Hardened linux: Difference between revisions
mNo edit summary |
mNo edit summary |
||
| Line 1: | Line 1: | ||
== Why Linux-Hardened Kernel? == | |||
You may want to get a more security focused kernel, custom private syscalls (only if you compile it for yourself and is not publicly shown), apply Grsecurity/KSPP/GrapheneOS kernel hardening suggestions and remove attack surface from the kernel (with the kernel-hardening-checker APK package). | |||
== Developing linux-kernel with hardened patch == | == Developing linux-kernel with hardened patch == | ||
{{warning| The following wiki guide was made with Alpine Linux Edge version, and with the testing repository in <code>/etc/apk/repositories</code>}} | |||
Make a custom linux kernel using [[Custom_Kernel|this guide]] [1]. Once you have setup the linux kernel from there, in your current directory (<code>$YOUR_WORK_DIR/aports/main/linux-lts</code>), gather linux hardened patches via these two CLI commands (Replace "<code>$VERSION</code>" with the current latest version in the releases): | Make a custom linux kernel using [[Custom_Kernel|this guide]] [1]. Once you have setup the linux kernel from there, in your current directory (<code>$YOUR_WORK_DIR/aports/main/linux-lts</code>), gather linux hardened patches via these two CLI commands (Replace "<code>$VERSION</code>" with the current latest version in the releases): | ||
| Line 56: | Line 61: | ||
OPTIONAL: Before compiling the kernel, in [[Custom_Kernel|the Alpine Linux custom kernel guide]] [1], you must do some kernel module configurations (do this by <code>abuild -rK</code> for a few seconds, then exiting by Ctrl-C, and then go to <code>src/linux-$VERSION/</code>, download [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config this linux-hardened KCONFIG]] [5], and do <code>make menuconfig</code>, and select "load", and input the downloaded KCONFIG file's name.), preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config this linux-hardened KCONFIG]] [5] from the package "<code>kernel-hardening-checker</code>'s" repo as a base, for configuration simplicity sake. (Use the apk package "<code>kernel-hardening-checker</code>" for configuring KCONFIG file as securely as possible, as it contains some grsecurity and kspp kernel configuration suggestions and more.) | OPTIONAL: Before compiling the kernel, in [[Custom_Kernel|the Alpine Linux custom kernel guide]] [1], you must do some kernel module configurations (do this by <code>abuild -rK</code> for a few seconds, then exiting by Ctrl-C, and then go to <code>src/linux-$VERSION/</code>, download [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config this linux-hardened KCONFIG]] [5], and do <code>make menuconfig</code>, and select "load", and input the downloaded KCONFIG file's name.), preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [[https://github.com/a13xp0p0v/kernel-hardening-checker/blob/master/kernel_hardening_checker/config_files/distros/Arch_hardened_x86_64.config this linux-hardened KCONFIG]] [5] from the package "<code>kernel-hardening-checker</code>'s" repo as a base, for configuration simplicity sake. (Use the apk package "<code>kernel-hardening-checker</code>" for configuring KCONFIG file as securely as possible, as it contains some grsecurity and kspp kernel configuration suggestions and more.) | ||
{{Tip| For a more up-to-date kernel, or just download the hardened arch kernel source, you could use this command to get from Arch Repo (must use gnu wget and zstd - <code>apk add wget zstd</code>) (You CANNOT use this kernel with <code>kernel-hooks</code> as it has "EXTRAVERSION" in the patch of this precompiled kernel, so must compile your own linux-hardened if using <code>kernel-hooks</code>): | {{Tip| For a more up-to-date kernel, or just download the hardened arch kernel source, you could use this command to get from Arch Repo (must use gnu wget and zstd - <code>apk add wget zstd</code>) (You CANNOT use this kernel with <code>kernel-hooks</code> as it has "EXTRAVERSION" in the patch of this precompiled kernel, so must compile your own linux-hardened if using <code>kernel-hooks</code>): | ||
{{cmd|mkdir arch | {{cmd|mkdir arch | ||
cd arch | cd arch | ||
| Line 66: | Line 71: | ||
tar -xvf linux-hardened-docs.pkg.tar.zst}} | tar -xvf linux-hardened-docs.pkg.tar.zst}} | ||
---- | ---- | ||
After, do <code>cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config</code> | After, do <code>cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config</code> | ||
}} | }} | ||
| Line 75: | Line 80: | ||
{{Note| Continuing from the above OPTIONAL paragraph, do <code>cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config</code> when finished configuring KCONFIG kernel file.}} | {{Note| Continuing from the above OPTIONAL paragraph, do <code>cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config</code> when finished configuring KCONFIG kernel file.}} | ||
{{Note| <code>$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config</code> is the kernel for virtualization (QEMU, Boxes, VirtualBox, Xen), do not customize this for this wiki.}} | {{Note| <code>$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config</code> is the kernel for virtualization (QEMU, Boxes, VirtualBox, Xen), do not customize this for this wiki.}} | ||
After applying this, you may do <code>cd $YOUR_WORK_DIR/aports/main/linux-lts</code> and <code>abuild checksum && abuild -r</code> to start compiling the kernel. | After applying this, you may do <code>cd $YOUR_WORK_DIR/aports/main/linux-lts</code> and <code>abuild checksum && abuild -r</code> to start compiling the kernel. | ||
Revision as of 00:11, 10 December 2024
Why Linux-Hardened Kernel?
You may want to get a more security focused kernel, custom private syscalls (only if you compile it for yourself and is not publicly shown), apply Grsecurity/KSPP/GrapheneOS kernel hardening suggestions and remove attack surface from the kernel (with the kernel-hardening-checker APK package).
Developing linux-kernel with hardened patch
/etc/apk/repositories
Make a custom linux kernel using this guide [1]. Once you have setup the linux kernel from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), gather linux hardened patches via these two CLI commands (Replace "$VERSION" with the current latest version in the releases):
$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch 0006-linux-hardened-v$VERSION-hardened1.patch
$ wget https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig 0007-linux-hardened-v$VERSION-hardened1.patch.sig
In the "APKBUILD" file, change this "source" line to this:
Contents of ./APKBUILD
In "APKBUILD" file again, change "pkgver" and "pkgrel" to the same as the releases patch file's "$VERSION"
Contents of ./APKBUILD
You may change the pkg name's flavor (if you do that, replace all words "lts" with your preferred flavor name), but for this wiki it'll just be LTS
Contents of ./APKBUILD
There is some need to remove "-hardened1" in the patch file (not the sig file):
Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch
EXTRAVERSION" naming ("-hardened1") after it, or installing the package "kernel-hooks" would not do anything, as this "EXTRAVERSION" is not necessary. ("kernel-hooks" apk package is necessary to make a secureboot EFISTUB) [2].
Linux-hardened kernel configuration
OPTIONAL: Before compiling the kernel, in the Alpine Linux custom kernel guide [1], you must do some kernel module configurations (do this by abuild -rK for a few seconds, then exiting by Ctrl-C, and then go to src/linux-$VERSION/, download [this linux-hardened KCONFIG] [5], and do make menuconfig, and select "load", and input the downloaded KCONFIG file's name.), preferably shorten the amount of kernel modules in the KCONFIG files where possible, to reduce compilation times. You may borrow [this linux-hardened KCONFIG] [5] from the package "kernel-hardening-checker's" repo as a base, for configuration simplicity sake. (Use the apk package "kernel-hardening-checker" for configuring KCONFIG file as securely as possible, as it contains some grsecurity and kspp kernel configuration suggestions and more.)
apk add wget zstd) (You CANNOT use this kernel with kernel-hooks as it has "EXTRAVERSION" in the patch of this precompiled kernel, so must compile your own linux-hardened if using kernel-hooks):
mkdir arch cd arch wget -O linux-hardened.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened/download/ wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/ wget -O linux-hardened-docs.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-docs/download/ tar -xvf linux-hardened.pkg.tar.zst tar -xvf linux-hardened-headers.pkg.tar.zst tar -xvf linux-hardened-docs.pkg.tar.zst
After, do cd .. && cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config
kernel-hardening-checker, do mkdir kernel-hardening-checker && cd kernel-hardening-checker, and you should acquire THREE files in the current directory: one with sysctl parameters ("sysctl.conf"), one with boot parameters ("secureboot.conf" if you use kernel-hooks and secureboot-hooks apk packages), and the KCONFIG file ("Arch_hardened_x86_64.config"). And then run with this CLI command: $ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./secureboot.conf
Afterwards do
cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts so you dont lose this directory when it finishes compiling the kernel (it deletes the src directory).cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config when finished configuring KCONFIG kernel file.$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config is the kernel for virtualization (QEMU, Boxes, VirtualBox, Xen), do not customize this for this wiki.After applying this, you may do cd $YOUR_WORK_DIR/aports/main/linux-lts and abuild checksum && abuild -r to start compiling the kernel.
When the compile has successfully completed, you should see ~/packages/main/$ARCH/linux-lts-$VERSION.apk and may install by apk add linux-lts=$VERSION(make sure to do apk update, and that /etc/apk/repositories contains $YOUR_USERS_HOME_DIR/packages/main.
External Links:
Custom Kernel (AlpineWiki):
- Custom_Kernel [1]
EFIStub (Secure Boot) (AlpineWiki):
- UEFI_Secure_Boot [2]