KDE Linux Hardens System by Removing Kernel Modules and Unused Packages
KDE Linux has undergone a security audit, leading to the removal of several kernel modules and unused packages to reduce its attack surface and improve security.

The KDE Linux project has undertaken a significant security enhancement initiative, removing a number of kernel modules and unused software packages following a recent security audit. This proactive measure was prompted by the discovery of multiple vulnerabilities within the upstream Linux kernel in the preceding month, driving the project to re-evaluate its component set.
The audit, conducted by three key contributors, focused on identifying and eliminating insecure and redundant software. A primary outcome was the decision to revert to the vanilla Linux kernel. The project had previously been using the Zen kernel, but the audit concluded that the benefits it offered were minimal, as the team had already implemented comparable configuration adjustments in their custom build.
Specifically, the af_alg kernel modules were removed because they were identified as both insecure and unused. Furthermore, the out-of-tree OpenRazer and APFS kernel modules were also deprecated. Keeping these modules would have been an obstacle to passing future secure boot reviews, a critical requirement for the operating system. While the project aims to find upstream solutions for the functionality these modules provided, APFS support may transition to a userspace FUSE driver, though its long-term viability is uncertain.
Beyond kernel modules, a substantial list of software packages deemed unused was also purged. This included acpi_call, busybox, cryfs, encfs, hplip, v4l2loopback-utils, and vpl-gpu-rt. The removal of fuse2, an unmaintained and known insecure library, is also noteworthy. This change is expected to affect older AppImage applications, which will need to migrate to fuse3. Users encountering issues with such applications are advised to contact the respective application authors or packagers.
Another package removed was fenrir, identified as unused, which also allowed KDE Linux to discontinue its reliance on the Arch User Repository (AUR). Historically, the AUR has been a source of instability for the project, and this move contributes to a more robust and controlled build environment.
In terms of credential management, KDE Linux has replaced KWalletManager and its associated System Settings page with KeepSecret, a Flatpak-packaged application. A new service has also been introduced to streamline the installation of pre-installed Flatpak applications on existing systems, intelligently skipping any that a user has previously removed.
Build testing has also seen improvements. A new test was added to verify that builds do not ship with broken file capabilities, preventing regressions that have occurred previously. Additionally, a new OpenQA-based testing system is under development, building on existing prototypes, to catch faulty builds before they are released.
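One way such a file-capabilities check can work, as an added example that is not the KDE Linux project's own test: it decodes the `security.capability` extended attribute and compares it with a manifest. It assumes "broken" means the attribute is missing, malformed, or grants a different set than expected; the manifest, the `tool-a`/`tool-b` paths and the sample bytes are constructed for illustration.

```python
import errno
import os
import struct

XATTR = "security.capability"
REV_SIZE = {1: 12, 2: 20, 3: 24}  # xattr byte length for VFS_CAP_REVISION_1..3

def parse_vfs_cap(raw):
    """Decode a security.capability xattr into (permitted cap numbers, effective bit)."""
    rev = raw[3] if len(raw) >= 4 else 0  # top byte of the little-endian magic_etc word
    if REV_SIZE.get(rev) != len(raw):
        raise ValueError(f"revision {rev} with length {len(raw)}")
    permitted = 0
    for i in range(1 if rev == 1 else 2):  # one (permitted, inheritable) pair per 32 caps
        word, _inheritable = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= word << (32 * i)
    return {n for n in range(64) if permitted >> n & 1}, bool(raw[0] & 1)

def check_tree(root, expected, read_xattr=lambda p, n: os.getxattr(p, n)):
    """Compare {relative path: cap numbers} in `expected` with the files under root."""
    problems = []
    for rel, want in sorted(expected.items()):
        try:
            caps, _effective = parse_vfs_cap(read_xattr(os.path.join(root, rel), XATTR))
        except OSError as exc:  # ENODATA: the xattr is absent, e.g. dropped by a copy step
            problems.append(f"{rel}: missing ({exc.strerror})")
        except ValueError as exc:
            problems.append(f"{rel}: malformed ({exc})")
        else:
            if caps != want:
                problems.append(f"{rel}: has {sorted(caps)}, expected {sorted(want)}")
    return problems

# Constructed sample: xattr bytes keyed by path, standing in for a built image.
CAP_NET_BIND_SERVICE, CAP_NET_RAW = 10, 13
SAMPLE = {
    "usr/bin/ping": struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0),
    "usr/bin/tool-b": struct.pack("<III", 0x02000001, 1 << CAP_NET_RAW, 0),  # cut short
}
EXPECTED = {"usr/bin/ping": {CAP_NET_RAW}, "usr/bin/tool-a": {CAP_NET_BIND_SERVICE},
            "usr/bin/tool-b": {CAP_NET_RAW}}  # hypothetical manifest

def fake_reader(path, name):
    if path not in SAMPLE:
        raise OSError(errno.ENODATA, os.strerror(errno.ENODATA))
    return SAMPLE[path]

if __name__ == "__main__":
    print("\n".join(check_tree("", EXPECTED, fake_reader)) or "ok")
```

Against a real image tree, call `check_tree` with the mount point as `root` and leave `read_xattr` at its default, which uses `os.getxattr` on Linux.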
Collectively, these changes represent a significant hardening of the KDE Linux operating system. By reducing the attack surface through the removal of unnecessary and potentially vulnerable components, and by moving towards upstream solutions and improved testing, the project is making strides toward a more secure and stable platform, particularly in its efforts to pass secure boot reviews.