Not sure that will be sufficient. Package name, kernel headers package, dunno what else could be important.
A deb isn’t a deb repository which is a bit more effort to create.
Signed debs however would also be an option.
Take two:
Probably not going to fly:
Then it’s game over for the whole initiative. There isn’t an obvious way to convert arch packages to debs either.
Daniel might continue development of linux-hardened again alongside GrapheneOS (like how it was before).
This means it will be revived and new features are going to be actively developed again.
Yay. I thought he gave up on it from his comments.
hi guys , mentioned about IMA Integrity Measurement Architecture
allows greater security , can be automated with one click ,
kernel > ima_policy=appraise_tcb ima_appraise=fix ima_policy=tcb ima_hash=sha512 evm=fix
Debian project, with ima-evm, whonix could include this security
Sony contributes more safeguards against debugFS abuse from userland. The KConf becomes effective in more modern versions.
We’ve already mitigated exploiting this by non-kernel attackers via apparmor-profile-everything and hide-hardware-info’s sysfs restrictions. However, we can also disable
CONFIG_INTEL_RAPL
CONFIG_PERF_EVENTS_INTEL_RAPL
in the kernel configuration. We could probably disable the entire powercap interface as future-proofing against other variations of this type of sidechannel attack but this may be too extreme and hurt usability (depending on how frequently it’s used, I’m not sure).
Probably should not break CPU temperature control. Related:
GrapheneOS now enables CONFIG_FORTIFY_SOURCE_STRICT_STRING in production builds:
This is a feature from linux-hardened that I added back to GrapheneOS which makes the FORTIFY_SOURCE feature more strict and better at catching buffer overflows but it wasn’t intended for use in end-user builds, only for bug finding as it can cause false positives so I didn’t enable it before.
We should test enabling this too and see if it works. CLIP OS only enables it in debug builds.
GCC plugins (including STRUCTLEAK, STACKLEAK, RANDSTRUCT and others) may get removed because upstream is being pedantic about a single second difference.
https://lkml.org/lkml/2020/11/28/207
https://lkml.org/lkml/2020/12/1/1832
Of course Linux maintains century old drivers that nobody ever uses but when it comes to actually important security features, they get rid of them at any chance they get. This is ridiculous and quite worrying.
I am baffled by Kees’ reply who’s supposed to be the checks and balance on stupid stuff like that.
Merged and uploaded to all repositories.