
linux-hardened

Hardened Linux kernel builds packaged as .deb for Debian (and later Ubuntu). Tracks anthraxx/linux-hardened upstream and publishes through a Forgejo Debian registry fronted by Fastly.

Distributed by Unredacted, a 501(c)(3) nonprofit.

Status

Phase 0: repository scaffold. No published packages yet.

What this kernel changes

On top of Debian's stock kernel, this build applies the anthraxx/linux-hardened patch set plus a configuration overlay (configs/hardened-overlay.config; per-symbol rationale in configs/POLICY.md). The hardening falls into four buckets: memory-safety (heap and stack zero-init, hardened usercopy, FORTIFY_SOURCE, slab freelist hardening, KASLR, KFENCE); integrity (W^X for kernel and module text, forced module-signature verification, integrity-mode lockdown under Secure Boot); attack-surface reduction (/dev/mem, /dev/kmem, /proc/kcore, kexec, and several legacy syscalls removed); and restrictive sysctl defaults (unprivileged user namespaces off; perf, BPF, and ptrace restricted to root).

That hardening comes with friction worth knowing before you install:

  • Out-of-tree modules (NVIDIA, ZFS, VirtualBox) must be rebuilt against our headers and signed. DKMS does this automatically with a machine-local MOK key you enroll once at reboot.
  • Rootless containers (Docker, Podman), the Chromium sandbox, Snap, and Flatpak depend on unprivileged user namespaces, which are off by default. Re-enable them via the opt-in in docs/users/incompatibilities.md.
  • kexec/kdump, hibernation, and /dev/mem-based tools do not work.
  • Every module must be signed. An unsigned out-of-tree module will not load (MODULE_SIG_FORCE).

Per-symptom workarounds are in docs/users/incompatibilities.md. Keep your distro's stock kernel installed as a recovery fallback; both coexist and GRUB lists both.
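To see ahead of an install which of the restrictive defaults listed above are already in force on a host (and so which incompatibilities will apply), here is an added audit script; it is an example written for this page, not a tool from the repository. The /proc and /sys knob names are real kernel interfaces; the thresholds used to call a value "restricted" and the root-directory parameter are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the linux-hardened repo: report which of the
# README's restrictive defaults (user namespaces, perf, BPF, ptrace, forced
# module signatures) are active on the running kernel. Knob paths are real;
# the "restricted" thresholds below are this example's assumptions.
set -u

# Read a /proc or /sys knob under $root, printing "absent" when the kernel
# does not expose it. $root exists only so the logic can be exercised against
# a constructed tree; on a live host pass an empty string.
read_knob() {
    root=$1; path=$2
    if [ -r "$root$path" ]; then cat "$root$path"; else echo absent; fi
}

# Print "<label>: <value> (restricted|permissive)" or "<label>: absent".
# $op is a test(1) comparison (-le or -ge) against $threshold, because
# userns_clone is restrictive at 0 while the others are restrictive when high.
classify() {
    label=$1; value=$2; op=$3; threshold=$4
    if [ "$value" = absent ]; then echo "$label: absent"; return 0; fi
    if [ "$value" "$op" "$threshold" ] 2>/dev/null; then
        echo "$label: $value (restricted)"
    else
        echo "$label: $value (permissive)"
    fi
}

# Walk the knobs the README's "restrictive sysctl defaults" bucket covers,
# plus the module-signature enforcement flag behind MODULE_SIG_FORCE.
audit_hardening() {
    root=${1:-}
    classify "unprivileged user namespaces (unprivileged_userns_clone)" \
        "$(read_knob "$root" /proc/sys/kernel/unprivileged_userns_clone)" -le 0
    classify "perf (perf_event_paranoid)" \
        "$(read_knob "$root" /proc/sys/kernel/perf_event_paranoid)" -ge 3
    classify "unprivileged BPF (unprivileged_bpf_disabled)" \
        "$(read_knob "$root" /proc/sys/kernel/unprivileged_bpf_disabled)" -ge 1
    classify "ptrace (yama ptrace_scope)" \
        "$(read_knob "$root" /proc/sys/kernel/yama/ptrace_scope)" -ge 2
    # sig_enforce prints Y/N; map to 1/0 so the numeric comparison applies.
    classify "module signature enforcement (sig_enforce)" \
        "$(read_knob "$root" /sys/module/module/parameters/sig_enforce | tr 'YN' '10')" -ge 1
}

# Usage: sh audit-hardening.sh        (reads the live /proc and /sys)
[ $# -ne 0 ] || audit_hardening ""
```

A line marked "permissive" for user namespaces means rootless containers and the Chromium sandbox will keep working; "restricted" means the opt-in in docs/users/incompatibilities.md applies.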

Layout

Path                  Contents
build/                Kernel build pipeline: fetch, patch, configure, build, sign
tools/                Publish, prune, reproducibility check
configs/              Kernel .config overlays and the hardening-policy doc
containers/           Pinned build environments per target
keys/                 Pinned public keys for upstream source verification
.forgejo/workflows/   CI definitions
docs/users/           End-user install, Secure Boot, pinning, recovery
docs/operators/       Runner, signing-key, Fastly, reverse-proxy setup
shim/                 UEFI shim build (currently blocked; signing key isn't HSM-backed)
releases/             Per-release manifests

Installation

Once Phase 1 publishes packages, end users follow docs/users/install.md. End-user URL: https://repo.unredacted.org/debian (fronted by Fastly), or directly from the origin at https://git.unredacted.org/api/packages/unredacted/debian.

The apt-repo signing key (signs InRelease) has fingerprint:

6E229B1A2E3594F8CAE32393A2907910E8020EB0

That's the exact string gpg --show-keys prints for repository.key. Verify it against this value and the copy at https://unredacted.org before trusting the repo. This is the apt-repo key, distinct from the kernel + module Secure Boot signing key (whose cert fingerprint ships in each release's notes).
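The fingerprint check above, scripted so that apt never trusts repository.key unless it matches. This is an added example, not an installer from the repository or its docs. It assumes gpg is installed, and the keyring path, suite and component are placeholders to be taken from docs/users/install.md.

```shell
#!/bin/sh
# Added example, not part of the linux-hardened repo: compare repository.key
# against the README's apt-repo fingerprint before installing it.
# Assumes gpg; keyring path, suite and component are placeholders.
set -eu

EXPECTED_FPR="6E229B1A2E3594F8CAE32393A2907910E8020EB0"
KEYRING="/etc/apt/keyrings/unredacted-linux-hardened.gpg"   # assumed path

# Upper-case and strip spaces so a fingerprint pasted from a web page compares.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` records on stdin and print the primary key's
# fingerprint: the first fpr record after pub (later ones belong to subkeys).
extract_primary_fpr() {
    awk -F: '$1 == "pub" { primary = 1; next }
             $1 == "fpr" && primary { print $10; exit }'
}

# Exit 0 only when the key file's primary fingerprint equals the expected one.
fingerprint_matches() {
    keyfile=$1
    expected=$(normalize_fpr "$2")
    actual=$(gpg --show-keys --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
             | extract_primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Install the verified key and an apt source bound to it with signed-by,
# so this key can vouch for this one repository and nothing else.
install_repo_key() {
    keyfile=$1; suite=$2; component=$3
    if ! fingerprint_matches "$keyfile" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: refusing to trust $keyfile" >&2
        return 1
    fi
    install -d -m 0755 "$(dirname "$KEYRING")"
    gpg --dearmor < "$keyfile" > "$KEYRING"
    chmod 0644 "$KEYRING"
    printf 'deb [signed-by=%s] https://repo.unredacted.org/debian %s %s\n' \
        "$KEYRING" "$suite" "$component" > /etc/apt/sources.list.d/unredacted-linux-hardened.list
}

# Usage: sh verify-apt-key.sh repository.key <suite> <component>
[ $# -eq 0 ] || install_repo_key "$@"
```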

License

GPLv2. See LICENSE.

Security

Funding

Sustained by the unredacted.org 501(c)(3). Donations fund the engineering hours behind the CVE SLA; details and how to give in docs/users/donate.md.

Reproducibility

Each release ships a manifest.json recording every input hash and the container image digest used to build it. The byte-identical rebuild contract applies to the unsigned .debs; the signing layer is attested separately by the cert fingerprint in the manifest. Independent rebuild instructions live in docs/users/building-from-source.md.

Authorship and review

Substantial portions of the build pipeline, scripts, and documentation in this repository were co-authored with Claude (Anthropic) during pair-programming sessions. Each commit's Co-Authored-By: trailer records the model and the human committer responsible for review. Signing keys, infrastructure secrets, and final-merge authority remain in human hands.