Hardened linux: Difference between revisions
mNo edit summary |
No edit summary |
||
| (53 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{todo| Soon will provide Alpine Linux Edge in testing repo a linux-hardened APK package, to avoid compiling your own! WIP Repo: https://gitlab.alpinelinux.org/Pursuable1652/linux-hardened)}} | |||
Make a custom linux kernel using [[Custom_Kernel|this guide]]. Once you have setup the linux kernel from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), gather linux hardened patches via these two CLI commands (Replace "$VERSION" with the current latest version in the releases): | == Why Linux-Hardened Kernel? == | ||
You may want to get a more security focused kernel, custom private syscalls (only if you compile it for yourself and is not publicly shown), apply Grsecurity/KSPP/GrapheneOS kernel hardening suggestions and remove attack surface from the kernel (with the kernel-hardening-checker APK package). | |||
== Developing Linux-hardened kernel with hardened patch == | |||
{{warning| The following wiki guide was made with Alpine Linux Edge version, and with the testing repository in <code>/etc/apk/repositories</code>}} | |||
Make a custom linux kernel using [[Custom_Kernel|this guide]] [1]. Once you have setup the linux kernel from there, in your current directory (<code>$YOUR_WORK_DIR/aports/main/linux-lts</code>), gather linux hardened patches via these two CLI commands (Replace "<code>$VERSION</code>" with the current latest version in the releases): | |||
{{cmd|$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch}} | {{cmd|$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch}} | ||
{{cmd|$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig}} | {{cmd|$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig}} | ||
In the "APKBUILD" file, change this "source" line to this: | {{Note| To not be confused, this wiki will be using x86_64 as the $ARCH. Replace "x86_64" to a different $ARCH if desired. | ||
}} | |||
{{Note| Also, this wiki will be using 6.11.10 as the $pkgver and 1 as the $pkgrel. Replace both $pkgver and $pkgrel on newer release versions. | |||
}} | |||
{{Note| This will be compiled through the Alpine Linux Edge version. | |||
}} | |||
In the "<code>APKBUILD</code>" file, change this "<code>source</code>" line to this: | |||
{{cat|./APKBUILD|... | {{cat|./APKBUILD|... | ||
source{{=}}"https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz | source{{=}}"https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz | ||
| Line 24: | Line 38: | ||
...}} | ...}} | ||
In APKBUILD file again, change "pkgver" and "pkgrel" to the same as the releases patch file's "$VERSION" | In "<code>APKBUILD</code>" file again, change "<code>pkgver</code>" and "<code>pkgrel</code>" to the same as the releases patch file's "<code>$VERSION</code>" | ||
{{cat|./APKBUILD|... | {{cat|./APKBUILD|... | ||
pkgver{{=}} | pkgver{{=}} | ||
| Line 31: | Line 45: | ||
...}} | ...}} | ||
You may change the pkg name's flavor (if you do that, replace all words "lts" with your preferred flavor name), but for this wiki it'll just be LTS | You may change the pkg name's flavor (if you do that, replace all words "<code>lts</code>" with your preferred flavor name (for example "<code>hardened</code>"), and, for example, change the file <code>lts.x86_64.config</code> to <code>hardened.x86_64.config</code>), but for this wiki it'll just be LTS | ||
{{cat|./APKBUILD|... | {{cat|./APKBUILD|... | ||
_flavor{{=}}lts | _flavor{{=}}lts | ||
...}} | ...}} | ||
There is some need to remove "-hardened1" in the patch file (not the sig file): | There is some need to remove "<code>-hardened1</code>" in the patch file (not the sig file): | ||
{{cat|./0006-linux-hardened-v$VERSION-hardened1.patch|... | {{cat|./0006-linux-hardened-v$VERSION-hardened1.patch|... | ||
-EXTRAVERSION {{=}} | -EXTRAVERSION {{=}} | ||
| Line 43: | Line 57: | ||
You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or installing the package "kernel-hooks" would not do anything, as this " | {{Warning| You MUST remove the "<code>EXTRAVERSION</code>" naming ("<code>-hardened1</code>") after it, or installing the package "<code>kernel-hooks</code>" would not do anything, as this "<code>EXTRAVERSION</code>" is not necessary. ("<code>kernel-hooks</code>" apk package is necessary to make a secureboot [[UEFI_Secure_Boot|EFISTUB]]) [2].}} | ||
== Developing Linux-hardened kernel with hardened config == | |||
OPTIONAL: Before compiling the kernel, in [[Custom_Kernel|the Alpine Linux custom kernel guide]] [1], you must do some kernel module configurations (do this by <code>abuild -rK</code> for a few seconds, then exiting by Ctrl-C, and then go to <code>src/linux-$VERSION/</code>, download this Arch_hardened_x86_64.config: | |||
{{cmd|$ doas apk add zstd tar | |||
$ mkdir arch | |||
$ cd arch | |||
$ wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/ | |||
$ tar -xvf linux-hardened-headers.pkg.tar.zst | |||
$ cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config | |||
$ mv ./arch ../../ | |||
}} | |||
And do <code>make menuconfig</code>, and select "load", and input the downloaded .config file's name: <code>Arch_hardened_x86_64.config</code>, preferably shorten the amount of kernel modules in the <code>.config</code> files where possible, to reduce compilation times. You may use the just-downloaded <code>Arch_hardened_x86_64.config</code> as a base for configuration simplicity sake. (Use the apk package "<code>kernel-hardening-checker</code>" for configuring .config file as securely as possible, as it contains some grsecurity and kspp kernel configuration suggestions and more.) | |||
{{warning| The default <code>Arch_hardened_x86_64.config</code> needs some modification, in menuconfig, general setup -> kernel compression mode, set it to GZIP.}} | |||
{{Tip| To use <code>kernel-hardening-checker</code>, do <code>mkdir kernel-hardening-checker && cd kernel-hardening-checker</code>, and you should acquire THREE files in the current directory: one with sysctl parameters (<code>$ doas sysctl -a > sysctl.conf</code>"sysctl.conf"), one with boot parameters (<code>$ cat /proc/version > ./cmdline.conf</code>"cmdline.conf"), and the .config file ("Arch_hardened_x86_64.config"). And then run with this CLI command: <code>$ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./cmdline.conf</code> | |||
---- | |||
Afterwards do <code>cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts</code> so you dont lose this directory when it finishes compiling the kernel (it deletes the src directory).}} | |||
{{Note| Continuing from the above OPTIONAL paragraph, do <code>cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config</code> when finished configuring .config kernel file.}} | |||
{{Note| <code>$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config</code> is the kernel for virtualization (QEMU, Xen), do not customize this for this wiki.}} | |||
After applying this, you may do <code>cd $YOUR_WORK_DIR/aports/main/linux-lts</code> and <code>abuild checksum && abuild -r</code> to start compiling the kernel. | After applying this, you may do <code>cd $YOUR_WORK_DIR/aports/main/linux-lts</code> and <code>abuild checksum && abuild -r</code> to start compiling the kernel. | ||
| Line 53: | Line 89: | ||
== External Links: == | == External Links: == | ||
==== Custom Kernel (AlpineWiki): ==== | ==== Custom Kernel (AlpineWiki): ==== | ||
* [https://wiki.alpinelinux.org/wiki/Custom_Kernel Custom_Kernel] | * [https://wiki.alpinelinux.org/wiki/Custom_Kernel Custom_Kernel] [1] | ||
==== EFIStub (Secure Boot) (AlpineWiki): ==== | ==== EFIStub (Secure Boot) (AlpineWiki): ==== | ||
* [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot UEFI_Secure_Boot] | * [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot UEFI_Secure_Boot] [2] | ||
==== Releases page: ==== | ==== Releases page: ==== | ||
* [https://github.com/anthraxx/linux-hardened/releases https://github.com/anthraxx/linux-hardened/releases] | * [https://github.com/anthraxx/linux-hardened/releases https://github.com/anthraxx/linux-hardened/releases] [3] | ||
==== Some resources for help creating this page: ==== | ==== Some resources for help creating this page: ==== | ||
* [https://strfry.github.io/blog/building-alpine-kernel.html https://strfry.github.io/blog/building-alpine-kernel.html] | * [https://strfry.github.io/blog/building-alpine-kernel.html https://strfry.github.io/blog/building-alpine-kernel.html] [4] | ||
==== Linux- | ==== Arch Linux linux-hardened package repo (to decompress and aquire its .config) ==== | ||
* [https:// | * [https://archlinux.org/packages/?sort=&q=hardened&packager=anthraxx&flagged= https://archlinux.org/packages/?sort=&q=hardened&packager=anthraxx&flagged=] [5] | ||
[[Category:Security]] [[Category:Kernel]] | [[Category:Security]] [[Category:Kernel]] | ||
Latest revision as of 16:07, 15 December 2024
Todo: Soon will provide Alpine Linux Edge in testing repo a linux-hardened APK package, to avoid compiling your own! WIP Repo: https://gitlab.alpinelinux.org/Pursuable1652/linux-hardened)
Why Linux-Hardened Kernel?
You may want to get a more security focused kernel, custom private syscalls (only if you compile it for yourself and is not publicly shown), apply Grsecurity/KSPP/GrapheneOS kernel hardening suggestions and remove attack surface from the kernel (with the kernel-hardening-checker APK package).
Developing Linux-hardened kernel with hardened patch
Warning: The following wiki guide was made with Alpine Linux Edge version, and with the testing repository in
/etc/apk/repositories
Make a custom linux kernel using this guide [1]. Once you have setup the linux kernel from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), gather linux hardened patches via these two CLI commands (Replace "$VERSION" with the current latest version in the releases):
$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch
$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig
Note: To not be confused, this wiki will be using x86_64 as the $ARCH. Replace "x86_64" to a different $ARCH if desired.
Note: Also, this wiki will be using 6.11.10 as the $pkgver and 1 as the $pkgrel. Replace both $pkgver and $pkgrel on newer release versions.
Note: This will be compiled through the Alpine Linux Edge version.
In the "APKBUILD" file, change this "source" line to this:
Contents of ./APKBUILD
...
source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
0001-powerpc-boot-wrapper-Add-z-notext-flag-for-ppc64le.patch
0002-x86-Compress-vmlinux-with-zstd-19-instead-of-22.patch
0003-kexec-add-kexec_load_disabled-boot-option.patch
0004-objtool-respect-AWK-setting.patch
0005-powerpc-config-defang-gcc-check-for-stack-protector-.patch
0006-linux-hardened-v6.11.10-hardened1.patch
0007-linux-hardened-v6.11.10-hardened1.patch.sig
lts.x86_64.config
virt.x86_64.config
"
...
In "APKBUILD" file again, change "pkgver" and "pkgrel" to the same as the releases patch file's "$VERSION"
Contents of ./APKBUILD
...
pkgver=
...
pkgrel=
...
You may change the pkg name's flavor (if you do that, replace all words "lts" with your preferred flavor name (for example "hardened"), and, for example, change the file lts.x86_64.config to hardened.x86_64.config), but for this wiki it'll just be LTS
Contents of ./APKBUILD
...
_flavor=lts
...
There is some need to remove "-hardened1" in the patch file (not the sig file):
Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch
...
-EXTRAVERSION =
+EXTRAVERSION = -hardened1
...
Warning: You MUST remove the "
EXTRAVERSION" naming ("-hardened1") after it, or installing the package "kernel-hooks" would not do anything, as this "EXTRAVERSION" is not necessary. ("kernel-hooks" apk package is necessary to make a secureboot EFISTUB) [2].
Developing Linux-hardened kernel with hardened config
OPTIONAL: Before compiling the kernel, in the Alpine Linux custom kernel guide [1], you must do some kernel module configurations (do this by abuild -rK for a few seconds, then exiting by Ctrl-C, and then go to src/linux-$VERSION/, download this Arch_hardened_x86_64.config:
$ doas apk add zstd tar $ mkdir arch $ cd arch $ wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/ $ tar -xvf linux-hardened-headers.pkg.tar.zst $ cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config $ mv ./arch ../../
And do make menuconfig, and select "load", and input the downloaded .config file's name: Arch_hardened_x86_64.config, preferably shorten the amount of kernel modules in the .config files where possible, to reduce compilation times. You may use the just-downloaded Arch_hardened_x86_64.config as a base for configuration simplicity sake. (Use the apk package "kernel-hardening-checker" for configuring .config file as securely as possible, as it contains some grsecurity and kspp kernel configuration suggestions and more.)
Warning: The default
Arch_hardened_x86_64.config needs some modification, in menuconfig, general setup -> kernel compression mode, set it to GZIP.
Tip: To use
Afterwards do
kernel-hardening-checker, do mkdir kernel-hardening-checker && cd kernel-hardening-checker, and you should acquire THREE files in the current directory: one with sysctl parameters ($ doas sysctl -a > sysctl.conf"sysctl.conf"), one with boot parameters ($ cat /proc/version > ./cmdline.conf"cmdline.conf"), and the .config file ("Arch_hardened_x86_64.config"). And then run with this CLI command: $ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./cmdline.conf
Afterwards do
cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts so you dont lose this directory when it finishes compiling the kernel (it deletes the src directory). Note: Continuing from the above OPTIONAL paragraph, do
cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config when finished configuring .config kernel file. Note:
$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config is the kernel for virtualization (QEMU, Xen), do not customize this for this wiki.After applying this, you may do cd $YOUR_WORK_DIR/aports/main/linux-lts and abuild checksum && abuild -r to start compiling the kernel.
When the compile has successfully completed, you should see ~/packages/main/$ARCH/linux-lts-$VERSION.apk and may install by apk add linux-lts=$VERSION(make sure to do apk update, and that /etc/apk/repositories contains $YOUR_USERS_HOME_DIR/packages/main.
External Links:
Custom Kernel (AlpineWiki):
- Custom_Kernel [1]
EFIStub (Secure Boot) (AlpineWiki):
- UEFI_Secure_Boot [2]