Hardened linux: Difference between revisions

From Alpine Linux

Revision as of 17:08, 8 December 2024

Developing linux-kernel with hardened patch

Make a custom Linux kernel using this guide [1]. Once you have set up the kernel build from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), fetch the linux-hardened patch and its detached signature with these two CLI commands (replace "$VERSION" with the current latest version on the releases page):

$ wget -O 0006-linux-hardened-v$VERSION-hardened1.patch https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch

$ wget -O 0007-linux-hardened-v$VERSION-hardened1.patch.sig https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig

Note: To avoid confusion, this wiki uses x86_64 as $ARCH. Replace "x86_64" with a different $ARCH if desired.
Note: This wiki also uses 6.11.10 as $pkgver and 1 as $pkgrel. Replace both $pkgver and $pkgrel for newer release versions.
Note: This will be compiled on the Alpine Linux Edge version.

In the "APKBUILD" file, change the "source" line to this:

Contents of ./APKBUILD

...
source="https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-$_kernver.tar.xz
	0001-powerpc-boot-wrapper-Add-z-notext-flag-for-ppc64le.patch
	0002-x86-Compress-vmlinux-with-zstd-19-instead-of-22.patch
	0003-kexec-add-kexec_load_disabled-boot-option.patch
	0004-objtool-respect-AWK-setting.patch
	0005-powerpc-config-defang-gcc-check-for-stack-protector-.patch
	0006-linux-hardened-v6.11.10-hardened1.patch
	0007-linux-hardened-v6.11.10-hardened1.patch.sig
	lts.x86_64.config
	virt.x86_64.config
	"
...

In the "APKBUILD" file again, set "pkgver" and "pkgrel" to match the "$VERSION" of the release patch file:

Contents of ./APKBUILD

...
pkgver=
...
pkgrel=
...

You may change the package flavor (if you do, replace every occurrence of "lts" with your preferred flavor name), but this wiki keeps LTS:

Contents of ./APKBUILD

... _flavor=lts ...

The "-hardened1" suffix must be removed from the patch file (not from the .sig file):

Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch

...
-EXTRAVERSION =
+EXTRAVERSION = -hardened1
...


You MUST remove the "EXTRAVERSION" suffix ("-hardened1") that follows it; otherwise installing the "kernel-hooks" package does nothing, and this "EXTRAVERSION" is not needed. (The "kernel-hooks" apk package is required to build a Secure Boot EFISTUB) [2].
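The edit described above, as an added example that is not part of the wiki page: a small POSIX shell script that strips the "-hardened1" EXTRAVERSION from the patch's Makefile hunk and checks the result, using a constructed minimal patch in place of the real 0006 file. It also carries the check a practitioner wants at this step: verify the detached .sig before editing, because the signature covers the unmodified patch and will no longer verify once the line has been changed. The verify_patch_signature function assumes the release signer's public key is already imported into gpg; the constructed sample does not exercise it.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): drop the "-hardened1" EXTRAVERSION
# from a linux-hardened patch so the built kernel keeps the plain version string
# the guide wants for kernel-hooks. The sample hunk below is constructed.

# Verify the detached signature BEFORE editing the patch: once the patch is
# modified the .sig no longer matches it. Assumes the signer's public key has
# already been imported into the local gpg keyring.
verify_patch_signature() {
    patch="$1"; sig="$2"
    gpg --verify "$sig" "$patch"
}

# Rewrite "+EXTRAVERSION = -hardened1" to "+EXTRAVERSION =" in place, touching
# only the added line of the Makefile hunk. The "-EXTRAVERSION =" line is the
# removed (original) line of the hunk and must stay exactly as it is, or the
# patch will no longer apply.
strip_extraversion() {
    patch="$1"
    sed -i 's/^+EXTRAVERSION = -hardened1$/+EXTRAVERSION =/' "$patch"
}

# Succeed (return 0) when no "+EXTRAVERSION = -hardened..." line remains.
extraversion_is_clean() {
    ! grep -q '^+EXTRAVERSION = -hardened' "$1"
}

# Constructed minimal patch carrying just the Makefile hunk from the wiki, so
# the functions above can be exercised offline without the real release file.
make_sample_patch() {
    out="$1"
    cat > "$out" <<'EOF'
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 VERSION = 6
 PATCHLEVEL = 11
 SUBLEVEL = 10
-EXTRAVERSION =
+EXTRAVERSION = -hardened1
EOF
}

# Stand-alone usage: sh strip-extraversion.sh PATCH SIG
# With no arguments only the functions above are defined.
if [ "$#" -ge 2 ]; then
    verify_patch_signature "$1" "$2"
    strip_extraversion "$1"
    extraversion_is_clean "$1" && echo "EXTRAVERSION suffix removed from $1"
fi
```

Run it against 0006-linux-hardened-v$VERSION-hardened1.patch and the matching .sig; the .sig file itself is left untouched, as the guide says. Because the signature check happens before the edit, a tampered download is caught while the patch is still byte-identical to what was signed.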

OPTIONAL: Before compiling the kernel as in the Alpine Linux custom kernel guide [1], configure the kernel modules: run abuild -rK for a few seconds, stop it with Ctrl-C, go to src/linux-$VERSION/, download [this linux-hardened KCONFIG] [5], run make menuconfig, select "Load", and enter the downloaded KCONFIG file's name. Where possible, reduce the number of kernel modules in the KCONFIG files to cut compilation time. You may use [this linux-hardened KCONFIG] [5] from the kernel-hardening-checker repository as a base, for the sake of configuration simplicity. (Use the apk package "kernel-hardening-checker" to configure the KCONFIG file as securely as possible; it includes grsecurity and KSPP kernel configuration recommendations and more.)

Tip: For a more up-to-date kernel, or simply to download the hardened Arch kernel source, you can fetch it from the Arch repository with these commands (GNU wget is required: apk add wget):

wget -O linux-hardened.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened/download/
wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/
wget -O linux-hardened-docs.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-docs/download/
tar -xvf linux-hardened.pkg.tar.zst
tar -xvf linux-hardened-headers.pkg.tar.zst
tar -xvf linux-hardened-docs.pkg.tar.zst


Afterwards, run cp ./usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config

Tip: To use kernel-hardening-checker, run mkdir kernel-hardening-checker && cd kernel-hardening-checker, and place THREE files in that directory: one with sysctl parameters ("sysctl.conf"), one with boot parameters ("secureboot.conf" if you use the kernel-hooks and secureboot-hooks apk packages), and the KCONFIG file ("Arch_hardened_x86_64.config"). Then run this CLI command: $ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./secureboot.conf
Afterwards, run cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts so you don't lose this directory when the kernel build finishes (abuild deletes the src directory).
Note: Continuing from the OPTIONAL paragraph above, when you have finished configuring the KCONFIG kernel file, run cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config (and $YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config if you also want to modify virt.x86_64.config).
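To show what the three input files look like and what a failing line means before the real checker is run, here is an added example (not the wiki's and not kernel-hardening-checker's own code): a deliberately small subset of the kind of checks that tool performs over a KCONFIG file, a sysctl.conf, and a boot-parameter file. The option names are real kernel, sysctl and boot parameters; the expected values are this example's own reading of common KSPP recommendations, and the boot-parameter file is assumed to hold one /proc/cmdline-style line, so treat the real tool's output as authoritative where it differs. The sample inputs are constructed, with two deliberate gaps.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki and not kernel-hardening-checker's
# code: a tiny illustration of what a hardening check over the three files
# does. Option names are real; the expected values are this example's own
# reading of common KSPP recommendations (an assumption, not the tool's list).

# Value of one CONFIG_ option in a KCONFIG file: "n" for "# X is not set",
# "missing" if the option does not appear at all (usually a config generated
# for a different kernel version, which is a different failure from "disabled").
kconfig_value() {
    file="$1"; opt="$2"
    v=$(grep "^$opt=" "$file" | head -n 1)
    if grep -q "^# $opt is not set$" "$file"; then echo n
    elif [ -n "$v" ]; then echo "${v#*=}"
    else echo missing; fi
}

# Value of one key in a sysctl.conf-style file ("key = value"); the last
# occurrence wins, as it does for the sysctl tool itself.
sysctl_value() {
    file="$1"; key="$2"
    v=$(grep "^[[:space:]]*$key[[:space:]]*=" "$file" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
    if [ -n "$v" ]; then echo "$v"; else echo missing; fi
}

# Boot parameters: the file is assumed to hold one /proc/cmdline-style line.
cmdline_has() {
    file="$1"; param="$2"
    tr ' ' '\n' < "$file" | grep -qx "$param"
}

# Run every check, print one line per check, return the number of failures.
check_hardening() {
    conf="$1"; sysctl="$2"; cmdline="$3"; fails=0
    while read -r opt want; do
        got=$(kconfig_value "$conf" "$opt")
        if [ "$got" = "$want" ]; then echo "OK   $opt=$got"
        else echo "FAIL $opt: want $want, got $got"; fails=$((fails + 1)); fi
    done <<'EOF'
CONFIG_STACKPROTECTOR_STRONG y
CONFIG_RANDOMIZE_BASE y
CONFIG_STRICT_KERNEL_RWX y
CONFIG_HARDENED_USERCOPY y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON y
CONFIG_DEVMEM n
EOF
    while read -r key want; do
        got=$(sysctl_value "$sysctl" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key=$got"
        else echo "FAIL $key: want $want, got $got"; fails=$((fails + 1)); fi
    done <<'EOF'
kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 1
EOF
    for p in slab_nomerge init_on_alloc=1 pti=on; do
        if cmdline_has "$cmdline" "$p"; then echo "OK   cmdline $p"
        else echo "FAIL cmdline missing $p"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Constructed sample inputs (not taken from a real system) with two deliberate
# gaps: CONFIG_DEVMEM left enabled, kernel.dmesg_restrict absent from sysctl.conf.
make_samples() {
    dir="$1"
    cat > "$dir/Arch_hardened_x86_64.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_DEVMEM=y
# CONFIG_PROC_KCORE is not set
EOF
    cat > "$dir/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled=1
EOF
    echo "root=/dev/sda2 ro slab_nomerge init_on_alloc=1 pti=on" > "$dir/cmdline.txt"
}

# Stand-alone usage: sh mini-check.sh KCONFIG SYSCTL_CONF CMDLINE_FILE
if [ "$#" -eq 3 ]; then check_hardening "$1" "$2" "$3"; fi
```

Run on the constructed sample it reports two FAIL lines (CONFIG_DEVMEM=y and the missing kernel.dmesg_restrict) and returns 2, which is the shape of result the real checker gives, with far more options, when pointed at the same three files.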

After applying this, run cd $YOUR_WORK_DIR/aports/main/linux-lts and then abuild checksum && abuild -r to start compiling the kernel.

When the compile has completed successfully, you should see ~/packages/main/$ARCH/linux-lts-$VERSION.apk and can install it with apk add linux-lts=$VERSION (make sure to run apk update first, and that /etc/apk/repositories contains $YOUR_USERS_HOME_DIR/packages/main).

External Links:

Custom Kernel (AlpineWiki):

EFIStub (Secure Boot) (AlpineWiki):

Releases page:

Some resources for help creating this page:

Linux-Hardened KCONFIG file