kernel recompilation for better hardening

Just asked https://github.com/anthraxx/linux-hardened/pull/19#issuecomment-568789370

1 Like

https://github.com/Whonix/whonix-firewall/pull/3

1 Like

Better to check the proc IPv6 setting?

1 Like

You mean settings in /proc/sys/net/ipv6/? That directory doesn’t exist with the hardened kernel.

1 Like

It might be better to use the number of cores + 1 with the -j option when compiling the kernel instead of just the number of cores although there seems to be some disagreement on this.

time - How to speed up Linux kernel compilation? - Stack Overflow

The best results are often achieved using the number of CPU cores in the machine + 1; for example, with a 2-core processor run make -j3

https://wiki.gentoo.org/wiki/Kernel/Configuration#Build

Add the option -j(<NUMBER_OF_CORES> + 1). For example, a dual core processor contains two logical cores plus one (2 + 1):

We can change make -j $(nproc) to make -j $(($(nproc) + 1))

1 Like

Then that’s a good test. Nonexistence is good for testing this.

1 Like

How is this: “Check for /proc/sys/net/ipv6/ instead” (madaidan/whonix-firewall@5cb824b on GitHub)?

1 Like
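The check discussed in the posts above (treat the absence of /proc/sys/net/ipv6/ as “this kernel has no IPv6”) written out as a small added example. This is not the whonix-firewall commit itself; it is illustration code. It takes an optional root directory in place of /proc so the three possible states can be exercised against a constructed tree, and it also reads the `disable_ipv6` sysctl so a kernel that has the stack compiled in but switched off is told apart from one that lacks it entirely:

```shell
#!/bin/sh
# Added example, not whonix-firewall code: classify the running kernel's IPv6
# state from its sysctl tree before deciding whether ip6tables rules can be
# loaded. The first argument overrides the /proc root so the logic can be run
# against a constructed directory tree (see demo below).

ipv6_state() {
    proc_root="${1:-/proc}"
    ipv6_dir="$proc_root/sys/net/ipv6"
    disable_file="$ipv6_dir/conf/all/disable_ipv6"
    if [ ! -d "$ipv6_dir" ]; then
        # IPv6 not built into (or loaded in) this kernel: ip6tables has no
        # address family to talk to and would fail.
        echo absent
    elif [ -r "$disable_file" ] && [ "$(cat "$disable_file")" = "1" ]; then
        # Stack is compiled in but administratively disabled via sysctl.
        echo disabled
    else
        echo enabled
    fi
}

# Returns 0 when ip6tables rules should be installed. A sysctl-disabled stack
# still gets rules: the sysctl can be flipped back at runtime, a missing
# directory cannot.
want_ip6tables() {
    case "$(ipv6_state "${1:-/proc}")" in
        absent) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed tree standing in for /proc, used only to exercise the check.
demo() {
    root="$(mktemp -d)"
    echo "no ipv6 dir:     $(ipv6_state "$root")"
    mkdir -p "$root/sys/net/ipv6/conf/all"
    echo 0 > "$root/sys/net/ipv6/conf/all/disable_ipv6"
    echo "disable_ipv6=0:  $(ipv6_state "$root")"
    echo 1 > "$root/sys/net/ipv6/conf/all/disable_ipv6"
    echo "disable_ipv6=1:  $(ipv6_state "$root")"
    rm -rf "$root"
    echo "running kernel:  $(ipv6_state)"
}

demo
```

In a firewall script the call would be `want_ip6tables || skip_ipv6_rules`, with no argument so the real /proc is consulted.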

One of the things that takes up the most compilation time is the networking stuff, which has mostly been untouched.

We should figure out exactly which networking and netfilter options we need and remove unused ones.

For example, I doubt we need things like IPVS, vsockets or CONFIG_NF_CONNTRACK_H323, which allows us to configure iptables rules for some VoIP protocol. There’s also a bunch of network packet schedulers, none of which are being used.

1 Like
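An added example of the trimming step proposed above (not Whonix build code). In a real kernel tree the same thing is done with `scripts/config --disable CONFIG_IP_VS` and so on, followed by `make olddefconfig`; the functions below reimplement only the piece of that needed here, so the example runs against a constructed `.config` fragment outside a kernel tree. The option names are the real Kconfig symbols from the discussion (CONFIG_IP_VS, CONFIG_VSOCKETS, CONFIG_NF_CONNTRACK_H323, CONFIG_NET_SCHED and one scheduler under it):

```shell
#!/bin/sh
# Added example, not Whonix build code: turn a list of kernel options into
# "# CONFIG_X is not set" lines in a .config and report what is still enabled.

option_state() {          # $1 = .config, $2 = option -> prints y, m, n or the value
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^$2=" "$1"; then sed -n "s/^$2=//p" "$1"
    else echo n
    fi
}

disable_option() {        # $1 = .config, $2 = option
    if grep -q "^$2=" "$1"; then
        sed "s/^$2=.*/# $2 is not set/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    elif ! grep -q "^# $2 is not set\$" "$1"; then
        # Absent options are recorded as unset too, so olddefconfig does not
        # silently pick a default for them later.
        printf '# %s is not set\n' "$2" >> "$1"
    fi
}

disable_options() {       # $1 = .config, remaining args = options
    cfg="$1"; shift
    for opt in "$@"; do disable_option "$cfg" "$opt"; done
}

count_enabled_matching() {   # $1 = .config, $2 = symbol prefix -> number of =y/=m lines
    grep -cE "^$2[A-Z0-9_]*=(y|m)\$" "$1" || true
}

# Constructed .config fragment standing in for a real one.
write_sample_config() {
    printf '%s\n' \
        'CONFIG_IP_VS=m' \
        'CONFIG_VSOCKETS=m' \
        'CONFIG_NF_CONNTRACK_H323=m' \
        'CONFIG_NET_SCHED=y' \
        'CONFIG_NET_SCH_FQ_CODEL=m' \
        'CONFIG_SWAP=y' \
        '# CONFIG_IPV6 is not set' > "$1"
}

demo() {
    dir="$(mktemp -d)"; cfg="$dir/.config"
    write_sample_config "$cfg"
    echo "scheduler symbols enabled before: $(count_enabled_matching "$cfg" CONFIG_NET_SCH)"
    disable_options "$cfg" CONFIG_IP_VS CONFIG_VSOCKETS CONFIG_NF_CONNTRACK_H323 \
                           CONFIG_NET_SCHED CONFIG_NET_SCH_FQ_CODEL
    echo "scheduler symbols enabled after:  $(count_enabled_matching "$cfg" CONFIG_NET_SCH)"
    for o in CONFIG_IP_VS CONFIG_NF_CONNTRACK_H323 CONFIG_NET_SCHED CONFIG_SWAP; do
        echo "$o: $(option_state "$cfg" "$o")"
    done
    rm -rf "$dir"
}

demo
```

After editing a real `.config` this way, run `make olddefconfig` and re-check the states: a symbol that another enabled option `select`s is turned back on by Kconfig, and the only fix is to find and disable the selecting option as well.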

I tested it and compilation takes 77 minutes for me. This is still far too slow. We need to cut down more modules. Development would also greatly speed up if I could compile and test the kernel quicker.

Should CONFIG_SWAP be disabled? I don’t know Whonix’s stance on swap now that swap-file-creator (GitHub - Kicksecure/swap-file-creator: Adds encrypted swap file to the system - for better protection of locally stored data and to aid environments with low RAM; https://www.kicksecure.com/wiki/swap-file-creator) is a thing.

1 Like

The linux-hardened patches work flawlessly with the kernel sources from kernel.org, but they have tons of errors with the Debian kernel sources. It might be better to just use the sources from kernel.org and copy/paste the Debian packaging from the Debian sources.

1 Like

Actually, we won’t even need to do that. The make deb-pkg command is what generates the debian folder.

1 Like

I don’t know what CONFIG_SWAP does, but a swap file is unfortunately required due to “swap - swap file - Whonix-Gateway freezing during apt-get dist-upgrade - encrypted swap-file-creator”. I would prefer to avoid it if possible. Not nice, since it makes the gateway boot slower.

1 Like

CONFIG_SWAP is what it sounds like, support for swap files.

1 Like

madaidan via Whonix Forum:

The linux-hardened patches work flawlessly with the kernel sources from kernel.org, but they have tons of errors with the Debian kernel sources. It might be better to just use the sources from kernel.org and copy/paste the Debian packaging from the Debian sources.

Yes. Could we even git clone linux-hardened and copy over Debian packaging files? That previously failed for some reason?

I guess the Debian packaging files would not change much if kernel sources are updated, but I could be ignorant about some complexity.

Does linux-hardened offer signed git commits or even better signed git tags? If yes, that would be possible (a secure way).

We would need to understand why Debian patches the Linux kernel. They have a ton of patches. The list of patches is here:

Could you have a look please?

1 Like

It’s far easier just to download a tarball from kernel.org and apply the patch. That’s how it’s meant to be done.

We don’t even need to copy over anything:

Just running make deb-pkg in the directory that contains the kernel source is enough.

All commits are signed (Commits · anthraxx/linux-hardened · GitHub).

Most are fixes or extra features. There are a few security features but these are all part of linux-hardened anyway.

I’ve looked through them and none seem important for us.

There’s a short description of them at debian/patches/series · master · Debian kernel team / linux · GitLab.

1 Like
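The tarball-plus-patch route described in the post above, written out as an added example script; this is not Whonix or linux-hardened project code. It adds the step the “secure way” question earlier in the thread was after: both the kernel.org tarball and the linux-hardened patch are signature-checked before anything is unpacked or applied. The URL layouts are assumptions about kernel.org (tarballs grouped under v4.x, v5.x, …, with a detached `.tar.sign` over the uncompressed tar) and about the anthraxx/linux-hardened GitHub releases (tag `4.19.91.a`, assets `linux-hardened-4.19.91.a.patch` and `.sig`) and should be re-checked, and the signing keys must already be imported and trusted in gpg:

```shell
#!/bin/sh
# Added example, not Whonix or linux-hardened project code: fetch a kernel.org
# tarball, verify it, apply the matching linux-hardened patch and package the
# result with `make deb-pkg`. URL layouts are assumptions; see the lead-in.
set -eu

# kernel.org files tarballs by major version: 4.19.91 -> .../v4.x/
kernel_tarball_url() {
    major="${1%%.*}"
    echo "https://cdn.kernel.org/pub/linux/kernel/v${major}.x/linux-$1.tar.xz"
}
kernel_sign_url() {
    major="${1%%.*}"
    echo "https://cdn.kernel.org/pub/linux/kernel/v${major}.x/linux-$1.tar.sign"
}
hardened_patch_url() {    # $1 = linux-hardened tag, e.g. 4.19.91.a (assumed layout)
    echo "https://github.com/anthraxx/linux-hardened/releases/download/$1/linux-hardened-$1.patch"
}
# A hardened tag is the kernel version plus a one-letter revision; refuse to
# apply a patch meant for a different kernel.
hardened_tag_matches() {  # $1 = tag, $2 = kernel version
    case "$1" in
        "$2".?) return 0 ;;
        *)      return 1 ;;
    esac
}

build_hardened_kernel() { # $1 = kernel version, $2 = hardened tag, $3 = optional .config to start from
    ver="$1"; tag="$2"; base_config="${3:-}"
    hardened_tag_matches "$tag" "$ver" || { echo "tag $tag is not for kernel $ver" >&2; return 1; }
    work="$(mktemp -d)"; cd "$work"
    curl -fsSLO "$(kernel_tarball_url "$ver")"
    curl -fsSLO "$(kernel_sign_url "$ver")"
    curl -fsSLO "$(hardened_patch_url "$tag")"
    curl -fsSLO "$(hardened_patch_url "$tag").sig"
    # kernel.org signs the *uncompressed* tarball, so verify the xz stream.
    xz -cd "linux-$ver.tar.xz" | gpg --verify "linux-$ver.tar.sign" -
    gpg --verify "linux-hardened-$tag.patch.sig" "linux-hardened-$tag.patch"
    tar -xf "linux-$ver.tar.xz"
    cd "linux-$ver"
    patch -p1 < "../linux-hardened-$tag.patch"
    # Start from a config you curated (e.g. a trimmed copy of the Debian one);
    # olddefconfig answers any symbols the patch added with their defaults.
    [ -z "$base_config" ] || cp "$base_config" .config
    make olddefconfig
    # deb-pkg writes the debian/ directory itself; nothing is copied from Debian.
    make -j"$(( $(nproc) + 1 ))" deb-pkg
    echo "Debian packages written to $work"
}

if [ "${1:-}" = "build" ] && [ $# -ge 3 ]; then
    build_hardened_kernel "$2" "$3" "${4:-}"
else
    echo "usage: $0 build <kernel-version> <linux-hardened-tag> [base .config]"
fi
```

Example invocation for the version mentioned in the thread: `sh build.sh build 4.19.91 4.19.91.a /boot/config-$(uname -r)`. The download is roughly 100 MB and the build takes as long as the 77 minutes reported above unless the config has been trimmed first.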

I got the 4.19.91 kernel source from kernel.org, applied the linux-hardened patch, compiled using make deb-pkg and it works perfectly.

Should we be using LTS or stable kernels?

1 Like

Probably stable is more secure, as not all security bugs are properly backported. I don’t have a reference for that at hand, but @HulaHoop might have.

1 Like

Sounds awesome!

1 Like

In theory (without knowing where to find documentation or source code) it could be swap partitions or something different too, unrelated to swap files.

1 Like