{"id":21634073,"url":"https://github.com/bedrocksystems/linux-bhv-patches","last_synced_at":"2025-03-18T22:38:23.425Z","repository":{"id":109172529,"uuid":"513059541","full_name":"bedrocksystems/linux-bhv-patches","owner":"bedrocksystems","description":"This repository contains patches for the Linux kernel required for compatibility with the BlueRock Ultra Security System component.","archived":false,"fork":false,"pushed_at":"2025-01-23T12:52:00.000Z","size":1199,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-23T13:39:29.637Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bedrocksystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-12T08:26:14.000Z","updated_at":"2025-01-23T12:49:40.000Z","dependencies_parsed_at":"2023-12-27T11:49:31.549Z","dependency_job_id":"6423e7e3-9fd1-4c30-9c4b-ff7b70203762","html_url":"https://github.com/bedrocksystems/linux-bhv-patches","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bedrocksystems%2Flinux-bhv-patches","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bedrocksystems%2Flinux-bhv-patches/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bedrocksystems%2Flinux-bhv-patches/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/bedrocksystems%2Flinux-bhv-patches/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bedrocksystems","download_url":"https://codeload.github.com/bedrocksystems/linux-bhv-patches/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244320325,"owners_count":20434088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-25T03:15:39.562Z","updated_at":"2025-03-18T22:38:23.406Z","avatar_url":"https://github.com/bedrocksystems.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"Applying BHV Patches\n====================\n\nIn order to apply the BHV patches, they must be applied to the correct upstream Linux kernel\nversion.  
Each patch is named based on the following naming schema:\n\n[KERNEL_PATCH_VERSION]-bhv.patch\n\nFor example, if the BHV patch is meant for the v5.10.79 kernel version, the patch name would\nbe `v5.10.79-bhv.patch`.\n\nThe Linux kernel source can be downloaded from:\n\n\u003chttps://www.kernel.org/\u003e\n\nor, if you prefer to work with git, the upstream repository can be found here:\n\n\u003cgit://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\u003e\n\nIn order to apply the patch, simply copy the patch file into the Linux kernel source folder\n(of the appropriate version), then apply the patch with:\n\n`patch -p0 \u003c v5.10.79-bhv.patch`\n\nIn the example above, we apply the patch for the 5.10.79 Linux kernel; you may have to\nsubstitute the kernel version number for your particular patch.\n\nConfiguring the Kernel\n======================\n\nIn order to configure the kernel, you will need to enable BHV VAS support. This is enabled\nby enabling the `BHV_VAS` configuration option in the patched Linux kernel.\n\nOptionally, you can choose how the Linux kernel should respond on a failed hypercall.  With\nthe `BHV_PANIC_ON_FAIL` configuration option, you can determine whether the kernel will panic\nor not.  For a production system it is generally recommended that this option be set.\n\nHere is a full list of additional BRASS kernel config options:\n\n- `BHV_ALLOW_SELINUX_GUEST_ADMIN`: Allow the guest to perform SELinux administration if the host disabled guestpolicy support.  This should be set to `n` only if you intend to manage SELinux policy from the host.\n\n- `BHV_CONST_CALL_USERMODEHELPER_KERNEL`: Make all paths in the kernel that are passed to `call_usermodehelper` constant such that they cannot be updated. This should be set to `y` on production systems if you do not intend to update default paths.\n\n- `BHV_CONST_CALL_USERMODEHELPER_MODULES`: Make all paths in modules that are passed to `call_usermodehelper` constant such that they cannot be updated. 
This should be set to `y` on production systems if you do not intend to update default paths.\n\n- `BHV_VAS_DEBUG`: Build BHV guest support with DEBUG information. This should be set to `n` on production systems.\n\n- Ensure that the `bhv` LSM is enabled by adding it in `Security options -\u003e Ordered list of enabled LSMs`.\n\n- `MODULE_SIG`: Enable module signature verification. This should be set to `y` in production systems.\n\n- `MODULE_SIG_FORCE`: Require modules to be validly signed. This should be set to `y` in production systems.\n\n- `EXT4_FS` and `XFS_FS`: Support for Extended 4 (ext4) and XFS filesystems. These are set automatically to `y` by BHV_VAS.\n\n- `MEMCG` and `MEM_NS`: These should be set to `y` if you intend to use strong isolation.\n\n- `BHV_FREEZE_MEMORY_AFTER_BOOT`: Automatically issue memory freeze hypercalls after the system boots. Among other consequences, this prevents kernel modules from being loaded after the system is booted.\n\n- `BHV_LOCKDOWN`: Automatically turns on our most secure settings. As of this writing, this:\n    - enables `BHV_FREEZE_MEMORY_AFTER_BOOT`, `BHV_PANIC_ON_FAIL` and `BHV_CONST_MODPROBE_PATH`;\n    - disables various kernel tracing options (`FTRACE`, `KPROBES`), `BPF_JIT` and `DEBUG_KERNEL`.\n\n- `BHV_FORCE_STRICT_FILEOPS`: Enable strict mode checking for supported file operations instances. This flags uses of unsupported file operations instances as violations. Note: this mode can also be enabled by passing `bhv_strict_fileops` on the kernel command line as a boot parameter.\n\n- `BHV_VAULT_SPACES`: Enable the spaces-based vault. The spaces-based vault is intended to guard any code-patching-related in-guest activities, including alternative instructions, jump labels, static calls, static call keys, and tracepoints.\n\nFinally, using `KPROBES` within the Linux kernel will cause BHV kernel integrity violations. 
To ensure this does not happen, these tracing features can be configured out of the kernel by disabling `KPROBES`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbedrocksystems%2Flinux-bhv-patches","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbedrocksystems%2Flinux-bhv-patches","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbedrocksystems%2Flinux-bhv-patches/lists"}