In this tutorial we are going to harden the Raspberry Pi’s Linux kernel using the dappersec patchset. From https://dapperlinux.com/index.html:
“Dapper Secure Kernel Patchset is a continuation of the Grsecurity patchset, and is forward ported to the latest Linux kernel release, along with recent stable kernel releases. Dapper Secure Kernel Patchset is free and open source software, and provided to the community so they can patch and build their own hardened kernels.”
We are going to use the older 4.9.x rpi kernel, because the newer 4.14.x kernel does not have any dappersec patches available (yet). Compiling the Linux kernel takes some time depending on your processor speed. Let us now download the tools needed to build the kernel.
We need to download and install git and the rpi’s cross-compilation toolchain, and of course download and verify the dappersec patches. Note that building the Linux kernel needs a fair amount of free disk space.
Download and install git
$ sudo apt update
$ sudo apt install git bc
Cross-compiling (to make things faster)
Download and install the toolchain
$ git clone https://github.com/raspberrypi/tools ~/tools
Set the $PATH environment in bash on 32-bit systems
echo PATH=\$PATH:~/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian/bin >> ~/.bashrc
source ~/.bashrc
Set the $PATH environment in bash on 64-bit systems
echo PATH=\$PATH:~/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin >> ~/.bashrc
source ~/.bashrc
There are a lot of branches in the rpi’s Linux kernel repository:
https://github.com/raspberrypi/linux/branches/stale?page=3
Check out the raspberrypi linux branch 4.9.y (try also the 4.9.y-stable):
$ git clone -b rpi-4.9.y https://github.com/raspberrypi/linux
Note: The 4.9.y branch is EoL (End-of-Life) and is not being maintained anymore. We are just going to demonstrate that dappersec can be used to harden the Pi's Linux kernel; use it in production at your own risk!
Download the dappersec patches for 4.9.x:
https://github.com/dapperlinux/dapper-secure-kernel-patchset-stable/releases
Verify the downloaded patch file’s PGP signature before applying it.
Patch the rpi linux kernel:
$ cd linux && cat ../dapper-secure-kernel-patchset-4.9.80-2018-05-18.patch | patch -p1
Patch the bug in the rtl8812AU driver: https://github.com/abperiasamy/rtl8812AU_8821AU_
add __no_const; in the file include/hal_intf.h, around the line c2h_id_filter c2h_id_filter_ccx; (i.e. the closing "};" of that struct becomes "} __no_const;")
add __no_const; in the file rtw_io.h, below the text void (*_write_port_cancel)(struct intf_hdl *pintfhdl); (the same change to that struct’s closing "};")
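The two driver edits above can be scripted instead of done by hand. The following is an added example (not from the original post or the driver project): it rewrites the closing "};" of the struct containing a given member line to "} __no_const;", which is what the grsecurity constify plugin needs for a function-pointer struct the driver still writes at runtime. The header contents in write_sample_header are a constructed stand-in, and the anchor regex must not contain "/".

```shell
#!/bin/sh
# Added example: automate the __no_const edits the tutorial describes for
# include/hal_intf.h and include/rtw_io.h. The anchor is a regex for the
# struct's last member line; the edit is idempotent and leaves later structs
# in the same file untouched.

# Return 0 if the struct whose member matches $2 already carries __no_const.
is_no_const() {
    sed -n "/$2/,/^}/p" "$1" | grep -q '__no_const'
}

# Rewrite the "};" that closes the struct containing $2 to "} __no_const;".
add_no_const() {
    file=$1
    anchor=$2
    grep -q "$anchor" "$file" || { echo "anchor not found: $anchor" >&2; return 1; }
    is_no_const "$file" "$anchor" && return 0
    # Range from the member line to the next line starting with "}", so only
    # that closing brace is rewritten.
    sed "/$anchor/,/^}/ s/^};/} __no_const;/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed stand-in for include/hal_intf.h (the real header is much larger).
write_sample_header() {
    printf '%s\n' 'struct hal_ops {' \
        '    void (*hal_init)(void *adapter);' \
        '    c2h_id_filter c2h_id_filter_ccx;' \
        '};' '' \
        'struct unrelated {' '    int value;' '};' > "$1"
}

# Stand-alone use: sh add_no_const.sh include/hal_intf.h 'c2h_id_filter_ccx;'
if [ "$#" -ge 2 ]; then
    add_no_const "$1" "$2"
fi
```

For rtw_io.h use a plain fragment such as '_write_port_cancel' as the anchor, since "(" and "*" in the full member line would be read as regex syntax.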
Configure the new kernel:
$ make menuconfig
Enable/Disable the following:
ENABLE GRSEC
ENABLE APPARMOR SUPPORT
ENABLE OLD_ARM_USERLAND
DISABLE PAX_SIZE_OVERFLOW
DISABLE MPROTECT
Start building the kernel (this will take a while, in my case two hours):
$ make -j4 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs
Install the modules to a directory:
$ mkdir modules
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=./modules modules_install
Prepare the files for distribution:
Create a new bash script and execute it.
#!/bin/bash
# Stage the kernel image, device tree blobs and overlays in ./boot
KERNEL=kernel7
mkdir -p boot
cp arch/arm/boot/zImage boot/$KERNEL.img
cp arch/arm/boot/dts/*.dtb boot/
mkdir -p boot/overlays
cp arch/arm/boot/dts/overlays/*.dtb* boot/overlays/
cp arch/arm/boot/dts/overlays/README boot/overlays/
Back up your Pi’s “boot” directory and “/lib/modules” directory.
Copy our generated kernel and module files over; use Midnight Commander if you do not have a GUI.
Install the paxctl and other PaX applications.
Disable MPROTECT on some applications that have issues with it:
$ sudo paxctl -cm /usr/bin/firefox
$ sudo paxctl -cm `which libarm.so`
Reboot your Pi
$ sudo reboot
If your Pi booted fine, congratulations!
$ uname -a
Linux raspbian 4.9.80-dappersec-v7+ #13 SMP Mon Jun 11 17:09:35 +08 2018 armv7l GNU/Linux
I tested this on Raspberry Pi 2 Model B.
It took me 13 times before successfully booting the Pi!
If not, try disabling some grsecurity options in the kernel configuration and recompile the kernel.
Your Pi’s kernel is now hardened but it is outdated (4.9.y)!
You may want to install and use AppArmor as an added security measure. TBD
Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay or patreon. Thank you for your support.
TBD: Screenshots and Log Files
References:
https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=215552&p=1325976#p1325976
https://www.raspberrypi.org/documentation/linux/kernel/building.md