Hardened Kernel Config File for Virtual Machines (VMs) ("cloud kernel") #25

Closed
adrelanos opened this issue Dec 28, 2019 · 6 comments

Comments

@adrelanos

adrelanos commented Dec 28, 2019

A kernel config specialized for better security inside virtual machines is in development.

The development preview version can be found here:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-vm-kernel

This work is being done by @madaidan who also contributed pull requests to linux-hardened.

https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan

Discussions about the kernel config happen mostly in Whonix forums.

https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214

The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here.

Therefore I am wondering if there is any chance you would accept a pull request for a hardened (VM) config file? Which folder would be suitable for such a config file?

@madaidan is also working on a hardened bare metal (i.e. non-VM) kernel config:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-host-kernel

@a13xp0p0v
Owner

Hello @adrelanos,
I guess Whonix has a default and hardened config, am I right?
Is the difference between them documented anywhere?
We can take Whonix official configs to the config_files/distros/.
That's useful for a brief comparison of kernel hardening adoption by various Linux distributions.
There is also the config_files/links.txt file that describes how to get official configs from various distros.
Thanks!

@madaidan
Contributor

madaidan commented Jan 5, 2020

The current Whonix default is the Debian default. It will be changed to the config mentioned in the post once it's finished.

@a13xp0p0v
Owner

Ok.
So when it is finished, you are welcome to send me the pull request that

  • adds the official Whonix hardened config to config_files/distros/;
  • adds the corresponding info to config_files/links.txt.

@tsautereau-anssi

@madaidan After reading your post on the linux-hardened repository, it seems you might be interested in contributing some of your changes to the CLIP OS kernel (see our current configuration here). If so, don't hesitate to open an issue, it would be much appreciated!

Thanks @msalaun-anssi for the heads-up ;)

@adrelanos
Author

Created clipos/bugs#38 for it.

@madaidan
Contributor

> @madaidan After reading your post on the linux-hardened repository, it seems you might be interested in contributing some of your changes to the CLIP OS kernel (see our current configuration here). If so, don't hesitate to open an issue, it would be much appreciated!

Sounds great. I'll see what I can do.
