Git-Mirrors/plague-kernel
1
0
Fork 0
mirror of https://0xacab.org/optout/plague-kernel.git synced 2025-12-27 14:24:35 -05:00
Code Issues Projects Releases Packages Wiki Activity
No description
32 commits 1 branch 0 tags 573 KiB
Find a file
optout d2db61fc7f
Distro-agnostic self-compilation script added | linux_virt_hardened config added (works with Whonix / Kicksecure) | Phased out 5.10 config
2024-03-01 17:06:58 +00:00
6.6.13-hardened1.config Build script fix to KVER standard variable | additional trimming & general config tweaks 2024-02-01 14:59:50 +00:00
6.6.18-hardened1.config KVER update / addition of mistakenly removed iwlwifi module 2024-03-01 04:50:23 +00:00
fedora_build.sh KVER config update - removal of 5.15 config 2024-02-27 16:04:17 +00:00
linux_virt_hardened.config Distro-agnostic self-compilation script added | linux_virt_hardened config added (works with Whonix / Kicksecure) | Phased out 5.10 config 2024-03-01 17:06:58 +00:00
README.md KVER config update - 6.6.18-hardened1 2024-02-27 15:35:05 +00:00
self_compilation.sh Distro-agnostic self-compilation script added | linux_virt_hardened config added (works with Whonix / Kicksecure) | Phased out 5.10 config 2024-03-01 17:06:58 +00:00
void_build.sh KVER config selection 2024-02-12 18:24:43 +00:00

README.md

Steps to create

  1. Set the KVER variable to which version you want to obtain from Anthraxx's linux-hardened repository
  2. Run bash void_build.sh if running Void Linux OR bash fedora_build.sh if running Fedora

Additional Resources:

Trimming Efforts

  • While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
Plague TAILS Whonix Vanilla
Size (/lib/modules/) 31.0 MB 89.0 MB 89.0 MB 126.0 MB
Size (vmlinuz) 8.0 MB 7.8 MB 7.8 MB 14.0 MB
No. of modules 1409 4039 4044 4402

Current kconfig-hardened-check results

Successes

Option Desired Value Source Reason Result
CONFIG_BUG y defconfig self_protection OK
CONFIG_THREAD_INFO_IN_TASK y defconfig self_protection OK
CONFIG_IOMMU_SUPPORT y defconfig self_protection OK
CONFIG_STACKPROTECTOR y defconfig self_protection OK
CONFIG_STACKPROTECTOR_STRONG y defconfig self_protection OK
CONFIG_STRICT_KERNEL_RWX y defconfig self_protection OK
CONFIG_STRICT_MODULE_RWX y defconfig self_protection OK
CONFIG_REFCOUNT_FULL y defconfig self_protection OK: version >= 5.5
CONFIG_INIT_STACK_ALL_ZERO y defconfig self_protection OK
CONFIG_RANDOMIZE_BASE y defconfig self_protection OK
CONFIG_VMAP_STACK y defconfig self_protection OK
CONFIG_SPECULATION_MITIGATIONS y defconfig self_protection OK
CONFIG_DEBUG_WX y defconfig self_protection OK
CONFIG_WERROR y defconfig self_protection OK
CONFIG_X86_MCE y defconfig self_protection OK
CONFIG_X86_MCE_INTEL y defconfig self_protection OK
CONFIG_X86_MCE_AMD y defconfig self_protection OK
CONFIG_RETPOLINE y defconfig self_protection OK
CONFIG_SYN_COOKIES y defconfig self_protection OK
CONFIG_MICROCODE y defconfig self_protection OK
CONFIG_MICROCODE_INTEL y defconfig self_protection OK: CONFIG_MICROCODE is "y"
CONFIG_MICROCODE_AMD y defconfig self_protection OK: CONFIG_MICROCODE is "y"
CONFIG_X86_SMAP y defconfig self_protection OK: version >= 5.19
CONFIG_X86_UMIP y defconfig self_protection OK
CONFIG_PAGE_TABLE_ISOLATION y defconfig self_protection OK
CONFIG_RANDOMIZE_MEMORY y defconfig self_protection OK
CONFIG_X86_KERNEL_IBT y defconfig self_protection OK
CONFIG_CPU_SRSO y defconfig self_protection OK
CONFIG_INTEL_IOMMU y defconfig self_protection OK
CONFIG_AMD_IOMMU y defconfig self_protection OK
CONFIG_BUG_ON_DATA_CORRUPTION y kspp self_protection OK
CONFIG_SLAB_FREELIST_HARDENED y kspp self_protection OK
CONFIG_SLAB_FREELIST_RANDOM y kspp self_protection OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR y kspp self_protection OK
CONFIG_FORTIFY_SOURCE y kspp self_protection OK
CONFIG_DEBUG_LIST y kspp self_protection OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON y kspp self_protection OK
CONFIG_SCHED_CORE y kspp self_protection OK
CONFIG_SCHED_STACK_END_CHECK y kspp self_protection OK
CONFIG_KFENCE y kspp self_protection OK
CONFIG_KFENCE_SAMPLE_INTERVAL is not off my self_protection OK: is not off, "100"
CONFIG_HARDENED_USERCOPY y kspp self_protection OK
CONFIG_HARDENED_USERCOPY_FALLBACK is not set kspp self_protection OK: is not found
CONFIG_HARDENED_USERCOPY_PAGESPAN is not set kspp self_protection OK: is not found
CONFIG_MODULE_SIG y kspp self_protection OK
CONFIG_MODULE_SIG_ALL y kspp self_protection OK
CONFIG_MODULE_SIG_SHA512 y kspp self_protection OK
CONFIG_MODULE_SIG_FORCE y kspp self_protection OK
CONFIG_INIT_ON_FREE_DEFAULT_ON y kspp self_protection OK
CONFIG_EFI_DISABLE_PCI_DMA y kspp self_protection OK
CONFIG_RESET_ATTACK_MITIGATION y kspp self_protection OK
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT y kspp self_protection OK
CONFIG_HW_RANDOM_TPM y kspp self_protection OK
CONFIG_DEFAULT_MMAP_MIN_ADDR 65536 kspp self_protection OK
CONFIG_IOMMU_DEFAULT_DMA_STRICT y kspp self_protection OK
CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set kspp self_protection OK
CONFIG_INTEL_IOMMU_DEFAULT_ON y kspp self_protection OK
CONFIG_SLS y kspp self_protection OK
CONFIG_INTEL_IOMMU_SVM y kspp self_protection OK
CONFIG_AMD_IOMMU_V2 y kspp self_protection OK
CONFIG_SLAB_MERGE_DEFAULT is not set clipos self_protection OK
CONFIG_LIST_HARDENED y my self_protection OK
CONFIG_RANDOM_KMALLOC_CACHES y my self_protection OK
CONFIG_SECURITY y defconfig security_policy OK
CONFIG_SECURITY_YAMA y kspp security_policy OK
CONFIG_SECURITY_LANDLOCK y kspp security_policy OK
CONFIG_SECURITY_SELINUX_DISABLE is not set kspp security_policy OK: is not found
CONFIG_SECURITY_LOCKDOWN_LSM y kspp security_policy OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY y kspp security_policy OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY y kspp security_policy OK
CONFIG_SECURITY_WRITABLE_HOOKS is not set kspp security_policy OK: is not found
CONFIG_SECURITY_SELINUX_DEBUG is not set my security_policy OK
CONFIG_SECURITY_SELINUX y my security_policy OK
CONFIG_SECCOMP y defconfig cut_attack_surface OK
CONFIG_SECCOMP_FILTER y defconfig cut_attack_surface OK
CONFIG_BPF_UNPRIV_DEFAULT_OFF y defconfig cut_attack_surface OK
CONFIG_STRICT_DEVMEM y defconfig cut_attack_surface OK: CONFIG_DEVMEM is "is not set"
CONFIG_X86_INTEL_TSX_MODE_OFF y defconfig cut_attack_surface OK
CONFIG_SECURITY_DMESG_RESTRICT y kspp cut_attack_surface OK
CONFIG_ACPI_CUSTOM_METHOD is not set kspp cut_attack_surface OK: is not found
CONFIG_COMPAT_BRK is not set kspp cut_attack_surface OK
CONFIG_DEVKMEM is not set kspp cut_attack_surface OK: is not found
CONFIG_INET_DIAG is not set kspp cut_attack_surface OK
CONFIG_KEXEC is not set kspp cut_attack_surface OK
CONFIG_PROC_KCORE is not set kspp cut_attack_surface OK
CONFIG_LEGACY_PTYS is not set kspp cut_attack_surface OK
CONFIG_HIBERNATION is not set kspp cut_attack_surface OK
CONFIG_COMPAT is not set kspp cut_attack_surface OK: is not found
CONFIG_IA32_EMULATION is not set kspp cut_attack_surface OK
CONFIG_X86_X32 is not set kspp cut_attack_surface OK: is not found
CONFIG_X86_X32_ABI is not set kspp cut_attack_surface OK
CONFIG_MODIFY_LDT_SYSCALL is not set kspp cut_attack_surface OK
CONFIG_OABI_COMPAT is not set kspp cut_attack_surface OK: is not found
CONFIG_X86_MSR is not set kspp cut_attack_surface OK
CONFIG_LEGACY_TIOCSTI is not set kspp cut_attack_surface OK
CONFIG_DEVMEM is not set kspp cut_attack_surface OK
CONFIG_IO_STRICT_DEVMEM y kspp cut_attack_surface OK: CONFIG_DEVMEM is "is not set"
CONFIG_LDISC_AUTOLOAD is not set kspp cut_attack_surface OK
CONFIG_COMPAT_VDSO is not set kspp cut_attack_surface OK: is not found
CONFIG_X86_VSYSCALL_EMULATION is not set kspp cut_attack_surface OK
CONFIG_ZSMALLOC_STAT is not set grsec cut_attack_surface OK
CONFIG_PAGE_OWNER is not set grsec cut_attack_surface OK
CONFIG_DEBUG_KMEMLEAK is not set grsec cut_attack_surface OK
CONFIG_BINFMT_AOUT is not set grsec cut_attack_surface OK: is not found
CONFIG_KPROBE_EVENTS is not set grsec cut_attack_surface OK: is not found
CONFIG_UPROBE_EVENTS is not set grsec cut_attack_surface OK: is not found
CONFIG_GENERIC_TRACER is not set grsec cut_attack_surface OK: is not found
CONFIG_FUNCTION_TRACER is not set grsec cut_attack_surface OK: is not found
CONFIG_STACK_TRACER is not set grsec cut_attack_surface OK: is not found
CONFIG_HIST_TRIGGERS is not set grsec cut_attack_surface OK: is not found
CONFIG_BLK_DEV_IO_TRACE is not set grsec cut_attack_surface OK: is not found
CONFIG_PROC_VMCORE is not set grsec cut_attack_surface OK
CONFIG_PROC_PAGE_MONITOR is not set grsec cut_attack_surface OK
CONFIG_USELIB is not set grsec cut_attack_surface OK
CONFIG_CHECKPOINT_RESTORE is not set grsec cut_attack_surface OK
CONFIG_USERFAULTFD is not set grsec cut_attack_surface OK
CONFIG_HWPOISON_INJECT is not set grsec cut_attack_surface OK: is not found
CONFIG_MEM_SOFT_DIRTY is not set grsec cut_attack_surface OK: is not found
CONFIG_DEVPORT is not set grsec cut_attack_surface OK
CONFIG_DEBUG_FS is not set grsec cut_attack_surface OK
CONFIG_NOTIFIER_ERROR_INJECTION is not set grsec cut_attack_surface OK
CONFIG_FAIL_FUTEX is not set grsec cut_attack_surface OK: is not found
CONFIG_PUNIT_ATOM_DEBUG is not set grsec cut_attack_surface OK
CONFIG_ACPI_CONFIGFS is not set grsec cut_attack_surface OK
CONFIG_EDAC_DEBUG is not set grsec cut_attack_surface OK
CONFIG_DRM_I915_DEBUG is not set grsec cut_attack_surface OK
CONFIG_BCACHE_CLOSURES_DEBUG is not set grsec cut_attack_surface OK
CONFIG_DVB_C8SECTPFE is not set grsec cut_attack_surface OK: is not found
CONFIG_MTD_SLRAM is not set grsec cut_attack_surface OK: is not found
CONFIG_MTD_PHRAM is not set grsec cut_attack_surface OK: is not found
CONFIG_IO_URING is not set grsec cut_attack_surface OK
CONFIG_RSEQ is not set grsec cut_attack_surface OK
CONFIG_LATENCYTOP is not set grsec cut_attack_surface OK
CONFIG_KCOV is not set grsec cut_attack_surface OK
CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set grsec cut_attack_surface OK
CONFIG_SUNRPC_DEBUG is not set grsec cut_attack_surface OK: is not found
CONFIG_PTDUMP_DEBUGFS is not set grsec cut_attack_surface OK: is not found
CONFIG_DRM_LEGACY is not set maintainer cut_attack_surface OK
CONFIG_BLK_DEV_FD is not set maintainer cut_attack_surface OK: is not found
CONFIG_BLK_DEV_FD_RAWCMD is not set maintainer cut_attack_surface OK: is not found
CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set maintainer cut_attack_surface OK: is not found
CONFIG_STAGING is not set clipos cut_attack_surface OK
CONFIG_KSM is not set clipos cut_attack_surface OK
CONFIG_KALLSYMS is not set clipos cut_attack_surface OK
CONFIG_MAGIC_SYSRQ is not set clipos cut_attack_surface OK
CONFIG_KEXEC_FILE is not set clipos cut_attack_surface OK
CONFIG_X86_CPUID is not set clipos cut_attack_surface OK
CONFIG_X86_IOPL_IOPERM is not set clipos cut_attack_surface OK
CONFIG_ACPI_TABLE_UPGRADE is not set clipos cut_attack_surface OK
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set clipos cut_attack_surface OK
CONFIG_AIO is not set clipos cut_attack_surface OK
CONFIG_EFI_TEST is not set lockdown cut_attack_surface OK
CONFIG_MMIOTRACE_TEST is not set lockdown cut_attack_surface OK: is not found
CONFIG_KPROBES is not set lockdown cut_attack_surface OK
CONFIG_MMIOTRACE is not set my cut_attack_surface OK: is not found
CONFIG_LIVEPATCH is not set my cut_attack_surface OK: is not found
CONFIG_IP_DCCP is not set my cut_attack_surface OK
CONFIG_IP_SCTP is not set my cut_attack_surface OK
CONFIG_FTRACE is not set my cut_attack_surface OK
CONFIG_VIDEO_VIVID is not set my cut_attack_surface OK
CONFIG_INPUT_EVBUG is not set my cut_attack_surface OK
CONFIG_KGDB is not set my cut_attack_surface OK
CONFIG_CORESIGHT is not set my cut_attack_surface OK: is not found
CONFIG_XFS_SUPPORT_V4 is not set my cut_attack_surface OK: is not found
CONFIG_TRIM_UNUSED_KSYMS y my cut_attack_surface OK
CONFIG_MODULE_FORCE_LOAD is not set my cut_attack_surface OK
CONFIG_COREDUMP is not set clipos harden_userspace OK
CONFIG_ARCH_MMAP_RND_BITS 32 my harden_userspace OK
CONFIG_BINFMT_MISC is not set kspp cut_attack_surface OK

Fails

Option Desired Value Source Reason Result
CONFIG_SLUB_DEBUG y defconfig self_protection FAIL: "is not set"
CONFIG_GCC_PLUGINS y defconfig self_protection FAIL: is not found
CONFIG_DEBUG_VIRTUAL y kspp self_protection FAIL: "is not set"
CONFIG_DEBUG_SG y kspp self_protection FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS y kspp self_protection FAIL: is not found
CONFIG_STATIC_USERMODEHELPER y kspp self_protection FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS y kspp self_protection FAIL: "is not set"
CONFIG_RANDSTRUCT_FULL y kspp self_protection FAIL: is not found
CONFIG_RANDSTRUCT_PERFORMANCE is not set kspp self_protection FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
CONFIG_GCC_PLUGIN_LATENT_ENTROPY y kspp self_protection FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_UBSAN_BOUNDS y kspp self_protection FAIL: is not found
CONFIG_UBSAN_LOCAL_BOUNDS y kspp self_protection FAIL: is not found
CONFIG_UBSAN_TRAP y kspp self_protection FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_UBSAN_SANITIZE_ALL y kspp self_protection FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_GCC_PLUGIN_STACKLEAK y kspp self_protection FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_METRICS is not set kspp self_protection FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE is not set kspp self_protection FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_CFI_CLANG y kspp self_protection FAIL: is not found
CONFIG_CFI_PERMISSIVE is not set kspp self_protection FAIL: CONFIG_CFI_CLANG is not "y"
CONFIG_SECURITY_SELINUX_BOOTPARAM is not set kspp security_policy FAIL: "y"
CONFIG_SECURITY_SELINUX_DEVELOP is not set kspp security_policy FAIL: "y"
CONFIG_MODULES is not set kspp cut_attack_surface FAIL: "y"
CONFIG_FAIL_FUTEX is not set grsec cut_attack_surface OK: is not found
CONFIG_KCMP is not set grsec cut_attack_surface FAIL: "y"
CONFIG_FB is not set maintainer cut_attack_surface FAIL: "y"
CONFIG_VT is not set maintainer cut_attack_surface FAIL: "y"
CONFIG_USER_NS is not set clipos cut_attack_surface FAIL: "y"
CONFIG_BPF_SYSCALL is not set lockdown cut_attack_surface FAIL: "y" 
[+] Config check is finished: 'OK' - 169 / 'FAIL' - 27