Hardened linux: Difference between revisions

From Alpine Linux
{{todo| A linux-hardened APK package will soon be provided in the Alpine Linux Edge testing repository, so you do not have to compile your own. WIP repo: https://gitlab.alpinelinux.org/Pursuable1652/linux-hardened}}


== Why Linux-Hardened Kernel? ==
You may want a more security-focused kernel: custom private syscalls (only if you compile the kernel for yourself and it is not published), the Grsecurity/KSPP/GrapheneOS kernel-hardening suggestions applied, and less attack surface in the kernel (checked with the kernel-hardening-checker APK package).


== Developing Linux-hardened kernel with hardened patch ==


{{warning| This guide was written for Alpine Linux Edge, with the testing repository enabled in <code>/etc/apk/repositories</code>.}}


Build a custom Linux kernel by following [[Custom_Kernel|this guide]] [1]. Once the kernel tree is set up, from your current directory (<code>$YOUR_WORK_DIR/aports/main/linux-lts</code>) fetch the linux-hardened patch and its signature with these two commands (replace "<code>$VERSION</code>" with the latest version on the releases page [3]):


{{cmd|$ wget -O 0006-linux-hardened-v$VERSION-hardened1.patch https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch}}
{{cmd|$ wget -O 0007-linux-hardened-v$VERSION-hardened1.patch.sig https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig}}


{{Note| To avoid confusion, this wiki uses x86_64 as <code>$ARCH</code>. Replace "x86_64" with a different <code>$ARCH</code> if desired.}}
{{Note| This wiki also uses 6.11.10 as <code>$pkgver</code> and 1 as <code>$pkgrel</code>. Replace both <code>$pkgver</code> and <code>$pkgrel</code> for newer release versions.}}
{{Note| The kernel will be compiled on Alpine Linux Edge.}}
 
In the <code>APKBUILD</code> file, change the "<code>source</code>" line to the following:
{{cat|./APKBUILD|...
source{{=}}"https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
    0001-powerpc-boot-wrapper-Add-z-notext-flag-for-ppc64le.patch
    0002-x86-Compress-vmlinux-with-zstd-19-instead-of-22.patch
    0003-kexec-add-kexec_load_disabled-boot-option.patch
    0004-objtool-respect-AWK-setting.patch
    0005-powerpc-config-defang-gcc-check-for-stack-protector-.patch
 
    0006-linux-hardened-v6.11.10-hardened1.patch
    0007-linux-hardened-v6.11.10-hardened1.patch.sig
 
    lts.x86_64.config
 
    virt.x86_64.config
    "
...}}
 
In the <code>APKBUILD</code> file again, set "<code>pkgver</code>" and "<code>pkgrel</code>" to match the "<code>$VERSION</code>" of the release patch file:
{{cat|./APKBUILD|...
pkgver{{=}}
...
pkgrel{{=}}
...}}
 
You may change the package flavor. If you do, replace every "<code>lts</code>" with your preferred flavor name (for example "<code>hardened</code>") and rename the files accordingly, for example <code>lts.x86_64.config</code> to <code>hardened.x86_64.config</code>. This wiki keeps the LTS flavor:
{{cat|./APKBUILD|...
_flavor{{=}}lts
...}}
 
You need to remove the "<code>-hardened1</code>" change from the patch file (not from the .sig file). This is the hunk in question:
{{cat|./0006-linux-hardened-v$VERSION-hardened1.patch|...
-EXTRAVERSION {{=}}
+EXTRAVERSION {{=}} -hardened1
...}}
 
 
{{Warning| You MUST remove the "<code>EXTRAVERSION</code>" suffix ("<code>-hardened1</code>") shown above, or installing the "<code>kernel-hooks</code>" package would do nothing, as this "<code>EXTRAVERSION</code>" is not necessary. (The "<code>kernel-hooks</code>" apk package is necessary to make a Secure Boot [[UEFI_Secure_Boot|EFISTUB]] [2].)}}
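The EXTRAVERSION edit above, scripted: an added example (not from the wiki page or the linux-hardened project) that makes the edit on a constructed sample patch and then checks that every hunk body still matches the line counts in its @@ header, which is what patch(1) and git apply verify. Verify the release .sig with gpg before editing; a signature cannot match the edited file. Function names and the sample patch are assumptions.

```shell
# Added example, not from the wiki page or the linux-hardened project.
# Verify the release .sig BEFORE calling strip_extraversion: the signature
# only matches the unmodified download.
# Turn "-EXTRAVERSION =" into a context line and drop "+EXTRAVERSION = -hardened1".
# A context line counts on both the old and new side, so the hunk's @@ line
# counts stay correct and the header needs no rewriting.
strip_extraversion() {   # usage: strip_extraversion <in.patch> <out.patch>
    sed -e 's/^-EXTRAVERSION =[[:space:]]*$/ EXTRAVERSION =/' \
        -e '/^+EXTRAVERSION = -hardened[0-9]*$/d' "$1" > "$2"
}

# Exit 0 if every @@ hunk body matches the counts in its header, 1 otherwise.
# Catches hand edits that leave a patch which patch(1) or git apply rejects.
hunk_counts_ok() {   # usage: hunk_counts_ok <file.patch>
    awk '
    function endhunk() { if (inhunk && (oldn != oldc || newn != newc)) bad = 1; inhunk = 0 }
    function tick()    { if (oldn >= oldc && newn >= newc) endhunk() }
    /^@@ / {
        endhunk()
        if (!match($0, /^@@ -[0-9]+(,[0-9]+)? [+][0-9]+(,[0-9]+)? @@/)) { bad = 1; next }
        split($2, o, ","); split($3, n, ",")        # "-start,count" / "+start,count"
        oldc = (2 in o) ? o[2] : 1; newc = (2 in n) ? n[2] : 1
        oldn = 0; newn = 0; inhunk = 1; next
    }
    inhunk && /^\\/    { next }                     # "\ No newline at end of file"
    inhunk && /^-/     { oldn++; tick(); next }
    inhunk && /^[+]/   { newn++; tick(); next }
    inhunk && /^( |$)/ { oldn++; newn++; tick(); next }
    inhunk             { bad = 1; inhunk = 0 }      # unexpected line inside a hunk
    END { endhunk(); exit bad + 0 }
    ' "$1"
}

# Constructed sample shaped like the Makefile hunk the wiki tells you to edit;
# the codename is made up, the version numbers are the ones this page uses.
make_sample_patch() {   # usage: make_sample_patch <out.patch>
    cat > "$1" <<'EOF'
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -2,5 +2,5 @@
 VERSION = 6
 PATCHLEVEL = 11
 SUBLEVEL = 10
-EXTRAVERSION =
+EXTRAVERSION = -hardened1
 NAME = sample-codename
EOF
}
```

On the real download the same two calls apply: `strip_extraversion 0006-linux-hardened-v$VERSION-hardened1.patch edited.patch && hunk_counts_ok edited.patch`.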
 
== Developing Linux-hardened kernel with hardened config ==
 
OPTIONAL: Before compiling the kernel as described in [[Custom_Kernel|the Alpine Linux custom kernel guide]] [1], you must configure the kernel modules. Do this by running <code>abuild -rK</code> for a few seconds and exiting with Ctrl-C, then go to <code>src/linux-$VERSION/</code> and fetch the Arch Linux hardened config, <code>Arch_hardened_x86_64.config</code> [5]:
{{cmd|$ doas apk add zstd tar
$ mkdir arch
$ cd arch
$ wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/
$ tar -xvf linux-hardened-headers.pkg.tar.zst
$ cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config
$ mv ./arch ../../
}}
 
Then run <code>make menuconfig</code>, select "Load", and enter the downloaded config file's name, <code>Arch_hardened_x86_64.config</code>. Where possible, reduce the number of kernel modules in the <code>.config</code> file to shorten compilation times; using the just-downloaded <code>Arch_hardened_x86_64.config</code> as a base keeps the configuration simple. (Use the apk package "<code>kernel-hardening-checker</code>" to configure the .config file as securely as possible; it contains grsecurity and KSPP kernel configuration suggestions and more.)
 
{{warning| The default <code>Arch_hardened_x86_64.config</code> needs one modification: in menuconfig, under General setup -> Kernel compression mode, select GZIP.}}
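The compression-mode change from the warning, done without menuconfig: an added example (not from the wiki page) that rewrites the "Kernel compression mode" Kconfig choice in a constructed sample .config and checks that exactly one CONFIG_KERNEL_* mode is enabled. Function names and the sample config are assumptions.

```shell
# Added example, not from the wiki page: script the "Kernel compression mode"
# change the warning above asks for, then check the .config is consistent.
# Run "make olddefconfig" afterwards so Kconfig re-resolves dependencies.

# Members of the "Kernel compression mode" choice in the kernel's init/Kconfig.
KERNEL_COMPRESSION_MODES="GZIP BZIP2 LZMA XZ LZO LZ4 ZSTD UNCOMPRESSED"

modes_alternation() { printf %s "$KERNEL_COMPRESSION_MODES" | tr ' ' '|'; }

# Rewrite .config so CONFIG_KERNEL_<MODE> is the only enabled mode; the other
# members get the "# CONFIG_X is not set" form Kconfig uses for disabled bools.
set_kernel_compression() {   # usage: set_kernel_compression <.config> <MODE>
    alt=$(modes_alternation)
    grep -v -E "^(CONFIG_KERNEL_($alt)=|# CONFIG_KERNEL_($alt) is not set)" "$1" > "$1.tmp" || true
    for m in $KERNEL_COMPRESSION_MODES; do
        if [ "$m" = "$2" ]; then echo "CONFIG_KERNEL_$m=y"
        else echo "# CONFIG_KERNEL_$m is not set"; fi
    done >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Print the enabled mode(s), e.g. GZIP; print nothing if none is enabled.
kernel_compression_mode() {
    grep -E "^CONFIG_KERNEL_($(modes_alternation))=y$" "$1" | sed 's/^CONFIG_KERNEL_//; s/=y$//'
}

# Exit 0 when exactly one mode is enabled, which is what the Kconfig choice
# requires; a hand-edited .config with zero or two "=y" lines fails here.
kernel_compression_consistent() {
    n=$(kernel_compression_mode "$1" | grep -c '' || true)
    [ "${n:-0}" -eq 1 ]
}

# Constructed sample in which zstd is the selected mode (the other lines are filler).
make_sample_config() {   # usage: make_sample_config <.config>
    cat > "$1" <<'EOF'
CONFIG_LOCALVERSION=""
# CONFIG_KERNEL_GZIP is not set
# CONFIG_KERNEL_BZIP2 is not set
# CONFIG_KERNEL_LZMA is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KERNEL_LZO is not set
# CONFIG_KERNEL_LZ4 is not set
CONFIG_KERNEL_ZSTD=y
CONFIG_RANDOMIZE_BASE=y
EOF
}
```

On the real tree, `set_kernel_compression Arch_hardened_x86_64.config GZIP` followed by `make olddefconfig` gives the same result as the menuconfig step.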
 
{{Tip| To use <code>kernel-hardening-checker</code>, run <code>mkdir kernel-hardening-checker && cd kernel-hardening-checker</code> and gather THREE files in that directory: the sysctl parameters (<code>$ doas sysctl -a > sysctl.conf</code>), the kernel boot parameters (<code>$ cat /proc/cmdline > ./cmdline.conf</code>), and the .config file (<code>Arch_hardened_x86_64.config</code>). Then run: <code>$ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./cmdline.conf</code>
----
Afterwards, run <code>cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts</code> so you don't lose this directory when the kernel build finishes (abuild deletes the src directory).}}
 
{{Note| Continuing from the OPTIONAL paragraph above: when you have finished configuring the kernel .config file, run <code>cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config</code>.}}
 
{{Note| <code>$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config</code> is the config for the virtualization kernel (QEMU, Xen); do not customize it for this wiki.}}
 
After applying this, run <code>cd $YOUR_WORK_DIR/aports/main/linux-lts</code> and then <code>abuild checksum && abuild -r</code> to start compiling the kernel.
 
When the build completes successfully, you should see <code>~/packages/main/$ARCH/linux-lts-$VERSION.apk</code>, and you can install it with <code>apk add linux-lts=$VERSION</code> (make sure to run <code>apk update</code> first, and that <code>/etc/apk/repositories</code> contains <code>$YOUR_USERS_HOME_DIR/packages/main</code>).


== External Links: ==
==== Custom Kernel (AlpineWiki): ====
* [https://wiki.alpinelinux.org/wiki/Custom_Kernel Custom_Kernel] [1]
==== EFIStub (Secure Boot) (AlpineWiki): ====
* [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot UEFI_Secure_Boot] [2]
==== Releases page: ====
* [https://github.com/anthraxx/linux-hardened/releases https://github.com/anthraxx/linux-hardened/releases] [3]
==== Some resources for help creating this page: ====
* [https://strfry.github.io/blog/building-alpine-kernel.html https://strfry.github.io/blog/building-alpine-kernel.html] [4]
==== Arch Linux linux-hardened package repo (to decompress and acquire its .config) ====
* [https://archlinux.org/packages/?sort=&q=hardened&packager=anthraxx&flagged= https://archlinux.org/packages/?sort=&q=hardened&packager=anthraxx&flagged=] [5]


[[Category:Security]] [[Category:Kernel]]

Latest revision as of 16:07, 15 December 2024
