Hardened linux: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 53: | Line 53: | ||
== External Links: == | == External Links: == | ||
==== Custom Kernel (AlpineWiki): ==== | ==== Custom Kernel (AlpineWiki): ==== | ||
* [https://wiki.alpinelinux.org/wiki/Custom_Kernel] | * [https://wiki.alpinelinux.org/wiki/Custom_Kernel Custom_Kernel] | ||
==== EFIStub (Secure Boot) (AlpineWiki): ==== | ==== EFIStub (Secure Boot) (AlpineWiki): ==== | ||
* [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot] | * [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot UEFI_Secure_Boot] | ||
==== Releases page: ==== | ==== Releases page: ==== | ||
* [https://github.com/anthraxx/linux-hardened/releases] | * [https://github.com/anthraxx/linux-hardened/releases https://github.com/anthraxx/linux-hardened/releases] | ||
==== Some resources for help creating this page: ==== | ==== Some resources for help creating this page: ==== | ||
* [https://strfry.github.io/blog/building-alpine-kernel.html] | * [https://strfry.github.io/blog/building-alpine-kernel.html https://strfry.github.io/blog/building-alpine-kernel.html] | ||
==== Linux-Hardened KCONFIG file ==== | ==== Linux-Hardened KCONFIG file ==== | ||
* [https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config] | * [https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config] | ||
[[Category:Security]] [[Category:Kernel]] | [[Category:Security]] [[Category:Kernel]] |
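Review bot: the labels added on the two AlpineWiki entries, "Custom_Kernel" and "UEFI_Secure_Boot", still carry the URL's underscores, and the other three entries (releases page, strfry blog, Arch_hardened_x86_64.config) repeat the full URL as their label, so the rendered list gains little over the bare links. Consider human-readable labels such as "Custom Kernel" and "UEFI Secure Boot", and a short descriptive label for each of the remaining links.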
Revision as of 21:28, 7 December 2024
Developing linux-kernel with hardened patch
Build a custom Linux kernel using this guide. Once you have set up the Linux kernel build from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), fetch the linux-hardened patch and its signature with these two commands (replace "$VERSION" with the current latest version in the releases):
$ wget -O 0006-linux-hardened-v$VERSION-hardened1.patch https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch
$ wget -O 0007-linux-hardened-v$VERSION-hardened1.patch.sig https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig
In the "APKBUILD" file, change this "source" line to this:
Contents of ./APKBUILD
In the APKBUILD file again, change "pkgver" and "pkgrel" to match the "$VERSION" of the release's patch file:
Contents of ./APKBUILD
You may change the package name's flavor (if you do, replace every occurrence of "lts" with your preferred flavor name), but for this wiki it will just be LTS:
Contents of ./APKBUILD
You need to remove "-hardened1" from the patch file (not the sig file):
Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch
You MUST remove the "EXTRAVERSION" suffix ("-hardened1") set there; otherwise installing the package "kernel-hooks" will not do anything. This "extraversion" is not necessary. (The kernel-hooks apk package is necessary to make a Secure Boot EFISTUB.)
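The download and the "-hardened1" edit described above, as an added example that is not part of the original wiki page: it checks the detached signature against the untouched patch before editing it, because the edit changes the file and the signature no longer matches afterwards. It assumes the .sig is a detached OpenPGP signature, that the signer's key is already in your gpg keyring, and that the patch contains the line "+EXTRAVERSION = -hardened1"; the function names and the fingerprint parameter are hypothetical.

```sh
#!/bin/sh
# Added example, not from the wiki page. Assumptions: the .sig is a detached
# OpenPGP signature over the unmodified patch, the signer's public key is
# already in your gpg keyring, and the patch sets the suffix with a line of
# the form "+EXTRAVERSION = -hardened1".

# Print the release URL for version $1 and file suffix $2 (patch | patch.sig).
release_url() {
    printf '%s/v%s-hardened1/linux-hardened-v%s-hardened1.%s\n' \
        https://github.com/anthraxx/linux-hardened/releases/download "$1" "$1" "$2"
}

# Download patch and signature under the 0006-/0007- names the page uses.
fetch_patch() {
    wget -O "0006-linux-hardened-v$1-hardened1.patch" "$(release_url "$1" patch)" &&
    wget -O "0007-linux-hardened-v$1-hardened1.patch.sig" "$(release_url "$1" patch.sig)"
}

# Remove the "-hardened1" suffix from the EXTRAVERSION line and nothing else.
strip_extraversion() {
    sed 's/^+EXTRAVERSION = -hardened1$/+EXTRAVERSION =/' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Verify first, edit second: the edit changes the file's bytes, so the
# signature only matches the pristine download. $3 is the primary-key
# fingerprint you expect (hypothetical parameter; uppercase hex, no spaces,
# obtained out of band). gpg reports it as the last VALIDSIG status field.
verify_then_strip() {
    if ! gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v fpr="$3" '$2 == "VALIDSIG" && $NF == fpr { ok = 1 } END { exit !ok }'
    then
        echo "no valid signature from $3; leaving $1 untouched" >&2
        return 1
    fi
    strip_extraversion "$1"
}

# Usage (needs network access and the signer's key):
#   VERSION=<version from the releases page>
#   FPR=<expected primary-key fingerprint, placeholder>
#   fetch_patch "$VERSION" &&
#   verify_then_strip "0006-linux-hardened-v$VERSION-hardened1.patch" \
#       "0007-linux-hardened-v$VERSION-hardened1.patch.sig" "$FPR"
```

Pinning the fingerprint matters because a plain gpg --verify succeeds for a valid signature from any key in the keyring, not only the one you intended to trust.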
Before compiling the kernel, you must configure the kernel as described in the Alpine Linux custom kernel guide. Do this by running abuild -rK for a few seconds and exiting with Ctrl-C, then go to src/linux-$VERSION/, wget [this linux-hardened KCONFIG], run make menuconfig, select "load kernel", and enter the name of the downloaded KCONFIG file. Preferably reduce the number of kernel modules in the KCONFIG file where possible, to shorten compilation times. You may borrow [this linux-hardened KCONFIG] from the "kernel-hardening-checker" repo as a base, for the sake of configuration simplicity. (Use the apk package "kernel-hardening-checker" to configure the KCONFIG file as securely as possible, as it contains some grsecurity and KSPP kernel configuration suggestions and more.)
After applying this, you may do cd $YOUR_WORK_DIR/aports/main/linux-lts and abuild checksum && abuild -r to start compiling the kernel.
When the compile has completed successfully, you should see ~/packages/main/$ARCH/linux-lts-$VERSION.apk and may install it with apk add linux-lts=$VERSION (make sure to run apk update, and that /etc/apk/repositories contains $YOUR_USERS_HOME_DIR/packages/main).