Hardened linux: Difference between revisions
mNo edit summary |
mNo edit summary |
||
| Line 7: | Line 7: | ||
There is some need to remove "-hardened1" in the patch file (not the sig file): | There is some need to remove "-hardened1" in the patch file (not the sig file): | ||
"<code> -EXTRAVERSION = </code> | |||
<code> +EXTRAVERSION = -hardened1 </code>" | |||
You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot [[UEFI_Secure_Boot|EFISTUB]]. | You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot [[UEFI_Secure_Boot|EFISTUB]]. | ||
| Line 19: | Line 19: | ||
==== Custom Kernel: ==== | ==== Custom Kernel: ==== | ||
* [https://wiki.alpinelinux.org/wiki/Custom_Kernel] | * [https://wiki.alpinelinux.org/wiki/Custom_Kernel] | ||
==== EFIStub: ==== | ==== EFIStub (Secure Boot): ==== | ||
* [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot] | * [https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot] | ||
==== Releases page: ==== | ==== Releases page: ==== | ||
Revision as of 19:43, 7 December 2024
Developing linux-kernel with hardened patch
Make a custom linux kernel using this guide. Once you have setup the linux kernel from there, in your current directory ($WORK_DIR/aports/main/linux-lts), gather linux hardened patches via these two CLI commands (Replace "$VERSION" with the current latest version in the releases):
# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch
# wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig
There is some need to remove "-hardened1" in the patch file (not the sig file):
" -EXTRAVERSION =
+EXTRAVERSION = -hardened1 "
You MUST remove the "EXTRAVERSION" naming ("-hardened1") after it, or compiling with the package "kernel-hooks" would not do anything, as this "extraversion" is not necessary. (Kernel-hooks apk package is necessary to make a secureboot EFISTUB.
Before compiling the kernel, in the Alpine Linux kernel guide, you must do some kernel module configurations, preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [KCONFIG] from linux-hardened as a base, for configuration simplicity sake. (Use the apk package "Kconfig-Hardened-Check" for configuring KCONFIG file as securely as possible.)
After applying this, you may do abuild -r to start compiling the kernel.