I was looking at https://docs.clip-os.org/clipos/kernel.html#configuration. But I couldn’t find configs such as CONFIG_BPF_JIT_ALWAYS_ON etc. set in Kicksecure’s security-misc. Where can I find these configs, if they even exist in Kicksecure?
What you’re looking at are kernel build-time settings. These aren’t configurable by the end user, because those settings determine what code is compiled into the kernel binary and how it will operate.
Kicksecure just uses the standard Debian kernel, so the settings we have enabled are identical to the ones Debian uses. If you want to see the exact settings the kernel uses, elevate to root using sudo -i, then change to the /boot directory with cd /boot. Then open the config record for the running kernel with nano config-$(uname -r). You can then search for specific settings in the file by pressing Ctrl+W, typing a search term, and pressing Enter.
Doing this exact search for CONFIG_BPF_JIT_ALWAYS_ON, I see the following in the config record for kernel 6.1.0-31-amd64:
# CONFIG_BPF_JIT_ALWAYS_ON is not set
If you really want to change these settings, you will have to build the kernel yourself. How to do so is a bit out of scope for these forums, but the Debian Linux Kernel Handbook should have the info needed to do that. Keep in mind that running and maintaining a custom kernel is not easy and is very much not recommended unless you know what you’re doing.
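The same lookup done non-interactively, as an added example that is not from this thread or from Kicksecure: it reads the running kernel's /boot/config-$(uname -r) (falling back to a constructed sample in the same format) and reports each option as its value, "not set" (the commented-out form shown above), or "absent".

```shell
#!/bin/sh
# Look up kernel build-time options in a Debian-style /boot/config-<version>
# file without opening it in an editor. Each option appears either as
# "OPT=value", commented out as "# OPT is not set", or not at all.

# Print the state of one option: its value (y, m, a number, a string),
# "not set" for the explicit comment form, or "absent" if it never appears.
kconfig_state() {
    file="$1"; opt="$2"
    if grep -q "^# ${opt} is not set\$" "$file"; then
        printf 'not set\n'
        return 0
    fi
    line=$(grep "^${opt}=" "$file" | head -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*=}"
    else
        printf 'absent\n'
    fi
}

# Print "OPTION  state" for each option; succeed only if every one is "y".
kconfig_report() {
    file="$1"; shift
    missing=0
    for opt in "$@"; do
        state=$(kconfig_state "$file" "$opt")
        printf '%-32s %s\n' "$opt" "$state"
        [ "$state" = "y" ] || missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample in the same format (not real Debian values); used when
# the running kernel's config is not readable. Prints the temp file path.
make_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed sample, not a real kernel config
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_MODULES=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
EOF
    printf '%s\n' "$tmp"
}

cfg="/boot/config-$(uname -r)"
[ -r "$cfg" ] || cfg=$(make_sample_config)
kconfig_report "$cfg" CONFIG_BPF_JIT CONFIG_BPF_JIT_ALWAYS_ON \
    CONFIG_DEFAULT_MMAP_MIN_ADDR CONFIG_NOT_IN_FILE || :
```

On Debian the /boot config file is normally world-readable, so root is only needed if your /boot permissions are tighter than the default.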
Thanks a lot for your reply.
Are there any plans for Kicksecure to start maintaining their own hardened kernel build? If not, are you aware of any projects that are doing so that are actively maintained? Because the only project I know of, CLIP OS, is archived.
Thanks for the link and sorry for not searching thoroughly.
I see that CONFIG_BPF_JIT_ALWAYS_ON is set here, but when arraybolt3 checked it says it is not set? Sorry if the answer is obvious.
The hardened-kernel article mentions near the top that it is for developers only. It’s rather outdated, the last kernel it worked with was a 4.19-series kernel from what I gather. It’s prior work that was done for maintaining our own hardened kernel build, but it’s not something that was fully published or that is supported to my awareness.
The answer is in the file name.
debugging-config
A debugging, non-default configuration.