Linux-libre Hardened

jxself
Joined: 09/13/2010

Based on the conversation from https://trisquel.info/en/forum/how-come-hardened-kernel-isnt-more-popular I'm looking into building a security-hardened version of Linux-libre. There's a number of things that could be done in that area and the purpose of this thread is to talk of that.

Hardening Linux is a large topic and there's a lot that could be done. What I'm looking at doing is reviewing and incorporating this: https://github.com/a13xp0p0v/kconfig-hardened-check

However: I want to avoid a repeat of what happened with grsecurity so my plan is to only focus on those things that are present in upstream Linux - No out-of-tree patches. From my point of view, desirable security features can be submitted to upstream Linux via the normal review and inclusion process and make their way into normal kernel releases, to be enabled by me in the builds.

Thoughts? Ideas? Comments?
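
As an added illustration of what the kconfig-hardened-check approach amounts to (this is example code written for this thread, not the tool's own code, and not part of the original post), here is a minimal checker that reads a kernel `.config` and compares a handful of well-known in-tree hardening options against expected values. The option list is a small illustrative subset chosen for the example; the real tool's list is far longer and varies by architecture and kernel version. The sample `.config` fragment is constructed for the example.

```python
"""Minimal checker for upstream kernel hardening options in a .config.

Added example, not kconfig-hardened-check's own code. It reads the plain
"CONFIG_FOO=y" / "# CONFIG_FOO is not set" format and compares a small,
illustrative subset of in-tree options against expected values.
"""
import re
from dataclasses import dataclass

# Expected values: "y" / "n" are Kconfig booleans, anything else is an exact
# value. An option that is absent from the file is accepted when "n" is
# expected (e.g. CONFIG_DEVKMEM no longer exists in recent kernels).
CHECKS = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON": "y",
    "CONFIG_BUG_ON_DATA_CORRUPTION": "y",
    "CONFIG_DEBUG_LIST": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
}

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: value}; '# ... is not set' lines map to 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


@dataclass
class Result:
    option: str
    expected: str
    actual: str   # "(absent)" when the option does not appear in the file
    ok: bool


def check_config(text, checks=CHECKS):
    """Compare every option in `checks` against the parsed .config."""
    values = parse_config(text)
    results = []
    for option, expected in checks.items():
        actual = values.get(option)
        if actual is None:
            ok = expected == "n"     # absent is as good as disabled
            actual = "(absent)"
        else:
            ok = actual == expected
        results.append(Result(option, expected, actual, ok))
    return results


def failures(text, checks=CHECKS):
    """Only the checks that did not pass."""
    return [r for r in check_config(text, checks) if not r.ok]


# Constructed sample: a distro-style .config fragment with several
# hardening options left at non-hardened values.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DEBUG_LIST=y
CONFIG_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for r in check_config(text):
        status = "OK  " if r.ok else "FAIL"
        print(f"{status} {r.option}: expected {r.expected}, got {r.actual}")
```

Run it with a path to a real `.config` (or `/boot/config-$(uname -r)` on most distros) to see which of the subset are off; on the constructed sample it reports six failures. This is exactly the kind of list that a builder following the "upstream-only" plan can act on, since every option here is a normal in-tree Kconfig switch.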

jxself
Joined: 09/13/2010

Another topic I forgot to ask about: My current kernel builds (via https://www.fsfla.org/ikiwiki/selibre/linux-libre/freesh.en.html) follow all active kernel series. This is currently 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, 5.16, and 5.17.

Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)

PublicLewdness
Joined: 03/15/2020

"Another topic I forgot to ask about: My current kernel builds (via https://www.fsfla.org/ikiwiki/selibre/linux-libre/freesh.en.html) follow all active kernel series. This is currently 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, 5.16, and 5.17.

Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)"

I'd say targeting the latest (5.17 currently) and latest LTS (5.15 currently) would target the most users without adding a lot more work.

andyprough
Joined: 02/12/2015

>"Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)"

I would do the latest, the latest LTS, and whatever version Trisquel is currently using. That should give people enough options.

>"Thoughts? Ideas? Comments?"

Keep in mind, a lot of the latest hardening ideas probably only pertain to enterprise users or cloud farm outfits like Fakebook or Scroogle or Scamazon. If I were making a hardened kernel I'd make it for desktop users and for people running smaller servers, and skip all the Fakebook/Scroogle/Scamazon nonsense. And I'd try to do it in a way that did not massively sacrifice performance.

PublicLewdness
Joined: 03/15/2020

"Keep in mind, a lot of the latest hardening ideas probably only pertain to enterprise users or cloud farm outfits like Fakebook or Scroogle or Scamazon. If I were making a hardened kernel I'd make it for desktop users and for people running smaller servers, and skip all the Fakebook/Scroogle/Scamazon nonsense. And I'd try to do it in a way that did not massively sacrifice performance."

Helping out the normal users with desktops and laptops would be ideal and most beneficial I'd say.

PublicLewdness
Joined: 03/15/2020

"However: I want to avoid a repeat of what happened with grsecurity so my plan is to only focus on those things that are present in upstream Linux - No out-of-tree patches. From my point of view, desirable security features can be submitted to upstream Linux via the normal review and inclusion process and make their way into normal kernel releases, to be enabled by me in the builds."

This sounds like the practical way to go.

gaseousness
Joined: 08/25/2020

https://mirror.fsf.org/trisquel/pool/main/h/hardening-runtime/

There's a hardening-runtime package one may be interested in installing from the repos for some stuff like this.