Backporting security features to LTS kernels
Stable kernels have various security features that LTS kernels don't have, such as lockdown, SafeSetID, page allocator freelist randomization, init_on_alloc, etc. I think linux-hardened should backport/reimplement those security features in LTS kernels.
I can contribute many of these myself if you're interested. I've created some patches already.
This would be especially useful for Whonix's hardened-kernel as we're using LTS kernels for greater stability and less attack surface.
5.11 rc out and hardened still hasn't caught up to 5.10.
What's the point of using a kernel patch / more secure configuration if it's left with security holes for so long and so often? 5.9 is EOL, and that's even worse, but it would still be vulnerable if it was "supported" upstream. We need to be on the latest kernel if we want the fixes.
There has been a 5.10 branch for quite a while; you are free to easily use it to create your patch set file and also give feedback. However, stop hijacking arbitrary threads.