Use hardened Linux Kernels from git

ArchEr9 · 2025-09-18 02:01:42

This is a followup question to my earlier post

There are Linux Hardened LTS Kernels available from the Git repository, anthraxx / linux-hardened. These include LTS Hardened kernels. Some of them are not available on Arch repositories or in AUR. If some of them are listed in AUR, then they are old, not been updated since 2024.

So if I wanted to use say the Linux Hardened LTS Kernel 6.12.x or Linux Hardened LTS Kernel 6.6.x how can it be done? Is there a way I can use pacman for this? i.e. use pacman to build the kernels as well as initramfs. The rationale for using pacman is so that I the associated hooks used to build Arch based initramfs are used.

The Git Repository, i.e. anthraxx / linux-hardened, is just what I know off. If there is some other Git repository that can be looked at it or some sourceforge repository that should be looked at, that also would do.

seth · 2025-09-18 07:43:24

https://wiki.archlinux.org/title/Arch_Linux_Archive
https://wiki.archlinux.org/title/Arch_build_system

Succulent of your garden · 2025-09-18 11:31:53

Also:

https://archlinux.org/packages/extra/x8 … -hardened/

https://wiki.archlinux.org/title/Kernel

Arch Wiki wrote:

Hardened — A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits. It also enables more upstream kernel hardening features than linux.
https://github.com/anthraxx/linux-hardened || linux-hardened

But If I'm not wrong the package in extra repo is not using LTS.

Also I recommend to add the native Linux LTS kernel in your system as a backup, if by the hardening something doesn't works after an update, you can switch to normie LTS kernel to keep working until the hardened version gets fixed ^^

ArchEr9 · 2025-09-19 03:12:42

seth wrote:

https://wiki.archlinux.org/title/Arch_Linux_Archive

Isnt this for downgrading to an earlier version of packages?

seth wrote:

https://wiki.archlinux.org/title/Arch_build_system

I will have a look at this. Thanks.
Any tips, hints, suggestions before I get started on this? Some typically gotchas or pitfalls to avoid?

ArchEr9 · 2025-09-19 03:20:22

Succulent of your garden wrote:

Also:
https://archlinux.org/packages/extra/x8 … -hardened/
https://wiki.archlinux.org/title/Kernel
Arch Wiki wrote:
Hardened — A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits. It also enables more upstream kernel hardening features than linux.
https://github.com/anthraxx/linux-hardened || linux-hardened
But If I'm not wrong the package in extra repo is not using LTS.

WAIT WHAT? The development on Kernel 6.12.x has stopped. Only the LTS Kernel 6.12.x is being patched by the Linux kernel team. If anthraxx/linux-hardened is not using the LTS Kernel then how is it getting in the patches incorporated into the 6.12 Kernel? Is it even incorporating those fixes into the 6.12.x Hardened kernel that it releases?

Succulent of your garden wrote:

Also I recommend to add the native Linux LTS kernel in your system as a backup, if by the hardening something doesn't works after an update, you can switch to normie LTS kernel to keep working until the hardened version gets fixed ^^

That is a great trip, thanks. This is a good suggestion, to help in determining if the kernel is causing some issues or unexpected or undesirable behaviors in some packages. If a package crashes or freezes then boot into the LTS kernel, without the hardening changes applied, and then test it out.

seth · 2025-09-19 08:08:02

Sorry, also completely missed the LTS part.
https://aur.archlinux.org/packages/linux-hardened-lts is orphaned but you can probably leverage the PKGBUILD resp. directly https://gitlab.archlinux.org/archlinux/ … type=heads and possibly older versions of https://gitlab.archlinux.org/archlinux/ … type=heads

Succulent of your garden · 2025-09-19 12:00:10

ArchEr9 wrote:

WAIT WHAT? The development on Kernel 6.12.x has stopped. Only the LTS Kernel 6.12.x is being patched by the Linux kernel team. If anthraxx/linux-hardened is not using the LTS Kernel then how is it getting in the patches incorporated into the 6.12 Kernel? Is it even incorporating those fixes into the 6.12.x Hardened kernel that it releases?

There are branches in git ^^ https://github.com/anthraxx/linux-hardened/branches
Also releases for different kernels ^^ https://github.com/anthraxx/linux-hardened/releases

As you can see the kernel in extra repo package is not LTS https://archlinux.org/packages/?name=linux-hardened and it's up to date as I can see.

ArchEr9 wrote:

That is a great trip, thanks. This is a good suggestion, to help in determining if the kernel is causing some issues or unexpected or undesirable behaviors in some packages. If a package crashes or freezes then boot into the LTS kernel, without the hardening changes applied, and then test it out.

Exactly! That's the reason why is a good idea to have a backup kernel ^^

Probably someone could mantain the hardened-LTS version in AUR, I can't ,I don't have the time,sniff. but if I have it, right now I would had been making the PKGBUILD

Last edited by Succulent of your garden (2025-09-19 12:02:35)

loqs · 2025-09-19 15:13:50

Succulent of your garden wrote:

Probably someone could mantain the hardened-LTS version in AUR

https://gitlab.archlinux.org/archlinux/ … ote_282113

Succulent of your garden · 2025-09-19 16:20:15

The gitlab discussion wrote:

This applies to the LTS kernels too. If a security fix in mainline doesn't apply cleanly to older branches, and no one steps up to do the work, it will often not be backported to any LTS kernels at all. The only way to get all the security fixes is to run the latest kernel at all times.

Can this be done ? I mean I was sure that LTS does have the security updates always. But this comment gives me doubt.

loqs · 2025-09-19 19:52:31

Succulent of your garden wrote:

Can this be done ? I mean I was sure that LTS does have the security updates always. But this comment gives me doubt.

https://lore.kernel.org/stable/?q=%22failed+to+apply%22

Succulent of your garden · 2025-09-19 22:27:04

But at least I think that those patches that are critical CVE are fixed in asap in any supported version right ? I mean those are emails troubleshooting the issue right ? Since the patching for some specific versions doesn't works so easily in some ocasions.

Last edited by Succulent of your garden (2025-09-19 22:28:44)

Arch Linux

#1 2025-09-18 02:01:42

Use hardened Linux Kernels from git

#2 2025-09-18 07:43:24

Re: Use hardened Linux Kernels from git

#3 2025-09-18 11:31:53

Re: Use hardened Linux Kernels from git

#4 2025-09-19 03:12:42

Re: Use hardened Linux Kernels from git

#5 2025-09-19 03:20:22

Re: Use hardened Linux Kernels from git

#6 2025-09-19 08:08:02

Re: Use hardened Linux Kernels from git

#7 2025-09-19 12:00:10

Re: Use hardened Linux Kernels from git

#8 2025-09-19 15:13:50

Re: Use hardened Linux Kernels from git

#9 2025-09-19 16:20:15

Re: Use hardened Linux Kernels from git

#10 2025-09-19 19:52:31

Re: Use hardened Linux Kernels from git

#11 2025-09-19 22:27:04

Re: Use hardened Linux Kernels from git

Board footer