
| CONFIG_SECURITY | kconfig | y | defconfig | security_policy |
| CONFIG_SECURITY_YAMA | kconfig | y | kspp | security_policy |
| CONFIG_SECURITY_LANDLOCK | kconfig | y | kspp | security_policy |
| CONFIG_SECURITY_SELINUX_DISABLE | kconfig | is not set | kspp | security_policy |
| CONFIG_SECURITY_LOCKDOWN_LSM | kconfig | y | kspp | security_policy |
| CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | kconfig | y | kspp | security_policy |
| CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY | kconfig | y | kspp | security_policy |
| CONFIG_SECURITY_WRITABLE_HOOKS | kconfig | is not set | kspp | security_policy |
| CONFIG_SECURITY_SELINUX_DEBUG | kconfig | is not set | my | security_policy |
| CONFIG_SECURITY_SELINUX | kconfig | y | my | security_policy |
| CONFIG_SECCOMP | kconfig | y | defconfig | cut_attack_surface |
| CONFIG_SECCOMP_FILTER | kconfig | y | defconfig | cut_attack_surface |
| CONFIG_BPF_UNPRIV_DEFAULT_OFF | kconfig | y | defconfig | cut_attack_surface |
| CONFIG_STRICT_DEVMEM | kconfig | y | defconfig | cut_attack_surface |
| CONFIG_X86_INTEL_TSX_MODE_OFF | kconfig | y | defconfig | cut_attack_surface |
| CONFIG_SECURITY_DMESG_RESTRICT | kconfig | y | kspp | cut_attack_surface |
| CONFIG_ACPI_CUSTOM_METHOD | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_COMPAT_BRK | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_DEVKMEM | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_INET_DIAG | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_KEXEC | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_PROC_KCORE | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_LEGACY_PTYS | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_HIBERNATION | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_COMPAT | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_IA32_EMULATION | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_X86_X32 | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_X86_X32_ABI | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_MODIFY_LDT_SYSCALL | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_OABI_COMPAT | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_X86_MSR | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_LEGACY_TIOCSTI | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_DEVMEM | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_IO_STRICT_DEVMEM | kconfig | y | kspp | cut_attack_surface |
| CONFIG_LDISC_AUTOLOAD | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_COMPAT_VDSO | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_X86_VSYSCALL_EMULATION | kconfig | is not set | kspp | cut_attack_surface |
| CONFIG_ZSMALLOC_STAT | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PAGE_OWNER | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DEBUG_KMEMLEAK | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_BINFMT_AOUT | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_KPROBE_EVENTS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_UPROBE_EVENTS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_GENERIC_TRACER | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_FUNCTION_TRACER | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_STACK_TRACER | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_HIST_TRIGGERS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_BLK_DEV_IO_TRACE | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PROC_VMCORE | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PROC_PAGE_MONITOR | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_USELIB | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_CHECKPOINT_RESTORE | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_USERFAULTFD | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_HWPOISON_INJECT | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_MEM_SOFT_DIRTY | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DEVPORT | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DEBUG_FS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_NOTIFIER_ERROR_INJECTION | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_FAIL_FUTEX | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PUNIT_ATOM_DEBUG | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_ACPI_CONFIGFS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_EDAC_DEBUG | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DRM_I915_DEBUG | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_BCACHE_CLOSURES_DEBUG | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DVB_C8SECTPFE | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_MTD_SLRAM | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_MTD_PHRAM | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_IO_URING | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_RSEQ | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_LATENCYTOP | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_KCOV | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PROVIDE_OHCI1394_DMA_INIT | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_SUNRPC_DEBUG | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_PTDUMP_DEBUGFS | kconfig | is not set | grsec | cut_attack_surface |
| CONFIG_DRM_LEGACY | kconfig | is not set | maintainer | cut_attack_surface |
| CONFIG_BLK_DEV_FD | kconfig | is not set | maintainer | cut_attack_surface |
| CONFIG_BLK_DEV_FD_RAWCMD | kconfig | is not set | maintainer | cut_attack_surface |
| CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT | kconfig | is not set | maintainer | cut_attack_surface |
| CONFIG_STAGING | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_KSM | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_KALLSYMS | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_MAGIC_SYSRQ | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_KEXEC_FILE | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_X86_CPUID | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_X86_IOPL_IOPERM | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_ACPI_TABLE_UPGRADE | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_AIO | kconfig | is not set | clipos | cut_attack_surface |
| CONFIG_EFI_TEST | kconfig | is not set | lockdown | cut_attack_surface |
| CONFIG_MMIOTRACE_TEST | kconfig | is not set | lockdown | cut_attack_surface |
| CONFIG_KPROBES | kconfig | is not set | lockdown | cut_attack_surface |
| CONFIG_MMIOTRACE | kconfig | is not set | my | cut_attack_surface |
| CONFIG_LIVEPATCH | kconfig | is not set | my | cut_attack_surface |
| CONFIG_IP_DCCP | kconfig | is not set | my | cut_attack_surface |
| CONFIG_IP_SCTP | kconfig | is not set | my | cut_attack_surface |
| CONFIG_FTRACE | kconfig | is not set | my | cut_attack_surface |
| CONFIG_VIDEO_VIVID | kconfig | is not set | my | cut_attack_surface |
| CONFIG_INPUT_EVBUG | kconfig | is not set | my | cut_attack_surface |
| CONFIG_KGDB | kconfig | is not set | my | cut_attack_surface |
| CONFIG_CORESIGHT | kconfig | is not set | my | cut_attack_surface |
| CONFIG_XFS_SUPPORT_V4 | kconfig | is not set | my | cut_attack_surface |
| CONFIG_TRIM_UNUSED_KSYMS | kconfig | y | my | cut_attack_surface |
| CONFIG_MODULE_FORCE_LOAD | kconfig | is not set | my | cut_attack_surface |
| CONFIG_COREDUMP | kconfig | is not set | clipos | harden_userspace |
| CONFIG_ARCH_MMAP_RND_BITS | kconfig | 32 | my | harden_userspace |
Fails
CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | FAIL: "is not set" CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: is not found CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y" CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y" CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y" CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y" CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y" CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y" CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
Totals: 'OK' - 148 / 'FAIL' - 16