Hello development folks,
while digging a bit deeper into Whonix and their security mechanisms, I recently came across three projects which I think might be useful for IPFire as well, since they improve system hardening and provide a rudimentary replacement for grsecurity, which we unfortunately had to drop due to licence issues a while ago.
These are in particular the Linux Kernel Runtime Guard (LKRG), which comes as a kernel module (not a kernel patchset) and seems to be actively maintained as there were some recent commits for supporting version 5.10. Its homepage can be found here: https://www.openwall.com/lkrg/
"tirdad" mitigates an information leak related to TCP ISNs, which might be dangerous for long-running cryptographic operations and to my surprise does not seem to be fixed in the mainline kernel. It is a module as well, and its Whonix-related repository is available at https://github.com/Whonix/tirdad .
The same project also has a "security-misc" project (package?) available at https://github.com/Whonix/security-misc, which provides various security enhancements. Some of them landed in IPFire as well, some did not, so I thought it might be worth having a look at.
Has anybody had any experience with those aside from Whonix? Thoughts/comments/opinions?
Thanks, and best regards,
Peter Müller