Lets us re-ship the same upstream kernel + hardened revision with packaging-only changes — e.g. picking up the new unredacted-hardened-defaults sidecar and the meta dependency, without waiting for a new upstream release. derive-version accepts an optional trailing .P on the tag and exports it as PACKAGING_REVISION (bash ERE has no non-capturing groups, so it's match group 4). fetch-sources still uses only kernel + hardened, so .P fetches the identical upstream; build-debs.sh appends ".P" to the .deb version (7.0.10-hardened1 -> 7.0.10-hardened1.1), which apt sees as an upgrade. The kernelrelease and package names are unchanged, so the rebuilt kernel upgrades in place. Plain vX.Y.Z-hardenedN tags are unaffected (no suffix appended).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
linux-hardened
Hardened Linux kernel builds packaged as .deb for Debian (and later Ubuntu). Tracks anthraxx/linux-hardened upstream and publishes through a Forgejo Debian registry fronted by Fastly.
Distributed by Unredacted, a 501(c)(3) nonprofit.
Status
Phase 0: repository scaffold. No published packages yet.
What this kernel changes
On top of Debian's stock kernel, this build applies the anthraxx/linux-hardened patch set plus a configuration overlay (configs/hardened-overlay.config; per-symbol rationale in configs/POLICY.md). The hardening falls into four buckets: memory-safety (heap and stack zero-init, hardened usercopy, FORTIFY_SOURCE, slab freelist hardening, KASLR, KFENCE); integrity (W^X for kernel and module text, forced module-signature verification, integrity-mode lockdown under Secure Boot); attack-surface reduction (/dev/mem, /dev/kmem, /proc/kcore, kexec, and several legacy syscalls removed); and restrictive sysctl defaults (unprivileged user namespaces off; perf, BPF, and ptrace restricted to root).
That hardening comes with friction worth knowing before you install:
- Out-of-tree modules (NVIDIA, ZFS, VirtualBox) must be rebuilt against our headers and signed. DKMS does this automatically with a machine-local MOK key you enroll once at reboot.
- Rootless containers (Docker, Podman), the Chromium sandbox, Snap, and Flatpak depend on unprivileged user namespaces, which are off by default. Re-enable them via the opt-in in docs/users/incompatibilities.md.
- kexec/kdump, hibernation, and /dev/mem-based tools do not work.
- Every module must be signed. An unsigned out-of-tree module will not load (MODULE_SIG_FORCE).
Per-symptom workarounds are in docs/users/incompatibilities.md. Keep your distro's stock kernel installed as a recovery fallback; both coexist and GRUB lists both.
Layout
| Path | Contents |
|---|---|
| build/ | Kernel build pipeline: fetch, patch, configure, build, sign |
| tools/ | Publish, prune, reproducibility check |
| configs/ | Kernel .config overlays and the hardening-policy doc |
| containers/ | Pinned build environments per target |
| keys/ | Pinned public keys for upstream source verification |
| .forgejo/workflows/ | CI definitions |
| docs/users/ | End-user install, Secure Boot, pinning, recovery |
| docs/operators/ | Runner, signing-key, Fastly, reverse-proxy setup |
| shim/ | UEFI shim build (currently blocked; signing key isn't HSM-backed) |
| releases/ | Per-release manifests |
Installation
Once Phase 1 publishes packages, end users follow docs/users/install.md. End-user URL: https://repo.unredacted.org/debian (fronted by Fastly), or directly from the origin at https://git.unredacted.org/api/packages/unredacted/debian.
The apt-repo signing key (signs InRelease) has fingerprint:
6E229B1A2E3594F8CAE32393A2907910E8020EB0
That's the exact string gpg --show-keys prints for repository.key. Verify it against this value and the copy at https://unredacted.org before trusting the repo. This is the apt-repo key, distinct from the kernel + module Secure Boot signing key (whose cert fingerprint ships in each release's notes).
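As an added example, not the project's own install script (that will live in docs/users/install.md): a POSIX shell script that performs the fingerprint check above before it trusts the key, then enrols the key with a signed-by sources entry. The fingerprint is the one stated above; the key-file URL under the repo, the local keyring path, and the suite/component names are assumptions for illustration. It checks the primary key's fingerprint only (a subkey fingerprint is not what the README quotes) and refuses a key file that carries more than one primary key.

```shell
#!/bin/sh
# Added example, not part of the linux-hardened repository: verify the apt-repo
# signing key's fingerprint before trusting it, then enrol key and repository.
# Assumptions (illustrative only): KEY_URL, KEYRING, and the "stable main"
# suite/component. EXPECTED_FPR and REPO_URL are the values the README states.
set -eu

EXPECTED_FPR="6E229B1A2E3594F8CAE32393A2907910E8020EB0"
REPO_URL="https://repo.unredacted.org/debian"              # from the README
KEY_URL="${REPO_URL}/repository.key"                       # assumption: where repository.key is served
KEYRING="/etc/apt/keyrings/unredacted-linux-hardened.gpg"  # assumption: local keyring name

# Extract primary-key fingerprints from `gpg --with-colons` output.
# In that format the fpr record following a "pub" record is the primary key's;
# fpr records following "sub" belong to subkeys and must not be compared.
# The fingerprint is field 10 of an fpr record.
primary_fprs_from_colons() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    '
}

# Accept only when exactly one primary key is present and it is the expected one.
# Two primary keys in one file is a reason to stop, not to pick one.
fprs_match_expected() {
    fprs="$1"; expected="$2"
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] && [ "$fprs" = "$expected" ]
}

# Run gpg on a downloaded key file and apply the check above.
# A file gpg cannot parse yields no fpr records, which fails the check.
check_key_file() {
    keyfile="$1"; expected="$2"
    fprs="$(gpg --batch --show-keys --with-colons "$keyfile" | primary_fprs_from_colons)"
    fprs_match_expected "$fprs" "$expected"
}

# Download, verify, dearmor, and write a signed-by sources entry.
install_repo() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$KEY_URL" -o "$tmp"
    if ! check_key_file "$tmp" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch for $KEY_URL; refusing to trust it" >&2
        return 1
    fi
    sudo install -d -m 0755 /etc/apt/keyrings
    gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
    # Assumption: suite and component; take the real ones from docs/users/install.md.
    printf 'deb [signed-by=%s] %s stable main\n' "$KEYRING" "$REPO_URL" \
        | sudo tee /etc/apt/sources.list.d/unredacted-linux-hardened.list > /dev/null
    sudo apt-get update
}

# Constructed sample of gpg colon output (not a real key): one primary key
# carrying the README's fingerprint plus one signing subkey, so the parser's
# primary-vs-subkey distinction can be exercised offline.
SAMPLE_COLONS='pub:-:4096:1:A2907910E8020EB0:1700000000:::-:::scESC::::::23::0:
fpr:::::::::6E229B1A2E3594F8CAE32393A2907910E8020EB0:
uid:-::::1700000000::0000000000000000000000000000000000000000::Unredacted apt repo <apt@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1700000000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Only touch the system when asked explicitly: `sh verify-apt-key.sh install`
if [ "${1:-}" = "install" ]; then
    install_repo
fi
```

Run with no arguments it does nothing to the system; `install` performs the download, check, and enrolment. Keeping the signer in its own file under /etc/apt/keyrings with `signed-by=` scopes the key to this repository instead of letting it sign for every source on the machine.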
License
GPLv2. See LICENSE.
Security
- Contact: security@unredacted.org. PGP key fingerprint will be added to SECURITY.md once generated.
- Policy: SECURITY.md
- CVE response SLA: docs/users/cve-policy.md
Funding
Sustained by the unredacted.org 501(c)(3). Donations fund the engineering hours behind the CVE SLA; details and how to give in docs/users/donate.md.
Reproducibility
Each release ships a manifest.json recording every input hash and the container image digest used to build it. The byte-identical rebuild contract applies to the unsigned .debs; the signing layer is attested separately by the cert fingerprint in the manifest. Independent rebuild instructions live in docs/users/building-from-source.md.
Authorship and review
Substantial portions of the build pipeline, scripts, and documentation in this repository were co-authored with Claude (Anthropic) during pair-programming sessions. Each commit's Co-Authored-By: trailer records the model and the human committer responsible for review. Signing keys, infrastructure secrets, and final-merge authority remain in human hands.