- UEFI + Secure Boot without a second-stage boot loader
- Plymouth for a graphical boot screen
- LUKS2 encrypted disk (256-bit AES-XTS, SHA3-512, Argon2id)
- Btrfs with subvolumes, snapshotting and zstd compression
- AppArmor for Mandatory Access Control
- Nftables for firewalling
- Wi-Fi and Bluetooth support
- KDE Plasma desktop environment

- -fPIE/-fPIC: Generate a position-independent executable (PIE) or position-independent code (PIC), for executables and shared libraries, respectively. All constant addresses are accessed through a global offset table (GOT). This is also known as Address Space Layout Randomization (ASLR).
- -fstack-clash-protection: Generate code to prevent stack-clash-style attacks: the compiler will only allocate one page of stack space at a time, and each page is accessed immediately after allocation. This prevents allocations from jumping over any stack guard page provided by the OS.
- -fstack-protector-all: Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to all functions.
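
One way to confirm that a build actually picked up these flags, as an added example that is not part of the original gist: a small Python reader for little-endian ELF64 images that reports PIE and stack-protector status. The function names and the two sample images are constructed for illustration, and both checks are heuristics (an assumption labelled in the comments).

```python
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address vs. relocatable image
PT_LOAD, PT_INTERP = 1, 3   # p_type values used below

def elf_hardening(data: bytes) -> dict:
    """Report PIE and stack-protector status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # p_type is the first 32-bit field of every program header entry.
    p_types = {struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    return {
        # Heuristic (assumption): -fPIE -pie output is ET_DYN and requests an
        # interpreter; ET_EXEC is non-PIE. Static-PIE is not recognised here.
        "pie": e_type == ET_DYN and PT_INTERP in p_types,
        # Heuristic (assumption): in a dynamically linked binary, protected
        # functions reference __stack_chk_fail, so the name is in its strings.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def make_sample(e_type: int, strings: bytes, interp: bool = True) -> bytes:
    """Constructed test image: ELF64 header, one program header, string blob."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if interp else PT_LOAD,
                       4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdr + strings

# Constructed samples, not real binaries.
HARDENED = make_sample(ET_DYN, b"\0__stack_chk_fail\0puts\0")
LEGACY = make_sample(ET_EXEC, b"\0strcpy\0puts\0")

if __name__ == "__main__":
    print("hardened:", elf_hardening(HARDENED))
    print("legacy:  ", elf_hardening(LEGACY))
```

-fstack-clash-protection leaves no comparable symbol behind, so this check says nothing about it.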
```sh
#!/bin/sh
# Force a full rebuild under Clang's static analyzer with the insecure-API checkers enabled.
scan-build \
    -enable-checker security.insecureAPI.bcmp \
    -enable-checker security.insecureAPI.bcopy \
    -enable-checker security.insecureAPI.bzero \
    -enable-checker security.insecureAPI.decodeValueOfObjCType \
    -enable-checker security.insecureAPI.rand \
    -enable-checker security.insecureAPI.strcpy \
    --use-cc="$(command -v clang)" \
    make -B -j"$(nproc)"
```
```sh
#!/bin/sh
# Required dependencies: wget qemu-system-x86 edk2-ovmf qemu-audio-pipewire qemu-ui-spice-app qemu-hw-display-virtio swtpm virt-viewer
if [ ! -f "Win11.qcow2" ]; then
    # Omit `-o nocow=on` if you're on a journaled filesystem
    qemu-img create -f qcow2 Win11.qcow2 -o nocow=on 64G || exit
fi
if [ ! -f "Win11_23H2_English_x64v2.iso" ]; then
```
```bash
#!/bin/bash
## This is a script for installing Hardened Gentoo on the Raspberry Pi 5:
### Init: OpenRC
### Libc: Musl
### Network: Ethernet w/ static addressing only - no Wi-Fi, Bluetooth or DHCP bloat
### Audio: ALSA - no OSS, JACK, PulseAudio or PipeWire bloat
### Video: Mesa w/ Gallium3D, VAAPI hardware acceleration, Vulkan
## This script assumes you're already booted into a live installation CD of some sort
```