Repository files (latest commit message and date):

  • 5.10-hardened.config: Upgraded kernel config / created config for 5.15 / updated steps (2022-10-27)
  • 5.15-hardened.config: Upgraded kernel config / created config for 5.15 / updated steps (2022-10-27)
  • kernel_build.sh: Updated URI for kernel config to 0xacab.org (2022-12-02)
  • README.md: Updated kconfig for 6.6.13 linux-hardened (2024-01-25)

Steps to create

  1. Set the KVER variable to the kernel version you want to obtain from Anthraxx's linux-hardened repository
  2. Run bash kernel_build.sh

Steps to import/configure release

  • Built into PlagueOS installer

Troubleshooting:

  • lsinitrd -v /boot/initramfs-5.10."$KVER"-hardened1_1.img

Additional Resources:

Trimming Efforts

  • While the linux-hardened security patchset and the kernel configuration are notable parts of this kernel project, its core purpose was to practice minimalism: reducing the size of the Linux kernel, and with it the attack surface. Size reduction is not a trivial thing to record, so the compressed size is shown purely as a point of comparison.

                      PlagueOS (plague-kernel)   Whonix (LTS)
  Size (compressed)   159.2 MB                   285.6 MB

Current kconfig-hardened-check results

Successes

Option Type Desired-Value Source Reason (Result column omitted: every row below is OK)
CONFIG_BUG kconfig y defconfig self_protection
CONFIG_THREAD_INFO_IN_TASK kconfig y defconfig self_protection
CONFIG_IOMMU_SUPPORT kconfig y defconfig self_protection
CONFIG_STACKPROTECTOR kconfig y defconfig self_protection
CONFIG_STACKPROTECTOR_STRONG kconfig y defconfig self_protection
CONFIG_STRICT_KERNEL_RWX kconfig y defconfig self_protection
CONFIG_STRICT_MODULE_RWX kconfig y defconfig self_protection
CONFIG_REFCOUNT_FULL kconfig y defconfig self_protection
CONFIG_INIT_STACK_ALL_ZERO kconfig y defconfig self_protection
CONFIG_RANDOMIZE_BASE kconfig y defconfig self_protection
CONFIG_VMAP_STACK kconfig y defconfig self_protection
CONFIG_SPECULATION_MITIGATIONS kconfig y defconfig self_protection
CONFIG_DEBUG_WX kconfig y defconfig self_protection
CONFIG_WERROR kconfig y defconfig self_protection
CONFIG_X86_MCE kconfig y defconfig self_protection
CONFIG_X86_MCE_INTEL kconfig y defconfig self_protection
CONFIG_X86_MCE_AMD kconfig y defconfig self_protection
CONFIG_RETPOLINE kconfig y defconfig self_protection
CONFIG_SYN_COOKIES kconfig y defconfig self_protection
CONFIG_MICROCODE kconfig y defconfig self_protection
CONFIG_MICROCODE_INTEL kconfig y defconfig self_protection
CONFIG_MICROCODE_AMD kconfig y defconfig self_protection
CONFIG_X86_SMAP kconfig y defconfig self_protection
CONFIG_X86_UMIP kconfig y defconfig self_protection
CONFIG_PAGE_TABLE_ISOLATION kconfig y defconfig self_protection
CONFIG_RANDOMIZE_MEMORY kconfig y defconfig self_protection
CONFIG_X86_KERNEL_IBT kconfig y defconfig self_protection
CONFIG_CPU_SRSO kconfig y defconfig self_protection
CONFIG_INTEL_IOMMU kconfig y defconfig self_protection
CONFIG_AMD_IOMMU kconfig y defconfig self_protection
CONFIG_BUG_ON_DATA_CORRUPTION kconfig y kspp self_protection
CONFIG_SLAB_FREELIST_HARDENED kconfig y kspp self_protection
CONFIG_SLAB_FREELIST_RANDOM kconfig y kspp self_protection
CONFIG_SHUFFLE_PAGE_ALLOCATOR kconfig y kspp self_protection
CONFIG_FORTIFY_SOURCE kconfig y kspp self_protection
CONFIG_DEBUG_LIST kconfig y kspp self_protection
CONFIG_INIT_ON_ALLOC_DEFAULT_ON kconfig y kspp self_protection
CONFIG_SCHED_CORE kconfig y kspp self_protection
CONFIG_SCHED_STACK_END_CHECK kconfig y kspp self_protection
CONFIG_KFENCE kconfig y kspp self_protection
CONFIG_KFENCE_SAMPLE_INTERVAL kconfig is not off my self_protection
CONFIG_HARDENED_USERCOPY kconfig y kspp self_protection
CONFIG_HARDENED_USERCOPY_FALLBACK kconfig is not set kspp self_protection
CONFIG_HARDENED_USERCOPY_PAGESPAN kconfig is not set kspp self_protection
CONFIG_MODULE_SIG kconfig y kspp self_protection
CONFIG_MODULE_SIG_ALL kconfig y kspp self_protection
CONFIG_MODULE_SIG_SHA512 kconfig y kspp self_protection
CONFIG_MODULE_SIG_FORCE kconfig y kspp self_protection
CONFIG_INIT_ON_FREE_DEFAULT_ON kconfig y kspp self_protection
CONFIG_EFI_DISABLE_PCI_DMA kconfig y kspp self_protection
CONFIG_RESET_ATTACK_MITIGATION kconfig y kspp self_protection
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT kconfig y kspp self_protection
CONFIG_HW_RANDOM_TPM kconfig y kspp self_protection
CONFIG_DEFAULT_MMAP_MIN_ADDR kconfig 65536 kspp self_protection
CONFIG_IOMMU_DEFAULT_DMA_STRICT kconfig y kspp self_protection
CONFIG_IOMMU_DEFAULT_PASSTHROUGH kconfig is not set kspp self_protection
CONFIG_INTEL_IOMMU_DEFAULT_ON kconfig y kspp self_protection
CONFIG_SLS kconfig y kspp self_protection
CONFIG_INTEL_IOMMU_SVM kconfig y kspp self_protection
CONFIG_AMD_IOMMU_V2 kconfig y kspp self_protection
CONFIG_SLAB_MERGE_DEFAULT kconfig is not set clipos self_protection
CONFIG_LIST_HARDENED kconfig y my self_protection
CONFIG_RANDOM_KMALLOC_CACHES kconfig y my self_protection
CONFIG_SECURITY kconfig y defconfig security_policy
CONFIG_SECURITY_YAMA kconfig y kspp security_policy
CONFIG_SECURITY_LANDLOCK kconfig y kspp security_policy
CONFIG_SECURITY_SELINUX_DISABLE kconfig is not set kspp security_policy
CONFIG_SECURITY_LOCKDOWN_LSM kconfig y kspp security_policy
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY kconfig y kspp security_policy
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY kconfig y kspp security_policy
CONFIG_SECURITY_WRITABLE_HOOKS kconfig is not set kspp security_policy
CONFIG_SECURITY_SELINUX_DEBUG kconfig is not set my security_policy
CONFIG_SECURITY_SELINUX kconfig y my security_policy
CONFIG_SECCOMP kconfig y defconfig cut_attack_surface
CONFIG_SECCOMP_FILTER kconfig y defconfig cut_attack_surface
CONFIG_BPF_UNPRIV_DEFAULT_OFF kconfig y defconfig cut_attack_surface
CONFIG_STRICT_DEVMEM kconfig y defconfig cut_attack_surface
CONFIG_X86_INTEL_TSX_MODE_OFF kconfig y defconfig cut_attack_surface
CONFIG_SECURITY_DMESG_RESTRICT kconfig y kspp cut_attack_surface
CONFIG_ACPI_CUSTOM_METHOD kconfig is not set kspp cut_attack_surface
CONFIG_COMPAT_BRK kconfig is not set kspp cut_attack_surface
CONFIG_DEVKMEM kconfig is not set kspp cut_attack_surface
CONFIG_INET_DIAG kconfig is not set kspp cut_attack_surface
CONFIG_KEXEC kconfig is not set kspp cut_attack_surface
CONFIG_PROC_KCORE kconfig is not set kspp cut_attack_surface
CONFIG_LEGACY_PTYS kconfig is not set kspp cut_attack_surface
CONFIG_HIBERNATION kconfig is not set kspp cut_attack_surface
CONFIG_COMPAT kconfig is not set kspp cut_attack_surface
CONFIG_IA32_EMULATION kconfig is not set kspp cut_attack_surface
CONFIG_X86_X32 kconfig is not set kspp cut_attack_surface
CONFIG_X86_X32_ABI kconfig is not set kspp cut_attack_surface
CONFIG_MODIFY_LDT_SYSCALL kconfig is not set kspp cut_attack_surface
CONFIG_OABI_COMPAT kconfig is not set kspp cut_attack_surface
CONFIG_X86_MSR kconfig is not set kspp cut_attack_surface
CONFIG_LEGACY_TIOCSTI kconfig is not set kspp cut_attack_surface
CONFIG_DEVMEM kconfig is not set kspp cut_attack_surface
CONFIG_IO_STRICT_DEVMEM kconfig y kspp cut_attack_surface
CONFIG_LDISC_AUTOLOAD kconfig is not set kspp cut_attack_surface
CONFIG_COMPAT_VDSO kconfig is not set kspp cut_attack_surface
CONFIG_X86_VSYSCALL_EMULATION kconfig is not set kspp cut_attack_surface
CONFIG_ZSMALLOC_STAT kconfig is not set grsec cut_attack_surface
CONFIG_PAGE_OWNER kconfig is not set grsec cut_attack_surface
CONFIG_DEBUG_KMEMLEAK kconfig is not set grsec cut_attack_surface
CONFIG_BINFMT_AOUT kconfig is not set grsec cut_attack_surface
CONFIG_KPROBE_EVENTS kconfig is not set grsec cut_attack_surface
CONFIG_UPROBE_EVENTS kconfig is not set grsec cut_attack_surface
CONFIG_GENERIC_TRACER kconfig is not set grsec cut_attack_surface
CONFIG_FUNCTION_TRACER kconfig is not set grsec cut_attack_surface
CONFIG_STACK_TRACER kconfig is not set grsec cut_attack_surface
CONFIG_HIST_TRIGGERS kconfig is not set grsec cut_attack_surface
CONFIG_BLK_DEV_IO_TRACE kconfig is not set grsec cut_attack_surface
CONFIG_PROC_VMCORE kconfig is not set grsec cut_attack_surface
CONFIG_PROC_PAGE_MONITOR kconfig is not set grsec cut_attack_surface
CONFIG_USELIB kconfig is not set grsec cut_attack_surface
CONFIG_CHECKPOINT_RESTORE kconfig is not set grsec cut_attack_surface
CONFIG_USERFAULTFD kconfig is not set grsec cut_attack_surface
CONFIG_HWPOISON_INJECT kconfig is not set grsec cut_attack_surface
CONFIG_MEM_SOFT_DIRTY kconfig is not set grsec cut_attack_surface
CONFIG_DEVPORT kconfig is not set grsec cut_attack_surface
CONFIG_DEBUG_FS kconfig is not set grsec cut_attack_surface
CONFIG_NOTIFIER_ERROR_INJECTION kconfig is not set grsec cut_attack_surface
CONFIG_FAIL_FUTEX kconfig is not set grsec cut_attack_surface
CONFIG_PUNIT_ATOM_DEBUG kconfig is not set grsec cut_attack_surface
CONFIG_ACPI_CONFIGFS kconfig is not set grsec cut_attack_surface
CONFIG_EDAC_DEBUG kconfig is not set grsec cut_attack_surface
CONFIG_DRM_I915_DEBUG kconfig is not set grsec cut_attack_surface
CONFIG_BCACHE_CLOSURES_DEBUG kconfig is not set grsec cut_attack_surface
CONFIG_DVB_C8SECTPFE kconfig is not set grsec cut_attack_surface
CONFIG_MTD_SLRAM kconfig is not set grsec cut_attack_surface
CONFIG_MTD_PHRAM kconfig is not set grsec cut_attack_surface
CONFIG_IO_URING kconfig is not set grsec cut_attack_surface
CONFIG_RSEQ kconfig is not set grsec cut_attack_surface
CONFIG_LATENCYTOP kconfig is not set grsec cut_attack_surface
CONFIG_KCOV kconfig is not set grsec cut_attack_surface
CONFIG_PROVIDE_OHCI1394_DMA_INIT kconfig is not set grsec cut_attack_surface
CONFIG_SUNRPC_DEBUG kconfig is not set grsec cut_attack_surface
CONFIG_PTDUMP_DEBUGFS kconfig is not set grsec cut_attack_surface
CONFIG_DRM_LEGACY kconfig is not set maintainer cut_attack_surface
CONFIG_BLK_DEV_FD kconfig is not set maintainer cut_attack_surface
CONFIG_BLK_DEV_FD_RAWCMD kconfig is not set maintainer cut_attack_surface
CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT kconfig is not set maintainer cut_attack_surface
CONFIG_STAGING kconfig is not set clipos cut_attack_surface
CONFIG_KSM kconfig is not set clipos cut_attack_surface
CONFIG_KALLSYMS kconfig is not set clipos cut_attack_surface
CONFIG_MAGIC_SYSRQ kconfig is not set clipos cut_attack_surface
CONFIG_KEXEC_FILE kconfig is not set clipos cut_attack_surface
CONFIG_X86_CPUID kconfig is not set clipos cut_attack_surface
CONFIG_X86_IOPL_IOPERM kconfig is not set clipos cut_attack_surface
CONFIG_ACPI_TABLE_UPGRADE kconfig is not set clipos cut_attack_surface
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS kconfig is not set clipos cut_attack_surface
CONFIG_AIO kconfig is not set clipos cut_attack_surface
CONFIG_EFI_TEST kconfig is not set lockdown cut_attack_surface
CONFIG_MMIOTRACE_TEST kconfig is not set lockdown cut_attack_surface
CONFIG_KPROBES kconfig is not set lockdown cut_attack_surface
CONFIG_MMIOTRACE kconfig is not set my cut_attack_surface
CONFIG_LIVEPATCH kconfig is not set my cut_attack_surface
CONFIG_IP_DCCP kconfig is not set my cut_attack_surface
CONFIG_IP_SCTP kconfig is not set my cut_attack_surface
CONFIG_FTRACE kconfig is not set my cut_attack_surface
CONFIG_VIDEO_VIVID kconfig is not set my cut_attack_surface
CONFIG_INPUT_EVBUG kconfig is not set my cut_attack_surface
CONFIG_KGDB kconfig is not set my cut_attack_surface
CONFIG_CORESIGHT kconfig is not set my cut_attack_surface
CONFIG_XFS_SUPPORT_V4 kconfig is not set my cut_attack_surface
CONFIG_TRIM_UNUSED_KSYMS kconfig y my cut_attack_surface
CONFIG_MODULE_FORCE_LOAD kconfig is not set my cut_attack_surface
CONFIG_COREDUMP kconfig is not set clipos harden_userspace
CONFIG_ARCH_MMAP_RND_BITS kconfig 32 my harden_userspace

Fails

Option | Type | Desired Value | Source | Reason | Result
CONFIG_SLUB_DEBUG | kconfig | y | defconfig | self_protection | FAIL: "is not set"
CONFIG_GCC_PLUGINS | kconfig | y | defconfig | self_protection | FAIL: is not found
CONFIG_DEBUG_VIRTUAL | kconfig | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_SG | kconfig | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | kconfig | y | kspp | self_protection | FAIL: is not found
CONFIG_STATIC_USERMODEHELPER | kconfig | y | kspp | self_protection | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | kconfig | y | kspp | self_protection | FAIL: "is not set"
CONFIG_RANDSTRUCT_FULL | kconfig | y | kspp | self_protection | FAIL: is not found
CONFIG_RANDSTRUCT_PERFORMANCE | kconfig | is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | kconfig | y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_UBSAN_BOUNDS | kconfig | y | kspp | self_protection | FAIL: is not found
CONFIG_UBSAN_LOCAL_BOUNDS | kconfig | y | kspp | self_protection | FAIL: is not found
CONFIG_UBSAN_TRAP | kconfig | y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_UBSAN_SANITIZE_ALL | kconfig | y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_GCC_PLUGIN_STACKLEAK | kconfig | y | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_METRICS | kconfig | is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE | kconfig | is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_CFI_CLANG | kconfig | y | kspp | self_protection | FAIL: is not found
CONFIG_CFI_PERMISSIVE | kconfig | is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
CONFIG_SECURITY_SELINUX_BOOTPARAM | kconfig | is not set | kspp | security_policy | FAIL: "y"
CONFIG_SECURITY_SELINUX_DEVELOP | kconfig | is not set | kspp | security_policy | FAIL: "y"
CONFIG_BINFMT_MISC | kconfig | is not set | kspp | cut_attack_surface | FAIL: "m"
CONFIG_MODULES | kconfig | is not set | kspp | cut_attack_surface | FAIL: "y"
CONFIG_FAIL_FUTEX | kconfig | is not set | grsec | cut_attack_surface | OK: is not found
CONFIG_KCMP | kconfig | is not set | grsec | cut_attack_surface | FAIL: "y"
CONFIG_FB | kconfig | is not set | maintainer | cut_attack_surface | FAIL: "y"
CONFIG_VT | kconfig | is not set | maintainer | cut_attack_surface | FAIL: "y"
CONFIG_USER_NS | kconfig | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_BPF_SYSCALL | kconfig | is not set | lockdown | cut_attack_surface | FAIL: "y"


Totals: 'OK' - 148 / 'FAIL' - 16
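The result strings in the tables above ('FAIL: "is not set"', 'FAIL: is not found', 'OK: is not found', 'FAIL: CONFIG_RANDSTRUCT_FULL is not "y"') encode three distinct states of a .config option: explicitly disabled, absent from the file, and enabled with some value, plus a prerequisite that has to be "y" before a check is meaningful. The following small checker is an added example, not part of this repository and not kconfig-hardened-check itself; it parses a constructed .config fragment (not the project's real 6.6.13 config) and reproduces that OK/FAIL reporting, including the "is not found" distinction and a prerequisite check. The CHECKS list and the `prereq` field are this example's own simplification of the tool's dependency logic.

```python
"""Minimal .config checker (added example, not kconfig-hardened-check itself)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed .config fragment for demonstration; not the project's real config.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_SLUB_DEBUG is not set
CONFIG_MODULES=y
CONFIG_BINFMT_MISC=m
# CONFIG_RANDSTRUCT_FULL is not set
"""

# (option, desired value, prerequisite option that must be "y", or None)
Check = Tuple[str, str, Optional[str]]

CHECKS: List[Check] = [
    ("CONFIG_STACKPROTECTOR_STRONG", "y", None),
    ("CONFIG_DEFAULT_MMAP_MIN_ADDR", "65536", None),
    ("CONFIG_SLUB_DEBUG", "y", None),
    ("CONFIG_GCC_PLUGINS", "y", None),
    ("CONFIG_MODULES", "is not set", None),
    ("CONFIG_BINFMT_MISC", "is not set", None),
    ("CONFIG_FAIL_FUTEX", "is not set", None),
    # Hypothetical prerequisite rule: only meaningful once RANDSTRUCT_FULL is "y".
    ("CONFIG_RANDSTRUCT_PERFORMANCE", "is not set", "CONFIG_RANDSTRUCT_FULL"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Map each option present in a .config to its value.

    Explicitly disabled options ('# CONFIG_X is not set') map to the string
    'is not set'; options that never appear are simply missing from the dict,
    which is what lets the checker distinguish "is not set" from "is not found".
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^#\s*(CONFIG_\w+) is not set$", line)
        if m:
            values[m.group(1)] = "is not set"
    return values


def evaluate(option: str, desired: str, prereq: Optional[str],
             values: Dict[str, str]) -> str:
    """Return an OK/FAIL string in the style of the tables above."""
    if prereq is not None and values.get(prereq) != "y":
        return f'FAIL: {prereq} is not "y"'
    actual = values.get(option)
    if desired == "is not set":
        # An option that does not exist in this kernel cannot be enabled,
        # so absence counts as a pass, but is reported distinctly.
        if actual is None:
            return "OK: is not found"
        return "OK" if actual == "is not set" else f'FAIL: "{actual}"'
    if actual is None:
        return "FAIL: is not found"
    return "OK" if actual == desired else f'FAIL: "{actual}"'


def run_checks(text: str, checks: List[Check]) -> List[Tuple[str, str]]:
    """Evaluate every check against the parsed config, preserving order."""
    values = parse_config(text)
    return [(opt, evaluate(opt, desired, prereq, values))
            for opt, desired, prereq in checks]


def totals(results: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Count (OK, FAIL) results."""
    ok = sum(1 for _, r in results if r.startswith("OK"))
    return ok, len(results) - ok


if __name__ == "__main__":
    results = run_checks(SAMPLE_CONFIG, CHECKS)
    for opt, res in results:
        print(f"{opt:36} {res}")
    ok, fail = totals(results)
    print(f"Totals: 'OK' - {ok} / 'FAIL' - {fail}")
```

Running it against the constructed fragment gives 3 OK and 5 FAIL, with CONFIG_FAIL_FUTEX reported as "OK: is not found" exactly as in the Fails table: the option is absent from the sample config rather than disabled, which is the same reason the real tool lists it with an OK result among the failures. To check a real build, replace SAMPLE_CONFIG with the contents of the generated .config and extend CHECKS from the tables above.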