plague-kernel/README.md

Install dependencies

  • xbps-install -Sy make gcc xz elfutils elfutils-devel flex ncurses-devel openssl openssl-devel argp-standalone gcc-ada mpc libmpc-devel gmp-devel

Steps to create

  • cd /usr/src/
  • /usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10.<latest_version>-hardened1.tar.gz"
  • tar -xvf 5.10.<latest_version>-hardened1.tar.gz
  • cd 5.10.<latest_version>-hardened1
  • make oldconfig
  • make menuconfig # (if any changes are required)
  • make --jobs=4 # start compiling
  • make modules_install # create /lib/modules/$kver
  • cp ./arch/x86_64/boot/bzImage /boot/vmlinuz-5.10.<latest_version>-hardened1_1 && dracut --kver 5.10.<latest_version>-hardened1_1 --force
  • grub-mkconfig -o /boot/grub/grub.cfg
  • xbps-reconfigure -fa

Steps to import/configure release

  • Built into PlagueOS installer

Troubleshooting:

  • lsinitrd -v /boot/initramfs-5.10.<latest_version>-hardened1_1.img

Additional Resources:

Trimming Efforts

  • While the linux-hardened security patchset and the kernel configuration are notable parts of this kernel project, its core purpose was to practice minimalism: reducing the size of the Linux kernel and thereby cutting attack surface. Attack surface itself is not a trivial thing to measure, so we display the kernel size purely as a point of comparison.

| | PlagueOS (plague-kernel) | Whonix (LTS) |
|---|---|---|
| Size (compressed) | 159.2 MB | 285.6 MB |

Current kconfig-hardened-check results

Successes

| Option | Desired Value | Source | Reason | Result |
|---|---|---|---|---|
| CONFIG_BUG | y | defconfig | self_protection | OK |
| CONFIG_GCC_PLUGINS | y | defconfig | self_protection | OK |
| CONFIG_STACKPROTECTOR_STRONG | y | defconfig | self_protection | OK |
| CONFIG_STRICT_KERNEL_RWX | y | defconfig | self_protection | OK |
| CONFIG_STRICT_MODULE_RWX | y | defconfig | self_protection | OK |
| CONFIG_REFCOUNT_FULL | y | defconfig | self_protection | OK: version >= 5.5 |
| CONFIG_IOMMU_SUPPORT | y | defconfig | self_protection | OK |
| CONFIG_RANDOMIZE_BASE | y | defconfig | self_protection | OK |
| CONFIG_THREAD_INFO_IN_TASK | y | defconfig | self_protection | OK |
| CONFIG_VMAP_STACK | y | defconfig | self_protection | OK |
| CONFIG_MICROCODE | y | defconfig | self_protection | OK |
| CONFIG_RETPOLINE | y | defconfig | self_protection | OK |
| CONFIG_X86_SMAP | y | defconfig | self_protection | OK |
| CONFIG_SYN_COOKIES | y | defconfig | self_protection | OK |
| CONFIG_PAGE_TABLE_ISOLATION | y | defconfig | self_protection | OK |
| CONFIG_RANDOMIZE_MEMORY | y | defconfig | self_protection | OK |
| CONFIG_INTEL_IOMMU | y | defconfig | self_protection | OK |
| CONFIG_AMD_IOMMU | y | defconfig | self_protection | OK |
| CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | OK |
| CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | OK |
| CONFIG_DEBUG_WX | y | kspp | self_protection | OK |
| CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK |
| CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK |
| CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK |
| CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK |
| CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK |
| CONFIG_DEBUG_LIST | y | kspp | self_protection | OK |
| CONFIG_DEBUG_SG | y | kspp | self_protection | OK |
| CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | OK |
| CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | OK |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK |
| CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | OK |
| CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | OK |
| CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK |
| CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | OK |
| CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK |
| CONFIG_MODULE_SIG | y | kspp | self_protection | OK |
| CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK |
| CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK |
| CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | OK |
| CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | OK: CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y" |
| CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK |
| CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | OK |
| CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK |
| CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | OK |
| CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | OK |
| CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | OK |
| CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK |
| CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | OK |
| CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | OK |
| CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | OK |
| CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | OK |
| CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | OK |
| CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK |
| CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK |
| CONFIG_AMD_IOMMU_V2 | y | my | self_protection | OK |
| CONFIG_SECURITY | y | defconfig | security_policy | OK |
| CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK |
| CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found |
| CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK |
| CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK |
| CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY | y | clipos | security_policy | OK |
| CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK |
| CONFIG_SECCOMP | y | defconfig | cut_attack_surface | OK |
| CONFIG_SECCOMP_FILTER | y | defconfig | cut_attack_surface | OK |
| CONFIG_STRICT_DEVMEM | y | defconfig | cut_attack_surface | OK: CONFIG_DEVMEM "is not set" |
| CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK: not found |
| CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK |
| CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK |
| CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK: not found |
| CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | OK |
| CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | OK |
| CONFIG_KEXEC | is not set | kspp | cut_attack_surface | OK |
| CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | OK |
| CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | OK |
| CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | OK |
| CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | OK |
| CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | OK |
| CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | OK |
| CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found |
| CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | OK |
| CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | OK: CONFIG_DEVMEM "is not set" |
| CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | OK |
| CONFIG_ZSMALLOC_STAT | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_PAGE_OWNER | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_DEBUG_KMEMLEAK | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_BINFMT_AOUT | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_KPROBE_EVENTS | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_UPROBE_EVENTS | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_GENERIC_TRACER | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_FUNCTION_TRACER | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_STACK_TRACER | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_HIST_TRIGGERS | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_BLK_DEV_IO_TRACE | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_PROC_VMCORE | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_PROC_PAGE_MONITOR | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_USELIB | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_CHECKPOINT_RESTORE | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_USERFAULTFD | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_HWPOISON_INJECT | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_MEM_SOFT_DIRTY | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_DEVPORT | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_DEBUG_FS | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_NOTIFIER_ERROR_INJECTION | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_FAIL_FUTEX | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_PUNIT_ATOM_DEBUG | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_ACPI_CONFIGFS | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_EDAC_DEBUG | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_DRM_I915_DEBUG | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_BCACHE_CLOSURES_DEBUG | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_DVB_C8SECTPFE | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_MTD_SLRAM | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_MTD_PHRAM | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_IO_URING | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_RSEQ | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_LATENCYTOP | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_KCOV | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set | grsecurity | cut_attack_surface | OK |
| CONFIG_SUNRPC_DEBUG | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_PTDUMP_DEBUGFS | is not set | grsecurity | cut_attack_surface | OK: not found |
| CONFIG_DRM_LEGACY | is not set | maintainer | cut_attack_surface | OK |
| CONFIG_BLK_DEV_FD | is not set | maintainer | cut_attack_surface | OK |
| CONFIG_AIO | is not set | grapheneos | cut_attack_surface | OK |
| CONFIG_STAGING | is not set | clipos | cut_attack_surface | OK |
| CONFIG_KSM | is not set | clipos | cut_attack_surface | OK |
| CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | OK |
| CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | OK |
| CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | OK |
| CONFIG_USER_NS | is not set | clipos | cut_attack_surface | OK |
| CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | OK |
| CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK |
| CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | OK |
| CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK |
| CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | OK |
| CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK |
| CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | OK |
| CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK: not found |
| CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | OK |
| CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | OK |
| CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | OK: not found |
| CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | OK: not found |
| CONFIG_IP_DCCP | is not set | my | cut_attack_surface | OK |
| CONFIG_FTRACE | is not set | my | cut_attack_surface | OK |
| CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | OK: not found |
| CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | OK |
| CONFIG_INTEGRITY | y | defconfig | userspace_hardening | OK |
| CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos | userspace_hardening | OK |
| CONFIG_IP_SCTP | is not set | my | cut_attack_surface | OK |

Fails

| Option | Desired Value | Source | Reason | Result |
|---|---|---|---|---|
| CONFIG_SLUB_DEBUG | y | defconfig | self_protection | FAIL: "is not set" |
| CONFIG_X86_UMIP | y | defconfig | self_protection | FAIL: "is not set" |
| CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found |
| CONFIG_UBSAN_BOUNDS | y | maintainer | self_protection | FAIL: not found |
| CONFIG_UBSAN_SANITIZE_ALL | y | maintainer | self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" |
| CONFIG_UBSAN_TRAP | y | maintainer | self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" |
| CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" |
| CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" |
| CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" |
| CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y" |
| CONFIG_KCMP | is not set | grsecurity | cut_attack_surface | FAIL: "y" |
| CONFIG_FB | is not set | maintainer | cut_attack_surface | FAIL: "y" |
| CONFIG_VT | is not set | maintainer | cut_attack_surface | FAIL: "y" |
| CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y" |
| CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" |
| CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" |

Totals: 'OK' - 148 / 'FAIL' - 16
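As an added illustration of how the result column above is derived (this is example code written for this page, not plague-kernel's own tooling nor kconfig-hardened-check itself), the following checker applies a handful of the expectations listed above to a constructed `.config` fragment and reproduces the same result wording: plain `OK`, `OK: not found` for an option that is absent when it should be off, `FAIL: "y"` / `FAIL: "m"` for an option that is present when it should be off, `FAIL: not found`, and the dependent-check form `FAIL: CONFIG_UBSAN_BOUNDS not "y"`.

```python
# Added example (not part of the plague-kernel repository): a minimal .config
# checker in the spirit of kconfig-hardened-check, run over a constructed fragment.
import re

# Same columns as the tables above: (option, desired value, source, reason, depends_on).
# "depends_on" names an option that must be "y" before the check is meaningful.
CHECKS = [
    ("CONFIG_STRICT_KERNEL_RWX",    "y",          "defconfig",  "self_protection",    None),
    ("CONFIG_DEVKMEM",              "is not set", "kspp",       "cut_attack_surface", None),
    ("CONFIG_MODULES",              "is not set", "kspp",       "cut_attack_surface", None),
    ("CONFIG_X86_CPUID",            "is not set", "clipos",     "cut_attack_surface", None),
    ("CONFIG_OABI_COMPAT",          "is not set", "kspp",       "cut_attack_surface", None),
    ("CONFIG_DEFAULT_MMAP_MIN_ADDR","65536",      "kspp",       "self_protection",    None),
    ("CONFIG_UBSAN_BOUNDS",         "y",          "maintainer", "self_protection",    None),
    ("CONFIG_UBSAN_TRAP",           "y",          "maintainer", "self_protection",    "CONFIG_UBSAN_BOUNDS"),
]

# Constructed .config fragment for the demo (not a real plague-kernel config).
SAMPLE_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEVKMEM is not set
CONFIG_MODULES=y
CONFIG_X86_CPUID=m
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
"""

def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' lines are recorded as 'is not set'."""
    opts = {}
    for line in text.splitlines():
        if m := re.match(r"^(CONFIG_\w+)=(.*)$", line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := re.match(r"^# (CONFIG_\w+) is not set$", line):
            opts[m.group(1)] = "is not set"
    return opts

def check_option(opts, option, desired):
    """Compare one option with its desired value using the tool's result wording."""
    actual = opts.get(option)
    if actual is None:  # absent: fine when it should be off, a failure when it should be on
        return "OK: not found" if desired == "is not set" else "FAIL: not found"
    return "OK" if actual == desired else f'FAIL: "{actual}"'

def run_checks(opts):
    """Evaluate every CHECKS entry; dependent checks fail when their prerequisite is not 'y'."""
    results = {}
    for option, desired, _src, _reason, dep in CHECKS:
        if dep and check_option(opts, dep, "y") != "OK":
            results[option] = f'FAIL: {dep} not "y"'
        else:
            results[option] = check_option(opts, option, desired)
    return results

def totals(results):
    """Return (ok_count, fail_count) like the 'Totals:' line above."""
    ok = sum(1 for r in results.values() if r.startswith("OK"))
    return ok, len(results) - ok
```

Running `run_checks(parse_config(SAMPLE_CONFIG))` on the fragment yields four OK and four FAIL results; point `parse_config` at a real `.config` to check a built tree.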