Where to find such configs

newcool · March 13, 2025, 11:55am

I was looking at https://docs.clip-os.org/clipos/kernel.html#configuration. But I couldn’t find configs such as: CONFIG_BPF_JIT_ALWAYS_ON etc set in kicksecure’s security-misc where I can find these configs if they even exist in Kicksecure?

arraybolt3 · March 13, 2025, 2:24pm

What you’re looking at are kernel build-time settings. These aren’t configurable by the end user, because those settings determine what code is compiled into the kernel binary and how it will operate.

Kicksecure just uses the standard Debian kernel, so the settings we have enabled are identical to the ones Debian uses. If you want to see the exact settings the kernel uses, elevate to root using sudo -i, then change to the /boot directory with cd /boot. Then open the config record for the running kernel with nano config-$(uname -r). You can then search for specific settings in the file by pressing Ctrl+W, typing a search term, and pressing Enter.

Doing this exact search for CONFIG_BPF_JIT_ALWAYS_ON, I see the following in the config record for kernel 6.1.0-31-amd64:

# CONFIG_BPF_JIT_ALWAYS_ON is not set

If you really want to change these settings, you will have to build the kernel yourself. How to do so is a bit out-of-scope for these forums, but Debian Linux Kernel Handbook should have the info needed to do that. Keep in mind that running and maintaining a custom kernel is not easy and is very much not recommended unless you know what you’re doing.

newcool · March 13, 2025, 6:32pm

Thanks a lot for your reply.

Are there any plans for Kicksecure to start maintaining their own hardened kernel build? If no, are you aware of any projects that are doing so that is actively maintained? Because the only project I know CLIP OS is archived.

Patrick · March 13, 2025, 11:25pm

newcool · March 14, 2025, 6:00pm

Thanks for the link and sorry for not searching thoroughly.

I see that CONFIG_BPF_JIT_ALWAYS_ON is set here

github.com/Kicksecure/hardened-kernel

usr/share/hardened-kernel/debugging-config

0e1d84060


      
          
          CONFIG_PROC_PAGE_MONITOR=y
          CONFIG_CHECKPOINT_RESTORE=y
          CONFIG_MEM_SOFT_DIRTY=y
          
          CONFIG_VIDEO_VIVID=m
          
          CONFIG_PROC_VMCORE=n
          
          CONFIG_BPF_SYSCALL=y
          CONFIG_BPF_JIT_ALWAYS_ON=y
          CONFIG_CGROUP_BPF=y
          CONFIG_XDP_SOCKETS=y
          CONFIG_STREAM_PARSER=y
          CONFIG_BPF_STREAM_PARSER=y
          
          CONFIG_DEVMEM=y
          CONFIG_STRICT_DEVMEM=y
          CONFIG_IO_STRICT_DEVMEM=y
          
          CONFIG_PANIC_ON_OOPS=n

but when arraybolt3 checked it says it is not set? Sorry if answer is obvious.

arraybolt3 · March 14, 2025, 6:32pm

The hardened-kernel article mentions near the top that it is for developers only. It’s rather outdated, the last kernel it worked with was a 4.19-series kernel from what I gather. It’s prior work that was done for maintaining our own hardened kernel build, but it’s not something that was fully published or that is supported to my awareness.

Patrick · March 15, 2025, 4:21am

The answer is in the file name.

debugging-config

A debugging, non-default configuration.