Anyone using the Hardened kernel ? I need some advice

Since under Arch/EndeavourOS I get many kernel updates I thought I should learn how do system maintenance. I mean uninstall old kernels to save disk space. I didn’t find any useful info about that but I found this Wiki which is about kernels. The wiki says this

Hardened — A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits. It also enables more upstream kernel hardening features than linux.

Q1)Nftables is already enabled on my system. There are no services listening on any port so all ports are closed. Will installing this kernel make my system even more secure ?

Q2) When I installed the LTS kernel I used the command

sudo pacman -S linux-lts linux-lts-headers

So there was this “linux-lts-headers” after linux-lts. When I visit the hardened kernel page I see only “linux-hardened”. No mention of headers. So in case of the hardened kernel its only this ?

sudo pacman -S linux-hardened

There is a matching headers package:

Repository      : extra
Name            : linux-hardened-headers
Version         : 5.12.14.hardened1-1
Description     : Headers and scripts for building modules for the Security-Hardened Linux kernel
Architecture    : x86_64
URL             : https://github.com/anthraxx/linux-hardened
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : None
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 22.28 MiB
Installed Size  : 125.14 MiB
Packager        : Levente Polyak <anthraxx@archlinux.org>
Build Date      : Thu 01 Jul 2021 12:41:06 PM CDT
Validated By    : MD5 Sum  SHA-256 Sum  Signature

I just installed the hardened kernel using the command

sudo pacman -S linux-hardened linux-hardened-headers 

I will start using it as soon as I reboot. Never used this kernel so don’t know what to expect and even if this kernel makes my system more secure there is no way for an average home user like me to know that coz whatever happens will be happening in the background.

I’m using it…
Noticed that my folder mapping using samba won’t work using SMB 2.0, so you need to change it to samba 3.0 inside the fstab…

Useful info about kernel hardened:
https://wiki.archlinux.org/title/Security#Kernel_hardening

[marcelo@eos ~]$ uname -a
Linux eos 5.12.17-hardened1-1-hardened #1 SMP PREEMPT Sat, 17 Jul 2021 19:22:25 +0000 x86_64 GNU/Linux

Wow this kernel has lots of security features most of which I have never heard before. I will just Google and try to learn. I don’t use Samba or any of the following so I don’t think I will face any issues.

However, it should be noted that several packages will not work when using this kernel. For example:

If you use an out-of-tree driver such as NVIDIA, you may need to switch to its DKMS package.

Also, at least as late as Gnome 3.36, Arch Hardened was not compatible with all features in Gnome. Most notable you could not change user account setting (portrait etc) with a hardened kernel due permission issues.

I am using XFCE. I will use this kernel for a whole day & write back my experience.

2 Likes

telegram-desktop also complains a little bit about this kernel, but it works
First two times I launched it closed… but now it’s working, not sure what happened during the 1st two attempts…
I guess applications that needs to access real-time priority for thread will get into problems, but this is only a speculation

Edit: Launched using the non hardened kernel and got the same error regarding the real-time priority, so I guess the above speculation is not accurate…

You can find the source code page easily with command:

  eos-pkginfo linux-hardened

I just tried that but frankly a knowledgeable user needs to translate that into English so that a novice can understand but I must say that after reading what others have said so far I am able to understand that this kernel is pretty restrictive in nature which is very nice. Its exactly what I want. If using the hardened kernel provides me the security which equivalent to OpenBSD or HardenedBSD its a really good thing. I have used OpenBSD in the past but problem is its designed for servers & to use it as a desktop os one needs to do a ridiculous amount of tweaking.

Used the hardened kernel for a whole day. No issues whatsoever. This is going to be my default kernel from now on.