One of the things that takes up the most compilation time is the networking stuff, which has mostly been untouched.
We should figure out exactly which networking and netfilter options we need and remove unused ones.
For example, I doubt we need things like IPVS, vsockets or CONFIG_NF_CONNTRACK_H323, which allows us to configure iptables rules for some VoIP protocol. There’s also a bunch of network packet schedulers, none of which are being used.
I tested it and compilation takes 77 minutes for me. This is still far too slow. We need to cut down more modules. Development would also greatly speed up if I could compile and test the kernel quicker.
The linux-hardened patches work flawlessly with the kernel sources from kernel.org but it has tons of errors with the debian kernel sources. It might be better to just use the sources from kernel.org and copy/paste the debian packaging from the debian sources.
Yes. Could we even git clone linux-hardened and copy over Debian packaging files? That previously failed for some reason?

I guess the Debian packaging files would not change much if kernel sources are updated, but I could be ignorant about some complexity.

Does linux-hardened offer signed git commits or, even better, signed git tags? If yes, that would be possible (a secure way).

We would need to understand why Debian patches the Linux kernel. They have a ton of patches. The list of patches is here:
You could use “make tinyconfig”, which creates a minimal non-bootable kernel, so you can estimate the lowest possible compilation time for your setup. If it still takes an hour or so, then cutting out more modules maybe won’t help that much. Recompiling the cloud kernel could also give a good estimate of what to expect from a stripped-down kernel.
It’s maybe not a good estimate but iirc the tinyconfig is around 20-30kb while the cloud kernel config for Debian is around 90kb. The latter one should work for the average desktop system when some GUI relevant stuff is added.
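To make the two ideas above concrete (dropping the networking options named earlier, and judging a config by how much of it is enabled), here is an added shell example; it is not code from this thread or from any project discussed in it. It edits a kernel `.config` directly and counts the `=y`/`=m` symbols, which is roughly what the size comparison between tinyconfig and the cloud config is getting at. The option names are real Kconfig symbols (CONFIG_IP_VS, CONFIG_VSOCKETS, CONFIG_NF_CONNTRACK_H323, CONFIG_NET_SCH_*); the `.config` excerpt it operates on is constructed for the demonstration and is not a real Debian config. One caveat that matters in practice: flipping a symbol to “is not set” does not resolve Kconfig dependencies, so after editing you still run `make olddefconfig` in the kernel tree to let Kconfig drop anything that depended on what you removed (the in-tree `scripts/config --disable SYMBOL` does the same textual edit as the function below).

```shell
#!/bin/sh
# Added example (not from the thread): trim named networking options out of a
# kernel .config and count what remains enabled. Symbol names are real Kconfig
# options; the sample .config written below is constructed for this demo.

# Print the number of options set to y or m in a .config file.
count_enabled() {
    grep -c -E '^CONFIG_[A-Za-z0-9_]+=(y|m)$' "$1" || true
}

# Print the names of enabled options whose name starts with a prefix,
# e.g. CONFIG_NET_SCH_ for the packet schedulers.
list_enabled_prefix() {
    grep -E "^$2[A-Za-z0-9_]*=(y|m)$" "$1" | sed -E 's/=.*//' || true
}

# Rewrite CONFIG_FOO=y / CONFIG_FOO=m as "# CONFIG_FOO is not set".
# Returns 1 if the option was not enabled in the file (nothing to change).
# This is a textual edit only; dependencies are resolved by "make olddefconfig".
disable_option() {
    file=$1
    opt=$2
    if grep -q -E "^${opt}=(y|m)$" "$file"; then
        sed -E "s/^${opt}=(y|m)$/# ${opt} is not set/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
        return 0
    fi
    return 1
}

# Disable the options singled out in the thread: IPVS, vsockets, the H.323
# conntrack helper, and every enabled packet scheduler (CONFIG_NET_SCH_*).
trim_networking() {
    cfg=$1
    for opt in CONFIG_IP_VS CONFIG_VSOCKETS CONFIG_NF_CONNTRACK_H323 \
               $(list_enabled_prefix "$cfg" CONFIG_NET_SCH_); do
        disable_option "$cfg" "$opt" || echo "note: $opt was not enabled" >&2
    done
}

# Constructed excerpt in .config syntax (not a real full Debian config).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_IP_VS=m
CONFIG_VSOCKETS=m
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_FQ_CODEL=m
CONFIG_NET_SCH_INGRESS=m
# CONFIG_NET_SCH_CBS is not set
EOF
}

main() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/.config"
    echo "enabled before: $(count_enabled "$tmp/.config")"
    trim_networking "$tmp/.config"
    echo "enabled after:  $(count_enabled "$tmp/.config")"
    grep -E 'H323|IP_VS|VSOCKETS|NET_SCH_' "$tmp/.config"
    rm -rf "$tmp"
}

main "$@"
```

On a real tree the same functions apply to the tree's `.config`; the only extra step is `make olddefconfig` afterwards, and then `time make -j"$(nproc)"` to see what the trimming actually bought in build time, which is the number the thread cares about.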
Sure but stable kernels have newer code and more attack surface.
The real “hard truth” about Linux kernel security is that there’s no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.
Although, stable kernels do have more hardening features.
It’s a hard decision.
LTS kernels have fewer hardening features and not all bug fixes are backported, but they have less attack surface and potentially less chance of having bugs.
Stable kernels have more hardening features and all bug fixes but more attack surface and more bugs.
We should look into that. We should add a -hardened suffix or something to differentiate between our kernel and normal kernels.
Let’s use LTS kernels instead. For more stability. Something good that works is better than something “perfect” constantly breaking.