Linux-libre Hardened
Based on the conversation from https://trisquel.info/en/forum/how-come-hardened-kernel-isnt-more-popular I'm looking into building a security-hardened version of Linux-libre. There are a number of things that could be done in that area and the purpose of this thread is to talk about that.
Hardening Linux is a large topic and there's a lot that could be done. What I'm looking at doing is reviewing and incorporating this: https://github.com/a13xp0p0v/kconfig-hardened-check
However: I want to avoid a repeat of what happened with grsecurity so my plan is to only focus on those things that are present in upstream Linux - No out-of-tree patches. From my point of view, desirable security features can be submitted to upstream Linux via the normal review and inclusion process and make their way into normal kernel releases, to be enabled by me in the builds.
Thoughts? Ideas? Comments?
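To make the "upstream options only" approach concrete, here is an added example (not the thread author's build scripts and not kconfig-hardened-check itself) of the kind of check such a build would run against a kernel .config before compiling. It audits a small, assumed list of in-tree Kconfig symbols (all real upstream options; the selection is mine, not a final hardening profile) and reports which ones are missing. The .config fragment it checks is constructed inline so the script runs offline.

```sh
#!/bin/sh
# Minimal upstream-only hardening audit for a kernel .config.
# Added example: it illustrates the idea behind kconfig-hardened-check,
# it is not that tool and not a Linux-libre build script.

# Symbol=wanted-value pairs. "y" must be set, "n" must be unset.
# All are upstream Linux Kconfig symbols; which ones belong in a hardened
# Linux-libre profile is an assumption for this example.
HARDENING_CHECKS='
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEVMEM=n
CONFIG_LEGACY_PTYS=n
'

# config_value FILE SYMBOL -> prints the value after "=" for SYMBOL,
# or "n" when the symbol is absent or appears as "# SYMBOL is not set".
config_value() {
    _v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    if [ -z "$_v" ]; then
        echo n
    else
        echo "$_v"
    fi
}

# check_hardening_config FILE -> one OK/FAIL line per symbol; the exit
# status is the number of failed checks (0 means the config is as wanted).
# Exit statuses wrap at 255, which is fine for a list this short.
check_hardening_config() {
    _fails=0
    for _entry in $HARDENING_CHECKS; do
        _sym=${_entry%%=*}
        _want=${_entry#*=}
        _have=$(config_value "$1" "$_sym")
        if [ "$_have" = "$_want" ]; then
            echo "OK   $_sym=$_have"
        else
            echo "FAIL $_sym: have '$_have', want '$_want'"
            _fails=$((_fails + 1))
        fi
    done
    return $_fails
}

# write_sample_config FILE -> constructed .config fragment for the demo
# (not a real Linux-libre config): two hardening options are left unset
# and /dev/mem is enabled, so three checks should fail.
write_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated file; DO NOT EDIT.
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEVMEM=y
# CONFIG_LEGACY_PTYS is not set
EOF
}

# Demo run against the constructed fragment; the failure count is
# captured rather than allowed to become the script's exit status.
cfg=$(mktemp)
write_sample_config "$cfg"
demo_fails=0
check_hardening_config "$cfg" || demo_fails=$?
echo "failed checks: $demo_fails"
rm -f "$cfg"
```

On a real tree you would point check_hardening_config at the .config you intend to build, then flip the reported symbols with the kernel's own helper, for example `scripts/config --file .config --enable SLAB_FREELIST_HARDENED --disable DEVMEM`, and re-run `make olddefconfig` so dependent options settle before building. Some of these knobs (INIT_ON_ALLOC_DEFAULT_ON in particular) have a measurable cost on allocation-heavy workloads, which is the kind of trade-off a desktop-oriented profile has to weigh rather than switch on blindly.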
Another topic I forgot to ask about: My current kernel builds (via https://www.fsfla.org/ikiwiki/selibre/linux-libre/freesh.en.html) follow all active kernel series. This is currently 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, 5.16, and 5.17.
Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)
"Another topic I forgot to ask about: My current kernel builds (via https://www.fsfla.org/ikiwiki/selibre/linux-libre/freesh.en.html) follow all active kernel series. This is currently 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, 5.16, and 5.17.
Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)"
I'd say targeting the latest (5.17 currently) and latest LTS (5.15 currently) would target the most users without adding a lot more work.
>"Should this also be done with the hardened kernels or something different? I do plan to do the latest version no matter what; my question is more if it is desirable to also do more than just that (like LTS, and if so which LTS - All or just the latest LTS.) Or maybe something totally different. Speak up please. :)"
I would do the latest, the latest LTS, and whatever version Trisquel is currently using. That should give people enough options.
>"Thoughts? Ideas? Comments?"
Keep in mind, a lot of the latest hardening ideas probably only pertain to enterprise users or cloud farm outfits like Fakebook or Scroogle or Scamazon. If I were making a hardened kernel I'd make it for desktop users and for people running smaller servers, and skip all the Fakebook/Scroogle/Scamazon nonsense. And I'd try to do it in a way that did not massively sacrifice performance.
"Keep in mind, a lot of the latest hardening ideas probably only pertain to enterprise users or cloud farm outfits like Fakebook or Scroogle or Scamazon. If I were making a hardened kernel I'd make it for desktop users and for people running smaller servers, and skip all the Fakebook/Scroogle/Scamazon nonsense. And I'd try to do it in a way that did not massively sacrifice performance."
Helping out the normal users with desktops and laptops would be ideal and most beneficial I'd say.
"However: I want to avoid a repeat of what happened with grsecurity so my plan is to only focus on those things that are present in upstream Linux - No out-of-tree patches. From my point of view, desirable security features can be submitted to upstream Linux via the normal review and inclusion process and make their way into normal kernel releases, to be enabled by me in the builds."
This sounds like the practical way to go.
https://mirror.fsf.org/trisquel/pool/main/h/hardening-runtime/
There's a hardening-runtime package one may be interested in installing from the repos for some stuff like this.