Hardened linux: Difference between revisions
mNo edit summary |
mNo edit summary |
||
| Line 5: | Line 5: | ||
{{cmd|# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch}} | {{cmd|# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch}} | ||
{{cmd|# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig}} | {{cmd|# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig}} | ||
In the "APKBUILD" file, change this "source" line to this: | |||
{{cat|./APKBUILD|... | |||
0001-powerpc-boot-wrapper-Add-z-notext-flag-for-ppc64le.patch | |||
0002-x86-Compress-vmlinux-with-zstd-19-instead-of-22.patch | |||
0003-kexec-add-kexec_load_disabled-boot-option.patch | |||
0004-objtool-respect-AWK-setting.patch | |||
0005-powerpc-config-defang-gcc-check-for-stack-protector-.patch | |||
0006-linux-hardened-v6.11.10-hardened1.patch | |||
0007-linux-hardened-v6.11.10-hardened1.patch.sig | |||
lts.x86_64.config | |||
virt.x86_64.config | |||
...}} | |||
There is some need to remove "-hardened1" in the patch file (not the sig file): | There is some need to remove "-hardened1" in the patch file (not the sig file): | ||
{{cat|./0006-linux-hardened-v$VERSION-hardened1.patch|... | |||
-EXTRAVERSION | |||
+EXTRAVERSION -hardened1 | |||
...}} | |||
You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot [[UEFI_Secure_Boot|EFISTUB]]. | You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot [[UEFI_Secure_Boot|EFISTUB]]. | ||
| Line 14: | Line 33: | ||
Before compiling the kernel, in [[Custom_Kernel|the Alpine Linux kernel guide]], you must do some kernel module configurations, preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config|this KCONFIG]] from linux-hardened as a base, for configuration simplicity sake. (Use the apk package "Kconfig-Hardened-Check" for configuring KCONFIG file as securely as possible.) | Before compiling the kernel, in [[Custom_Kernel|the Alpine Linux kernel guide]], you must do some kernel module configurations, preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config|this KCONFIG]] from linux-hardened as a base, for configuration simplicity sake. (Use the apk package "Kconfig-Hardened-Check" for configuring KCONFIG file as securely as possible.) | ||
After applying this, you may do <code>abuild -r</code> to start compiling the kernel. | After applying this, you may do <code>abuild checksum && abuild -r</code> to start compiling the kernel. | ||
== External Links: == | == External Links: == | ||
Revision as of 20:04, 7 December 2024
Developing linux-kernel with hardened patch
Make a custom linux kernel using this guide. Once you have setup the linux kernel from there, in your current directory ($WORK_DIR/aports/main/linux-lts), gather linux hardened patches via these two CLI commands (Replace "$VERSION" with the current latest version in the releases):
# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch
# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig
In the "APKBUILD" file, change this "source" line to this:
Contents of ./APKBUILD
There is some need to remove "-hardened1" in the patch file (not the sig file):
Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch
You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot EFISTUB.
Before compiling the kernel, in the Alpine Linux kernel guide, you must do some kernel module configurations, preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [KCONFIG] from linux-hardened as a base, for configuration simplicity sake. (Use the apk package "Kconfig-Hardened-Check" for configuring KCONFIG file as securely as possible.)
After applying this, you may do abuild checksum && abuild -r to start compiling the kernel.