plague-kernel

local clone of plague kernel (not owned by me)

Go to file

optout f9df8767a7 Build script fix to KVER standard variable \| additional trimming & general config tweaks		2024-02-01 14:59:50 +00:00
5.10-hardened.config	Upgraded kernel config / created config for 5.15 / updated steps	2022-10-27 16:01:46 +00:00
5.15-hardened.config	Upgraded kernel config / created config for 5.15 / updated steps	2022-10-27 16:01:46 +00:00
6.6.13-hardened1.config	Build script fix to KVER standard variable \| additional trimming & general config tweaks	2024-02-01 14:59:50 +00:00
fedora_build.sh	Build script fix to KVER standard variable \| additional trimming & general config tweaks	2024-02-01 14:59:50 +00:00
README.md	Build script for Fedora added \| Documentation update	2024-01-25 19:46:14 +00:00
void_build.sh	Build script for Fedora added \| Documentation update	2024-01-25 19:46:14 +00:00

README.md

Steps to create

Set the KVER variable to which version you want to obtain from Anthraxx's linux-hardened repository
Run bash void_build.sh if running Void Linux OR bash fedora_build.sh if running Fedora

Additional Resources:

Trimming Efforts

While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.

Current kconfig-hardened-check results

Successes

Option	Desired Value	Source	Reason	Result
CONFIG_BUG	y	defconfig	self_protection	OK
CONFIG_THREAD_INFO_IN_TASK	y	defconfig	self_protection	OK
CONFIG_IOMMU_SUPPORT	y	defconfig	self_protection	OK
CONFIG_STACKPROTECTOR	y	defconfig	self_protection	OK
CONFIG_STACKPROTECTOR_STRONG	y	defconfig	self_protection	OK
CONFIG_STRICT_KERNEL_RWX	y	defconfig	self_protection	OK
CONFIG_STRICT_MODULE_RWX	y	defconfig	self_protection	OK
CONFIG_REFCOUNT_FULL	y	defconfig	self_protection	OK: version >= 5.5
CONFIG_INIT_STACK_ALL_ZERO	y	defconfig	self_protection	OK
CONFIG_RANDOMIZE_BASE	y	defconfig	self_protection	OK
CONFIG_VMAP_STACK	y	defconfig	self_protection	OK
CONFIG_SPECULATION_MITIGATIONS	y	defconfig	self_protection	OK
CONFIG_DEBUG_WX	y	defconfig	self_protection	OK
CONFIG_WERROR	y	defconfig	self_protection	OK
CONFIG_X86_MCE	y	defconfig	self_protection	OK
CONFIG_X86_MCE_INTEL	y	defconfig	self_protection	OK
CONFIG_X86_MCE_AMD	y	defconfig	self_protection	OK
CONFIG_RETPOLINE	y	defconfig	self_protection	OK
CONFIG_SYN_COOKIES	y	defconfig	self_protection	OK
CONFIG_MICROCODE	y	defconfig	self_protection	OK
CONFIG_MICROCODE_INTEL	y	defconfig	self_protection	OK: CONFIG_MICROCODE is "y"
CONFIG_MICROCODE_AMD	y	defconfig	self_protection	OK: CONFIG_MICROCODE is "y"
CONFIG_X86_SMAP	y	defconfig	self_protection	OK: version >= 5.19
CONFIG_X86_UMIP	y	defconfig	self_protection	OK
CONFIG_PAGE_TABLE_ISOLATION	y	defconfig	self_protection	OK
CONFIG_RANDOMIZE_MEMORY	y	defconfig	self_protection	OK
CONFIG_X86_KERNEL_IBT	y	defconfig	self_protection	OK
CONFIG_CPU_SRSO	y	defconfig	self_protection	OK
CONFIG_INTEL_IOMMU	y	defconfig	self_protection	OK
CONFIG_AMD_IOMMU	y	defconfig	self_protection	OK
CONFIG_BUG_ON_DATA_CORRUPTION	y	kspp	self_protection	OK
CONFIG_SLAB_FREELIST_HARDENED	y	kspp	self_protection	OK
CONFIG_SLAB_FREELIST_RANDOM	y	kspp	self_protection	OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR	y	kspp	self_protection	OK
CONFIG_FORTIFY_SOURCE	y	kspp	self_protection	OK
CONFIG_DEBUG_LIST	y	kspp	self_protection	OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON	y	kspp	self_protection	OK
CONFIG_SCHED_CORE	y	kspp	self_protection	OK
CONFIG_SCHED_STACK_END_CHECK	y	kspp	self_protection	OK
CONFIG_KFENCE	y	kspp	self_protection	OK
CONFIG_KFENCE_SAMPLE_INTERVAL	is not off	my	self_protection	OK: is not off, "100"
CONFIG_HARDENED_USERCOPY	y	kspp	self_protection	OK
CONFIG_HARDENED_USERCOPY_FALLBACK	is not set	kspp	self_protection	OK: is not found
CONFIG_HARDENED_USERCOPY_PAGESPAN	is not set	kspp	self_protection	OK: is not found
CONFIG_MODULE_SIG	y	kspp	self_protection	OK
CONFIG_MODULE_SIG_ALL	y	kspp	self_protection	OK
CONFIG_MODULE_SIG_SHA512	y	kspp	self_protection	OK
CONFIG_MODULE_SIG_FORCE	y	kspp	self_protection	OK
CONFIG_INIT_ON_FREE_DEFAULT_ON	y	kspp	self_protection	OK
CONFIG_EFI_DISABLE_PCI_DMA	y	kspp	self_protection	OK
CONFIG_RESET_ATTACK_MITIGATION	y	kspp	self_protection	OK
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT	y	kspp	self_protection	OK
CONFIG_HW_RANDOM_TPM	y	kspp	self_protection	OK
CONFIG_DEFAULT_MMAP_MIN_ADDR	65536	kspp	self_protection	OK
CONFIG_IOMMU_DEFAULT_DMA_STRICT	y	kspp	self_protection	OK
CONFIG_IOMMU_DEFAULT_PASSTHROUGH	is not set	kspp	self_protection	OK
CONFIG_INTEL_IOMMU_DEFAULT_ON	y	kspp	self_protection	OK
CONFIG_SLS	y	kspp	self_protection	OK
CONFIG_INTEL_IOMMU_SVM	y	kspp	self_protection	OK
CONFIG_AMD_IOMMU_V2	y	kspp	self_protection	OK
CONFIG_SLAB_MERGE_DEFAULT	is not set	clipos	self_protection	OK
CONFIG_LIST_HARDENED	y	my	self_protection	OK
CONFIG_RANDOM_KMALLOC_CACHES	y	my	self_protection	OK
CONFIG_SECURITY	y	defconfig	security_policy	OK
CONFIG_SECURITY_YAMA	y	kspp	security_policy	OK
CONFIG_SECURITY_LANDLOCK	y	kspp	security_policy	OK
CONFIG_SECURITY_SELINUX_DISABLE	is not set	kspp	security_policy	OK: is not found
CONFIG_SECURITY_LOCKDOWN_LSM	y	kspp	security_policy	OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY	y	kspp	security_policy	OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY	y	kspp	security_policy	OK
CONFIG_SECURITY_WRITABLE_HOOKS	is not set	kspp	security_policy	OK: is not found
CONFIG_SECURITY_SELINUX_DEBUG	is not set	my	security_policy	OK
CONFIG_SECURITY_SELINUX	y	my	security_policy	OK
CONFIG_SECCOMP	y	defconfig	cut_attack_surface	OK
CONFIG_SECCOMP_FILTER	y	defconfig	cut_attack_surface	OK
CONFIG_BPF_UNPRIV_DEFAULT_OFF	y	defconfig	cut_attack_surface	OK
CONFIG_STRICT_DEVMEM	y	defconfig	cut_attack_surface	OK: CONFIG_DEVMEM is "is not set"
CONFIG_X86_INTEL_TSX_MODE_OFF	y	defconfig	cut_attack_surface	OK
CONFIG_SECURITY_DMESG_RESTRICT	y	kspp	cut_attack_surface	OK
CONFIG_ACPI_CUSTOM_METHOD	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_COMPAT_BRK	is not set	kspp	cut_attack_surface	OK
CONFIG_DEVKMEM	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_INET_DIAG	is not set	kspp	cut_attack_surface	OK
CONFIG_KEXEC	is not set	kspp	cut_attack_surface	OK
CONFIG_PROC_KCORE	is not set	kspp	cut_attack_surface	OK
CONFIG_LEGACY_PTYS	is not set	kspp	cut_attack_surface	OK
CONFIG_HIBERNATION	is not set	kspp	cut_attack_surface	OK
CONFIG_COMPAT	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_IA32_EMULATION	is not set	kspp	cut_attack_surface	OK
CONFIG_X86_X32	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_X86_X32_ABI	is not set	kspp	cut_attack_surface	OK
CONFIG_MODIFY_LDT_SYSCALL	is not set	kspp	cut_attack_surface	OK
CONFIG_OABI_COMPAT	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_X86_MSR	is not set	kspp	cut_attack_surface	OK
CONFIG_LEGACY_TIOCSTI	is not set	kspp	cut_attack_surface	OK
CONFIG_DEVMEM	is not set	kspp	cut_attack_surface	OK
CONFIG_IO_STRICT_DEVMEM	y	kspp	cut_attack_surface	OK: CONFIG_DEVMEM is "is not set"
CONFIG_LDISC_AUTOLOAD	is not set	kspp	cut_attack_surface	OK
CONFIG_COMPAT_VDSO	is not set	kspp	cut_attack_surface	OK: is not found
CONFIG_X86_VSYSCALL_EMULATION	is not set	kspp	cut_attack_surface	OK
CONFIG_ZSMALLOC_STAT	is not set	grsec	cut_attack_surface	OK
CONFIG_PAGE_OWNER	is not set	grsec	cut_attack_surface	OK
CONFIG_DEBUG_KMEMLEAK	is not set	grsec	cut_attack_surface	OK
CONFIG_BINFMT_AOUT	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_KPROBE_EVENTS	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_UPROBE_EVENTS	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_GENERIC_TRACER	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_FUNCTION_TRACER	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_STACK_TRACER	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_HIST_TRIGGERS	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_BLK_DEV_IO_TRACE	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_PROC_VMCORE	is not set	grsec	cut_attack_surface	OK
CONFIG_PROC_PAGE_MONITOR	is not set	grsec	cut_attack_surface	OK
CONFIG_USELIB	is not set	grsec	cut_attack_surface	OK
CONFIG_CHECKPOINT_RESTORE	is not set	grsec	cut_attack_surface	OK
CONFIG_USERFAULTFD	is not set	grsec	cut_attack_surface	OK
CONFIG_HWPOISON_INJECT	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_MEM_SOFT_DIRTY	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_DEVPORT	is not set	grsec	cut_attack_surface	OK
CONFIG_DEBUG_FS	is not set	grsec	cut_attack_surface	OK
CONFIG_NOTIFIER_ERROR_INJECTION	is not set	grsec	cut_attack_surface	OK
CONFIG_FAIL_FUTEX	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_PUNIT_ATOM_DEBUG	is not set	grsec	cut_attack_surface	OK
CONFIG_ACPI_CONFIGFS	is not set	grsec	cut_attack_surface	OK
CONFIG_EDAC_DEBUG	is not set	grsec	cut_attack_surface	OK
CONFIG_DRM_I915_DEBUG	is not set	grsec	cut_attack_surface	OK
CONFIG_BCACHE_CLOSURES_DEBUG	is not set	grsec	cut_attack_surface	OK
CONFIG_DVB_C8SECTPFE	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_MTD_SLRAM	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_MTD_PHRAM	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_IO_URING	is not set	grsec	cut_attack_surface	OK
CONFIG_RSEQ	is not set	grsec	cut_attack_surface	OK
CONFIG_LATENCYTOP	is not set	grsec	cut_attack_surface	OK
CONFIG_KCOV	is not set	grsec	cut_attack_surface	OK
CONFIG_PROVIDE_OHCI1394_DMA_INIT	is not set	grsec	cut_attack_surface	OK
CONFIG_SUNRPC_DEBUG	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_PTDUMP_DEBUGFS	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_DRM_LEGACY	is not set	maintainer	cut_attack_surface	OK
CONFIG_BLK_DEV_FD	is not set	maintainer	cut_attack_surface	OK: is not found
CONFIG_BLK_DEV_FD_RAWCMD	is not set	maintainer	cut_attack_surface	OK: is not found
CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT	is not set	maintainer	cut_attack_surface	OK: is not found
CONFIG_STAGING	is not set	clipos	cut_attack_surface	OK
CONFIG_KSM	is not set	clipos	cut_attack_surface	OK
CONFIG_KALLSYMS	is not set	clipos	cut_attack_surface	OK
CONFIG_MAGIC_SYSRQ	is not set	clipos	cut_attack_surface	OK
CONFIG_KEXEC_FILE	is not set	clipos	cut_attack_surface	OK
CONFIG_X86_CPUID	is not set	clipos	cut_attack_surface	OK
CONFIG_X86_IOPL_IOPERM	is not set	clipos	cut_attack_surface	OK
CONFIG_ACPI_TABLE_UPGRADE	is not set	clipos	cut_attack_surface	OK
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS	is not set	clipos	cut_attack_surface	OK
CONFIG_AIO	is not set	clipos	cut_attack_surface	OK
CONFIG_EFI_TEST	is not set	lockdown	cut_attack_surface	OK
CONFIG_MMIOTRACE_TEST	is not set	lockdown	cut_attack_surface	OK: is not found
CONFIG_KPROBES	is not set	lockdown	cut_attack_surface	OK
CONFIG_MMIOTRACE	is not set	my	cut_attack_surface	OK: is not found
CONFIG_LIVEPATCH	is not set	my	cut_attack_surface	OK: is not found
CONFIG_IP_DCCP	is not set	my	cut_attack_surface	OK
CONFIG_IP_SCTP	is not set	my	cut_attack_surface	OK
CONFIG_FTRACE	is not set	my	cut_attack_surface	OK
CONFIG_VIDEO_VIVID	is not set	my	cut_attack_surface	OK
CONFIG_INPUT_EVBUG	is not set	my	cut_attack_surface	OK
CONFIG_KGDB	is not set	my	cut_attack_surface	OK
CONFIG_CORESIGHT	is not set	my	cut_attack_surface	OK: is not found
CONFIG_XFS_SUPPORT_V4	is not set	my	cut_attack_surface	OK: is not found
CONFIG_TRIM_UNUSED_KSYMS	y	my	cut_attack_surface	OK
CONFIG_MODULE_FORCE_LOAD	is not set	my	cut_attack_surface	OK
CONFIG_COREDUMP	is not set	clipos	harden_userspace	OK
CONFIG_ARCH_MMAP_RND_BITS	32	my	harden_userspace	OK

Fails

Option	Desired Value	Source	Reason	Result
CONFIG_SLUB_DEBUG	y	defconfig	self_protection	FAIL: "is not set"
CONFIG_GCC_PLUGINS	y	defconfig	self_protection	FAIL: is not found
CONFIG_DEBUG_VIRTUAL	y	kspp	self_protection	FAIL: "is not set"
CONFIG_DEBUG_SG	y	kspp	self_protection	FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS	y	kspp	self_protection	FAIL: is not found
CONFIG_STATIC_USERMODEHELPER	y	kspp	self_protection	FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS	y	kspp	self_protection	FAIL: "is not set"
CONFIG_RANDSTRUCT_FULL	y	kspp	self_protection	FAIL: is not found
CONFIG_RANDSTRUCT_PERFORMANCE	is not set	kspp	self_protection	FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
CONFIG_GCC_PLUGIN_LATENT_ENTROPY	y	kspp	self_protection	FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_UBSAN_BOUNDS	y	kspp	self_protection	FAIL: is not found
CONFIG_UBSAN_LOCAL_BOUNDS	y	kspp	self_protection	FAIL: is not found
CONFIG_UBSAN_TRAP	y	kspp	self_protection	FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_UBSAN_SANITIZE_ALL	y	kspp	self_protection	FAIL: CONFIG_UBSAN_BOUNDS is not "y"
CONFIG_GCC_PLUGIN_STACKLEAK	y	kspp	self_protection	FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_METRICS	is not set	kspp	self_protection	FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE	is not set	kspp	self_protection	FAIL: CONFIG_GCC_PLUGINS is not "y"
CONFIG_CFI_CLANG	y	kspp	self_protection	FAIL: is not found
CONFIG_CFI_PERMISSIVE	is not set	kspp	self_protection	FAIL: CONFIG_CFI_CLANG is not "y"
CONFIG_SECURITY_SELINUX_BOOTPARAM	is not set	kspp	security_policy	FAIL: "y"
CONFIG_SECURITY_SELINUX_DEVELOP	is not set	kspp	security_policy	FAIL: "y"
CONFIG_BINFMT_MISC	is not set	kspp	cut_attack_surface	FAIL: "m"
CONFIG_MODULES	is not set	kspp	cut_attack_surface	FAIL: "y"
CONFIG_FAIL_FUTEX	is not set	grsec	cut_attack_surface	OK: is not found
CONFIG_KCMP	is not set	grsec	cut_attack_surface	FAIL: "y"
CONFIG_FB	is not set	maintainer	cut_attack_surface	FAIL: "y"
CONFIG_VT	is not set	maintainer	cut_attack_surface	FAIL: "y"
CONFIG_USER_NS	is not set	clipos	cut_attack_surface	FAIL: "y"
CONFIG_BPF_SYSCALL	is not set	lockdown	cut_attack_surface	FAIL: "y"

[+] Config check is finished: 'OK' - 168 / 'FAIL' - 28