Hardened linux

Why Linux-Hardened Kernel?
You may want a more security-focused kernel: custom private syscalls (only meaningful if you build the kernel yourself and never publish the source, and even then this is obscurity rather than a security boundary), the Grsecurity/KSPP/GrapheneOS kernel hardening recommendations applied, and attack surface removed from the kernel (guided by the kernel-hardening-checker APK package).
Developing linux-kernel with hardened patch

/etc/apk/repositories
Make a custom linux kernel using this guide [1]. Once you have set up the linux kernel from there, in your current directory ($YOUR_WORK_DIR/aports/main/linux-lts), fetch the linux-hardened patch and its detached signature with these two commands (replace "$VERSION" with the latest version in the releases; the "-hardened1" suffix is the patch revision and is higher for some releases). wget needs -O to write to the 0006-/0007- file names; a second bare argument is treated as another URL:
$ wget -O 0006-linux-hardened-v$VERSION-hardened1.patch https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch
$ wget -O 0007-linux-hardened-v$VERSION-hardened1.patch.sig https://github.com/anthraxx/linux-hardened/releases/download/v$VERSION-hardened1/linux-hardened-v$VERSION-hardened1.patch.sig
Verify the signature before using the patch (gpg --verify 0007-linux-hardened-v$VERSION-hardened1.patch.sig 0006-linux-hardened-v$VERSION-hardened1.patch, with the maintainer's public key imported into your keyring); downloading the .sig file achieves nothing on its own.
In the "APKBUILD" file, add the patch and its signature to the "source" list:
Contents of ./APKBUILD
In the "APKBUILD" file again, set "pkgver" to the patch's "$VERSION" and reset "pkgrel" (normally to 0, since this is a new pkgver; pkgrel is an integer release counter, not a version):
Contents of ./APKBUILD
You may change the package flavor name (if you do, replace every "lts" with your preferred flavor name, including the flavor config file name lts.x86_64.config), but this wiki keeps LTS:
Contents of ./APKBUILD
The patch also changes EXTRAVERSION in the top-level Makefile to "-hardened1". Remove that change from the patch file (not from the .sig file; note that the signature no longer matches the edited patch, so verify it before editing):
Contents of ./0006-linux-hardened-v$VERSION-hardened1.patch
Otherwise the kernel release string carries the "-hardened1" EXTRAVERSION suffix and installing the "kernel-hooks" package would not do anything, since that suffix is not part of Alpine's kernel naming. (The "kernel-hooks" apk package is needed to build a Secure Boot EFI stub) [2].
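The fetch, verify and EXTRAVERSION steps above as one script. This is an added example written for this page, not code from the wiki or from the linux-hardened project. It assumes the maintainer's public key is already in your gpg keyring and that the patch revision suffix is "-hardened1" (pass another suffix as the second argument). The Makefile hunk at the bottom is constructed in the shape of the real one so the rewrite can be exercised offline.

```shell
#!/bin/sh
# Added example for this page, not the wiki's or linux-hardened's own code.
# Fetches the linux-hardened patch for a version, verifies its detached
# signature and neutralises the EXTRAVERSION hunk so the kernel release string
# keeps Alpine's naming (kernel-hooks expects no "-hardened1" suffix).
set -eu

# extraversion_set <patch>: succeed if the patch still sets a non-empty EXTRAVERSION.
extraversion_set() {
    grep -q '^[+]EXTRAVERSION = .' "$1"
}

# neutralise_extraversion <patch> [suffix]: turn "+EXTRAVERSION = -hardened1"
# into "+EXTRAVERSION =". Editing the "+" line in place keeps the @@ line
# counts of the hunk valid; deleting the line would corrupt the patch.
neutralise_extraversion() {
    suffix="${2:--hardened1}"
    sed -i "s/^[+]EXTRAVERSION = ${suffix}\$/+EXTRAVERSION =/" "$1"
}

# fetch_hardened_patch <version> [suffix]: download patch + .sig under the
# 0006-/0007- names used on this page, verify, then neutralise EXTRAVERSION.
# Assumption: the signing key is already imported; gpg --verify fails
# otherwise and set -e stops the script before the unverified patch is touched.
fetch_hardened_patch() {
    ver="$1"; suffix="${2:--hardened1}"
    base="https://github.com/anthraxx/linux-hardened/releases/download/v${ver}${suffix}"
    patch="0006-linux-hardened-v${ver}${suffix}.patch"
    sig="0007-linux-hardened-v${ver}${suffix}.patch.sig"
    wget -O "$patch" "${base}/linux-hardened-v${ver}${suffix}.patch"
    wget -O "$sig"   "${base}/linux-hardened-v${ver}${suffix}.patch.sig"
    gpg --verify "$sig" "$patch"   # verify BEFORE editing: the edit invalidates the signature
    neutralise_extraversion "$patch" "$suffix"
    echo "$patch ready; list $patch and $sig in APKBUILD source= and run abuild checksum"
}

# write_sample_patch <path>: constructed Makefile hunk (not the real patch)
# with valid @@ counts, so the rewrite can be tested offline.
write_sample_patch() {
    cat > "$1" <<'EOF'
--- a/Makefile
+++ b/Makefile
@@ -2,5 +2,5 @@
 VERSION = 6
 PATCHLEVEL = 6
 SUBLEVEL = 0
-EXTRAVERSION =
+EXTRAVERSION = -hardened1
 NAME = Hurr durr I'ma ninja sloth
EOF
}

sample=$(mktemp)
write_sample_patch "$sample"
neutralise_extraversion "$sample"
grep -n 'EXTRAVERSION' "$sample"   # both lines now read "EXTRAVERSION =": the hunk is a no-op

# Real run only when a version is given, e.g.:  sh prep-hardened-patch.sh 6.6.30
if [ -n "${1:-}" ]; then
    fetch_hardened_patch "$1" "${2:--hardened1}"
fi
```

Once the patch and its signature are listed in the APKBUILD, abuild checksum records their sha512 in the APKBUILD and abuild verifies against that on every build, so the gpg check only has to happen once, at vendoring time.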
Linux-hardened kernel configuration

OPTIONAL: Before compiling the kernel as described in the Alpine Linux custom kernel guide [1], adjust the kernel configuration. First get the sources unpacked into src/linux-$VERSION/: either run abuild -rK for a few seconds and stop it with Ctrl-C, or run abuild prepare, which fetches, unpacks and patches the sources without starting a build. Then, inside src/linux-$VERSION/, download the Arch Linux linux-hardened KCONFIG to use as a starting point:
$ doas apk add zstd tar
$ mkdir arch && cd arch
$ wget -O linux-hardened-headers.pkg.tar.zst https://archlinux.org/packages/extra/x86_64/linux-hardened-headers/download/
$ tar -xvf linux-hardened-headers.pkg.tar.zst
$ cd ..
$ cp ./arch/usr/src/linux-hardened/.config ./Arch_hardened_x86_64.config
$ mv ./arch ../../
Then run make menuconfig, select "Load", and enter the downloaded KCONFIG file's name, Arch_hardened_x86_64.config. If the Arch config targets a different kernel version than the one you are building, run make olddefconfig first (or answer the new symbols in menuconfig) so new options get defaults instead of silently dropping out. Preferably reduce the number of kernel modules in the KCONFIG where possible, to shorten compilation times; the Arch Linux hardened KCONFIG is a reasonable base for that. Use the apk package "kernel-hardening-checker" to make the KCONFIG as secure as possible; it contains grsecurity and KSPP kernel configuration recommendations and more.
For kernel-hardening-checker, create a working directory (mkdir kernel-hardening-checker && cd kernel-hardening-checker) and put THREE files in it: the sysctl parameters of the running system (doas sysctl -a > sysctl.conf), the kernel command line (cat /proc/cmdline > cmdline.conf; it is /proc/cmdline, not /proc/version, which only holds the version banner), and the KCONFIG file (Arch_hardened_x86_64.config). Then run:
$ kernel-hardening-checker -c ./Arch_hardened_x86_64.config -s ./sysctl.conf -l ./cmdline.conf
The sysctl and cmdline inputs describe the kernel you are running now, not the one you are building, so treat those results as a preview and re-run the check after booting the new kernel; the KCONFIG results are what matter for the build.
Afterwards, move the directory out of the source tree so it is not lost when the build finishes (abuild deletes the src directory on success):
$ cd .. && mv ./kernel-hardening-checker $YOUR_WORK_DIR/aports/main/linux-lts
When you are done configuring, copy the KCONFIG into place as the LTS flavor config:
$ cp $YOUR_WORK_DIR/aports/main/linux-lts/src/linux-$VERSION/Arch_hardened_x86_64.config $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config
$YOUR_WORK_DIR/aports/main/linux-lts/virt.x86_64.config is the configuration for the virtualization flavor (QEMU, Boxes, VirtualBox, Xen); do not customize it for this wiki. Then start compiling the kernel:
$ cd $YOUR_WORK_DIR/aports/main/linux-lts && abuild checksum && abuild -r
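A minimal configuration gate to run before abuild -r, as an added example for this page (not the wiki's code, and not a replacement for kernel-hardening-checker, which covers far more options and the cmdline/sysctl side): it checks a KCONFIG file against a short policy list and returns non-zero if any option is wrong, so a config regression stops the build instead of shipping. The policy is a hand-picked subset of the KSPP recommendations and is an assumption to extend; the two sample configs are constructed so the script runs offline. Point the same function at lts.x86_64.config in the aports tree for real use.

```shell
#!/bin/sh
# Added example for this page, not the wiki's or kernel-hardening-checker's code.
# Fails a KCONFIG that drops hardening options. The policy below is a small,
# hand-picked subset of the KSPP recommendations (assumption: extend it).
set -eu

# "<option> <expected>" per line; expected is y or n.
KCONFIG_POLICY='
CONFIG_STACKPROTECTOR_STRONG y
CONFIG_RANDOMIZE_BASE y
CONFIG_SLAB_FREELIST_RANDOM y
CONFIG_SLAB_FREELIST_HARDENED y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON y
CONFIG_HARDENED_USERCOPY y
CONFIG_FORTIFY_SOURCE y
CONFIG_STRICT_KERNEL_RWX y
CONFIG_COMPAT_BRK n
CONFIG_DEVMEM n
'

# kconfig_violations <config>: print the number of violations to stdout and one
# "FAIL:" line per violation to stderr. In Kconfig output a disabled option is
# either "# CONFIG_X is not set" or simply absent, so "n" is checked as
# "no CONFIG_X=<value> line", never as a literal =n.
kconfig_violations() {
    cfg="$1"
    failures=0
    while read -r opt want; do
        [ -n "$opt" ] || continue
        case "$want" in
            y) grep -q "^${opt}=y\$" "$cfg" ||
                   { echo "FAIL: $opt must be =y" >&2; failures=$((failures + 1)); } ;;
            n) ! grep -q "^${opt}=" "$cfg" ||
                   { echo "FAIL: $opt must be disabled" >&2; failures=$((failures + 1)); } ;;
        esac
    done <<EOF
$KCONFIG_POLICY
EOF
    echo "$failures"
}

# check_kconfig <config>: exit status 0 only when the policy is fully met.
check_kconfig() {
    n=$(kconfig_violations "$1")
    echo "$1: $n violation(s)"
    [ "$n" -eq 0 ]
}

# Constructed sample configs (fragments, not real kernel configs).
tmp=$(mktemp -d)
cat > "$tmp/good.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_COMPAT_BRK is not set
# CONFIG_DEVMEM is not set
EOF
# bad: KASLR silently dropped (symbol absent) and /dev/mem enabled.
cat > "$tmp/bad.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_COMPAT_BRK is not set
CONFIG_DEVMEM=y
EOF

check_kconfig "$tmp/good.config"
check_kconfig "$tmp/bad.config" || echo "bad.config rejected, as intended"
# Real use: check_kconfig $YOUR_WORK_DIR/aports/main/linux-lts/lts.x86_64.config && abuild -r
```

The absent-symbol case is the one worth the extra care: when a config from another kernel version is loaded and an option's dependencies changed, make olddefconfig can drop it without a "# ... is not set" line, and a check that only greps for "=n" or "is not set" would miss that.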
When the build completes you will find ~/packages/main/$ARCH/linux-lts-$VERSION-r$PKGREL.apk (plus the linux-lts-dev subpackage) and can install it with apk add linux-lts=$VERSION-r$PKGREL. Before that, run apk update and make sure /etc/apk/repositories contains $YOUR_USERS_HOME_DIR/packages/main and that the public half of your abuild signing key is in /etc/apk/keys (abuild-keygen -a -i, as in the custom kernel guide [1]); otherwise apk rejects the locally built package as untrusted.
External Links:
Custom Kernel (AlpineWiki):
- Custom_Kernel [1]
EFIStub (Secure Boot) (AlpineWiki):
- UEFI_Secure_Boot [2]