1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-22 17:21:34 -05:00

Compare commits

...

4 Commits

Author SHA1 Message Date
e754f3a5eb
ld.preload path does not needed to be hardcoded
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-27 00:19:46 -07:00
3ec705b520
Remove extra_latent_entropy from karg file
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-26 23:38:22 -07:00
6f0bf8d8a7
Implement hardened_malloc, rename to x86_64-v3
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-26 23:36:13 -07:00
3cb35c79d5
Remove extra_latent_entropy
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-26 21:00:56 -07:00
7 changed files with 64 additions and 8 deletions

View File

@ -28,7 +28,6 @@
"ia32_emulation=0",
"page_alloc.shuffle=1",
"randomize_kstack_offset=on",
"extra_latent_entropy",
"debugfs=off"
]
},

View File

@ -208,5 +208,4 @@ kernel_arguments:
- ia32_emulation=0
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off

View File

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF/La4cBEADGUgoiPUJcEs0DRpWgmmpnMtgRxOiqT4b2R1d9cwtWpMOqQ3eN
OJqSBdzmN+aNwt61XWi4MUAseN5O3L3C+UXIk8HptOmalNySSHcGXk6Kn250Tmy5
O+ZGHlPng1zqOMBBZs1kNYw9aXuxQFCRk1rfFcePreyF+rHuBx0K2EGJPQ7udEf0
znq8gRZ29wFz3TzqGmKVv5cWkdGSUUkQc9ecZX89yBMfuqRXUG/ucojD0gLaQyTy
cjfS/0RE+Bje8Mpe8wswR+hg2qZDO+n9uMY/7dmdctKGU/kdxEBPqe0dak1sJ16M
0bawI+Rq/5RqPYwgEcfTg4VQotvpENUN/uAqi1b0IRLcPE46kXGpY9HIukFkzRKD
N1WMz8D6sVNimV99KucKvXzD/1VvyawChPWJsGCow4OoYrvHTU5f8J7PHStLQ61O
pVjWRbRonpjGBvz3hP0vkwCgy21AkYnRWaSKztwSkIJ36NCqsU24WIH1XgWzxsrf
kniQdXP6+sMCAxV+u6ig671BdtqYqaIGxb15j/wPXuju92myrTGa4rk0uUTur+VV
v0ethh3S8c9yisuRjkV+K/xpoJjGv7MsZf6hkcyIT826cv4Jr8LbtSMVD/pQB93i
olhizs8U0ph+RMnNPC4ZiroPgjDhYDZcIPuWw8WETHrUQDaEj6XgYm8P2QARAQAB
tEhEaXZlc3RlZCBSZWxlYXNlIFNpZ25pbmcgKDIwMjAgIzEpIDxzdXBwb3J0K3Jl
bGVhc2VzaWduaW5nQGRpdmVzdGVkLmRldj6JAk4EEwEIADgWIQRjlfyZEe3NYVhx
Lfe638q92/W2lAUCX8trhwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6
38q92/W2lH49D/9F4f1pGf5ZWZjs7LiW4BQgAOx0NiKsvFTXBAhhUSJwTseB3vnK
ZGx3qoUCI0pk+4Z/YHhY91QTopJHcg/QW8tj/shjtRbzmfBB6dwFQkZtOHofXHMV
DowoY2MXZRd9dRIBhwLRvktZA9yKO1iH0M0vSqxuh8ALkvUlDgfzy0QBsAHjsUTB
FoxGemxT+70zDNx+xL0PusRA25AOn7EXzrjk6E1653KL1sRojqGZ/XzWWw+6dZyM
4Aap3CGrS7+YrXhJTMokOC/OfariDaN02YtlRizztWYEhkJ5SB0kIIlzgrGmY659
b0ENjjHAVK16LfRoDprb1PpC3du2QAVFtBRDqD2zwXBmELjyOpAnSYDuJVPgv4T8
Oty5be+U84lKVIgG5N60VrJzkwi5J+FSx2hTJl0C5BZyKChDXXvlnJI2Y4Qrwjyz
7mx5gjFLZra/yKrVKnfxp5AJ7DxHxNOYn0dcceWBBVC1L5sniim9z4Q5fNRErJT8
ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
=qpX+

View File

@ -0,0 +1,12 @@
[divested]
name=Divested RPM Repository
#baseurl=https://divested.dev/rpm/fedora
metalink=https://divested.dev/rpm/fedora/metalink.metalink
enabled=1
metadata_expire=7d
repo_gpgcheck=1
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-divested
skip_if_unavailable=True
includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc

2
kargs
View File

@ -14,4 +14,4 @@
# This file is just incase you want to quickly copy-paste the kernel arguments into `rpm-ostree kargs`
mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off
mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off

View File

@ -28,7 +28,6 @@
"ia32_emulation=0",
"page_alloc.shuffle=1",
"randomize_kstack_offset=on",
"extra_latent_entropy",
"debugfs=off"
]
},
@ -75,6 +74,18 @@
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json"
}
},
{
"path": "/etc/yum.repos.d/divested-release.repo",
"contents": {
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo"
}
},
{
"path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested",
"contents": {
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested"
}
},
{
"overwrite": true,
"path": "/etc/chrony.conf",
@ -220,12 +231,12 @@
"systemd": {
"units": [
{
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
"name": "postinst.service"
},
{
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo \"libhardened_malloc.so\" | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true,
"name": "postinst2.service"
},

View File

@ -43,7 +43,7 @@ systemd:
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
@ -69,8 +69,10 @@ systemd:
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/echo "libhardened_malloc.so" | tee /etc/ld.so.preload
ExecStart=/usr/bin/systemctl enable --now firewalld
ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
@ -168,6 +170,12 @@ storage:
- path: /etc/docker/daemon.json
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
- path: /etc/yum.repos.d/divested-release.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo
- path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
- path: /etc/chrony.conf
contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf
@ -266,5 +274,4 @@ kernel_arguments:
- ia32_emulation=0
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off