clipos / bugs

CLIP OS issue tracker
https://clip-os.org

Hardened Kernel Config File for Virtual Machines (VMs) ("cloud kernel") and Hosts #38

Open adrelanos opened 4 years ago

adrelanos commented 4 years ago

A kernel config specialized for better security inside virtual machines is in development.

The development preview version can be found here: https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-vm-kernel

This work is being done by @madaidan who also contributed pull requests to linux-hardened.

https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan

Discussions about the kernel config happen mostly in Whonix forums.

https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214

The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here.

Therefore I am wondering if there is any chance you would accept a pull request for a hardened VM config file? Which folder would be suitable for such a config file?

@madaidan is also working on a hardened bare metal (i.e. non-VM) kernel config: https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-host-kernel

msalaun-anssi commented 4 years ago

To complete @tsautereau-anssi's comment, the kernel configuration is split in sets and selected with the clipos-kernel_compute_configuration() helper.

madaidan commented 4 years ago

Where are the sets located? Is it https://github.com/clipos/src_platform_config-linux-hardware/tree/master/kernel_config?

tsautereau-anssi commented 4 years ago

> Where are the sets located? Is it https://github.com/clipos/src_platform_config-linux-hardware/tree/master/kernel_config?

Yes, exactly. And as pointed out by @msalaun-anssi, these sets are then handled at build-time by the clipos-kernel_compute_configuration() helper, which itself calls our make-config.sh script.
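
The layering of config sets described above, as an added illustration that is not CLIP OS's make-config.sh or clipos-kernel_compute_configuration(): ordered fragment files are merged with later sets overriding earlier ones, and every override is reported so a set cannot silently flip a hardening option. The set names, file contents and the helper names merge_sets and config_value are constructed for this example.

```sh
#!/bin/sh
# Constructed illustration of build-time assembly of a kernel config from
# ordered "sets" (fragments): later sets override earlier ones, and every
# override is reported so a set cannot silently weaken a hardening option.
# Set names, file contents and helper names are assumptions, not CLIP OS code.

# merge_sets OUT SET...  Each SET holds "CONFIG_X=val" or "# CONFIG_X is not set" lines.
merge_sets() {
    out=$1; shift
    : > "$out"
    for set in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                CONFIG_*=*) key=${line%%=*} ;;
                "# CONFIG_"*" is not set") key=${line#"# "}; key=${key%" is not set"} ;;
                *) continue ;;   # comments and blank lines carry no setting
            esac
            pattern="^(${key}=|# ${key} is not set)"
            if prev=$(grep -E "$pattern" "$out"); then
                [ "$prev" = "$line" ] || echo "override: '$prev' -> '$line' ($set)" >&2
                grep -vE "$pattern" "$out" > "$out.tmp" || :; mv "$out.tmp" "$out"
            fi
            printf '%s\n' "$line" >> "$out"
        done < "$set"
    done
}

# config_value FILE CONFIG_X  -> prints the value ("n" when "is not set"); exit 1 if absent
config_value() {
    if grep -q "^# $2 is not set$" "$1"; then echo n; return 0; fi
    val=$(sed -n "s/^$2=//p" "$1"); [ -n "$val" ] && echo "$val"
}

# Constructed sets: a generic base and a VM-specific hardening set layered on top.
work=$(mktemp -d)
cat > "$work/base" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DRM=y
EOF
cat > "$work/hardened-vm" <<'EOF'
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_DRM is not set
CONFIG_VIRTIO_NET=y
EOF
merge_sets "$work/merged" "$work/base" "$work/hardened-vm"
```

The two override lines printed on stderr are the review signal: a VM set is expected to enable init-on-alloc and drop DRM, but the same report would expose a set that disables a mitigation the base set turned on.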

msalaun-anssi commented 4 years ago

The documentation for the kernel config is available here: https://docs.clip-os.org/clipos/kernel.html

madaidan commented 4 years ago

Would you also accept kernel patches or should I just send them to linux-hardened?

tsautereau-anssi commented 4 years ago

We do accept kernel patches. However, if you think your patches can benefit other people, it's probably a better idea to at least try to get them merged into linux-hardened first.

madaidan commented 4 years ago

Alright, I'll just keep sending them to linux-hardened then. I've also created a few kernel config/sysctl changes: https://github.com/clipos/src_platform_config-linux-hardware/pulls