How Come the Hardened Kernel Isn't More Popular?

4 replies [Last post]
PublicLewdness
Offline
Joined: 03/15/2020

I just found out recently that the hardened version of the Linux kernel even existed. When I did, it got me thinking why it isn't more popular in these circles? Users of distros like Trisquel, Hyperbola, Parabola, Guix, etc. are probably more privacy and security focussed than most users, but as far as I know no one makes a libre version of the hardened kernel. If there is anybody working on this I'd love to find them, as I would donate to such a project. If not, any idea why there is little to no interest?

andyprough
Offline
Joined: 02/12/2015

My understanding is that nearly all distro kernel maintainers use some of the methods of hardening their kernels. Hyperbola is especially concerned about using a hardened kernel, at least according to the last interview I read with the lead developer.

jxself
Offline
Joined: 09/13/2010

As far as I know there isn't a single "the" hardened kernel.

I had considered doing something in that area but no one's asked. That's one of my criteria for doing Linux-libre kernel builds: There must be a demand. Otherwise I'm just wasting my time to build something no one wants.

I'm thinking back to what happened with grsecurity where they pulled the rug out from under everyone by taking their patches private.

A single place having that kind of control seems unmaintainable for that reason. So to avoid that situation if I did do something, I would want it to be supported by upstream Linux and not require any out-of-tree patches. Compared to the kernels I'm already making, it would basically amount to a config change.

KSPP seemed appealing in that respect, as it was an effort to get such things mainlined and reviewed by people that are smarter than me.
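Added example, not part of the thread: a small POSIX shell check that reads a kernel `.config` and reports which of a handful of upstream, in-tree hardening options are not set as expected, the kind of "config change" jxself describes. The option list is an illustrative subset I chose, not a complete KSPP checklist, and the sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel .config for a few
# upstream (in-tree) hardening options. The list below is an illustrative
# subset chosen for this demo, not a full KSPP checklist.

# name=expected ("n" means the option must be absent or "is not set")
HARDENING_OPTS="
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_DEVMEM=n
"

# failing_options FILE: print one line per option whose value in FILE differs
# from the expected one (name, wanted, actual). Prints nothing if all pass.
failing_options() {
    cfg=$1
    for entry in $HARDENING_OPTS; do
        name=${entry%%=*}
        want=${entry#*=}
        if grep -q "^${name}=" "$cfg"; then
            have=$(sed -n "s/^${name}=//p" "$cfg" | head -n 1)
        else
            have=n   # "# CONFIG_X is not set" or absent both mean disabled
        fi
        [ "$have" = "$want" ] || printf '%s want=%s have=%s\n' "$name" "$want" "$have"
    done
}

# Constructed sample .config fragment (not a real distro config): FORTIFY_SOURCE
# disabled, INIT_ON_ALLOC missing entirely, and /dev/mem access left enabled.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_DEVMEM=y
EOF

# On a real build tree: failing_options /path/to/linux/.config
echo "Options not set as expected in the sample config:"
failing_options "$SAMPLE_CONFIG"
```

Because every option checked is an upstream Kconfig symbol, the same check applies to a Linux-libre tree without any out-of-tree patches.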

PublicLewdness
Offline
Joined: 03/15/2020

"As far as I know there isn't a single "the" hardened kernel."

Fair point, I was referring to this kernel:

https://github.com/anthraxx/linux-hardened

Well, I have interest, but I wouldn't expect you to do it just for me. If it happens I would be happy to use it and increase my donation to you, but I doubt what I alone would be giving would make it worth it from a cost/effort standpoint. I hadn't heard of the grsecurity issue; I wasn't paying as much attention to security back then, I was more worried about what games would work on Linux. After looking it up, it's a valid concern.

jxself
Offline
Joined: 09/13/2010

Jason said: "There must be a demand. Otherwise I'm just wasting my time to build something no one wants."

PublicLewdness said: "Well I have interest but I wouldn't expect you to do it just for me. If it happens I would be happy to use it and increase my donation to you but I doubt what I alone would be giving would make it worth it from a cost/effort standpoint."

Sorry, perhaps I should have been clearer. I didn't mean it as if there needs to be lots of people to make it somehow profitable and worth the effort; I don't look at it like that. If even one person wanted a certain kernel build (and used it) I'd do it. That was how my RPM kernel builds at https://rpmfreedom.org/ got started, because one person had asked (and is using it).

That piece seems to be met here so let me see what I can do. I'm thinking of not using https://github.com/anthraxx/linux-hardened though because it appears to include out-of-tree patches. If there are interesting security things in there that are desirable they should be submitted to upstream Linux to go through the normal review and inclusion process.

More to come.