Just asked https://github.com/anthraxx/linux-hardened/pull/19#issuecomment-568789370
1 Like
Better to check proc ipv6 setting?
1 Like
You mean settings in /proc/sys/net/ipv6/? That directory doesn’t exist with the hardened kernel.
1 Like
It might be better to use the number of cores + 1 with the -j option when compiling the kernel instead of just the number of cores although there seems to be some disagreement on this.
time - How to speed up Linux kernel compilation? - Stack Overflow
The best results are often achieved using the number of CPU cores in the machine + 1; for example, with a 2-core processor run make -j3
https://wiki.gentoo.org/wiki/Kernel/Configuration#Build
Add the option
-j(<NUMBER_OF_CORES> + 1). For example, a dual core processor contains two logical cores plus one (2 + 1):
We can change make -j $(nproc) to make -j $(($(nproc) + 1))
1 Like
Then that’s a good test. Nonexistence is good for testing this.
1 Like
One of the things that take up the longest compilation time are networking stuff which have mostly been untouched.
We should figure out exactly which networking and netfilter options we need and remove unused ones.
For example, I doubt we need things like IPVS, vsockets or CONFIG_NF_CONNTRACK_H323 which allows us to configure iptables rule for some VoIP protocol. There’s also a bunch of network packet schedulers, none of which are being used.
1 Like
I tested it and compilation takes 77 minutes for me. This is still far too slow. We need to cut down more modules. Development would also greatly speed up if I could compile and test the kernel quicker.
Should CONFIG_SWAP be disabled? I don’t know Whonix’s stance on swap now that GitHub - Kicksecure/swap-file-creator: Adds encrypted swap file to the system - for better protection of locally stored data and to aid environments with low RAM. https://www.kicksecure.com/wiki/swap-file-creator is a thing.
1 Like
The linux-hardened patches work flawlessly with the kernel sources from kernel.org but it has tons of errors with the debian kernel sources. It might be better to just use the sources from kernel.org and copy/paste the debian packaging from the debian sources.
1 Like
Actually, we won’t even need to do that. The make deb-pkg command is what generates the debian folder.
1 Like
I don’t know what CONFIG_SWAP does but swap file is unfortunately required due to swap - swap file - Whonix-Gateway freezing during apt-get dist-upgrade - encrypted swap-file-creator. I preferred if avoidable. Not nice since it makes the gateway boot slower.
1 Like
CONFIG_SWAP is what it sounds like, support for swap files.
1 Like
madaidan via Whonix Forum:
The linux-hardened patches work flawlessly with the kernel sources from kernel.org but it has tons of errors with the debian kernel sources. It might be better to just use the sources from kernel.org and copy/paste the debian packaging from the debian sources.
Yes. Could we even git clone linux-hardened and copy over Debian
packaging files? That previously failed for some reason?
I guess the Debian packaging files would not change much if kernel
sources are updated but I could be ignorant about some complexity.
Does linux-hardened offer signed git commits or even better signed git
tags? If yes, that would be possible (a secure way).
We would need to understand why Debian patches the Linux kernel. They
have a ton of patches. The list of patches is here:
Could you have a look please?
1 Like
It’s far easier just to download a tarball from kernel.org and apply the patch. That’s how it’s meant to be done.
We don’t even need to copy over anything:
Just running make deb-pkg in the directory that contains the kernel source is enough.
All commits are signed Commits · anthraxx/linux-hardened · GitHub
Most are fixes or extra features. There are a few security features but these are all part of linux-hardened anyway.
I’ve looked through them and none seem important for us.
There’s a short description of them at debian/patches/series · master · Debian kernel team / linux · GitLab
1 Like
I got the 4.19.91 kernel source from kernel.org, applied the linux-hardened patch, compiled using make deb-pkg and it works perfectly.
Should we be using LTS or stable kernels?
1 Like
Probably stable more secure as not all security bugs are properly backported. Don’t have reference for that at hand but @HulaHoop might have.
1 Like
Sounds awesome!
1 Like
In theory (without knowing where to find documentation or source code) It could e swap partition or something different too, unrelated to swap files.
1 Like