oholiab
commented
6 years ago So I'm pretty sure (although open to being corrected!) that this won't be high up the development roadmap for the actual SGOS team, but with their blessing I don't see why members of the community couldn't work on this.
It would have to come with the caveat that the grsecurity patchset isn't available for ARM, so the kernel hardening would need to be restricted to configuration available in the upstream kernel, but at least this should allow us to make some quick progress on more current kernels. Most of the SGOS specific tooling is written in Go which makes targeting other platforms super easy.
The only thing I think that requires some real thinking about if we decide to go down this path is making it explicitly clear that the platform will not have the same kernel security features and guarantees as the x86_64 version. Perhaps this could be achieved with a little bit of rebranding within the OS itself, e.g. calling it Subgraph Lite or something less worse.
@dma what do you think?
It would be great to have Subgraph available for ARM and single-board computers like the Raspberry Pi, even if it's a stripped-down version. There are several images available for the RPi with a focus on offensive security (e.g. Kali, Parrot) but there currently exist none with an emphasis on defense. Subgraph could fill this void. SBCs like the Raspberry Pi are frequently used for projects that are perpetually connected to the internet and I believe an image that can provide a secure default configuration would be in demand and appreciated by many.
(I posted this as a reply in issue #44 but not sure if it will be seen there, so feel free to close this one if it's unneeded).