immune kernel — immune to rootkits, backdoors, exploits · based on the Linux 6.6.129 LTS kernel免疫内核 — 抵御 rootkit、后门、漏洞利用 · 基于 Linux 6.6.129 LTS 内核
Tired of upgrading systems and running incident response behind every AI-found exploit. Counter AI with immunity, stay ahead of the bugs, stay ahead of the hackers.拒绝苦哈哈的跟在AI挖漏洞后面升级系统和应急响应。以免疫对抗 AI,走在漏洞前面,走在黑客前面。
For lazy sysadmins · change-resistant quant trading systems · sensitive servers that need immunity from 0-day exploits and rootkit backdoors · long-running servers适合:懒得折腾的运维 · 拒绝变更的量化交易系统 · 需要免疫 0day 漏洞和各种 rootkit 后门的敏感服务器 · 长期稳定运行的服务器
curl -fsSL https://immkernel.org/immkernel.sh | bashcurl -fsSL https://immkernel.org/immkernel_cn.sh | bashAs AI mass-discovers vulns, exploits ship faster.AI 爆发后漏洞数会激增,exploit 也会出得更快。
| CVE | description描述 |
|---|---|
| 2026-31431 | copy.fail · page-cache write LPE |
| 2026-43284 | dirtyfrag (xfrm-ESP) · page-cache primitive |
| 2026-43500 | dirtyfrag (RxRPC) · page-cache primitive |
immkernel vs stock Ubuntu, Debian, and Amazon Linux 2023 kernels — fio · sysbench · wrk · redis-benchmark · pgbench.immkernel vs Ubuntu、Debian、Amazon Linux 2023 默认内核 — fio · sysbench · wrk · redis-benchmark · pgbench。
Pick the tier that matches your security requirement and operational constraints.按你的安全需求和运维约束挑版本。
| immkernel-lite | immkernel-pro | immkernel-promax | |
|---|---|---|---|
| CVE immunity漏洞免疫 | partial部分 | most绝大部分 | near-perfect接近完美 |
| Rootkit / backdoor immunityrootkit 后门免疫 | — | most绝大部分 | near-perfect接近完美 |
| Maximum-security immunity极致安全免疫 | — | — | ✓ |
| Audience适用者 | low-touch ops, defending against AI-found CVEs懒得折腾的运维,对抗 AI 挖漏洞 | advanced security pros进阶的安全专家 | security pros chasing the limit追求极致的安全专家 |
| Workloads适用业务 | quant trading and most long-running stable services量化交易和长期稳定运行的绝大部分服务 | security-sensitive services安全敏感的服务 | highly security-sensitive services安全高度敏感的服务 |
| Release status发布状态 | released已发布 | unreleased未发布 | not on roadmap未在计划中 |
Q: Did you modify the kernel source code?问:你修改了内核代码吗?
A: No. Pure upstream Linux 6.6.129 — the immunity comes from configuration alone.答:没有。基于纯净的 6.6.129 内核,免疫能力完全来自配置。
Q: Are there known CVEs in this kernel version?问:这个内核版本有漏洞吗?
A: Yes — the code paths for copy.fail and dirtyfrag are still present, but the kernel is already immune. We deliberately stay on this version. Try to exploit it.答:有。copy.fail 和 dirtyfrag 漏洞相关代码都在,但已经免疫了。我们故意不用最新版本,大家可以打打看。
Q: Do apps need configuration changes after install?问:装完之后应用要改配置吗?
A: The default immkernel-lite needs no changes. immkernel-pro will require some tuning, but it isn't released yet — nothing to worry about, just run the one-click install.答:默认的 immkernel-lite 不需要改,pro 需要一些微调,但还没放出来,所以不必担心,一键安装就是了。
Q: How do I roll this out without causing trouble?问:怎么用这个内核不捅娄子?
A: Phased rollout, always. Test environments first, production second. Edge services before core ones. Move with intent, not in haste.答:务必记得灰度部署。先在测试环境部署,再到正式环境部署;先在边缘业务部署,再到核心业务部署。目标清晰但不着急不冒进。
Q: A service won't start. What do I do?问:我有服务跑不起来怎么办?
A: First, paste the error log into an AI assistant for triage. If you're still stuck, email me — but include the actual error message and a description of what you're trying to do, or I can't help either.答:先把错误信息给 AI 帮你分析一下。如果还搞不定,发邮件给我,我帮你看看,但务必带上完整错误信息和描述,否则我也爱莫能助。
Q: Does it immunize against every CVE and rootkit backdoor?问:能免疫所有漏洞和 rootkit 后门吗?
A: Definitely not all. But it covers the vast majority, orders of magnitude more than a stock kernel. Unless your bar is exceptionally high, this is enough to let you sit back and watch the AI-driven CVE storm without flinching.答:肯定不可能。但能免疫绝大多数,相对默认内核来说,免疫能力增强了很多很多。如果要求不是特别极致,基本够用了,足以让我们笑看 AI 挖洞云起云舒。
Q: Will you publish a list of the rootkits and backdoors it's immune to?问:免疫的 rootkit 和后门会给清单吗?
A: No.答:不会。
Q: How do I combine immkernel with other security tools?问:组合拳怎么打?
A: Pair immkernel with an EDR/HIDS for genuine 1+1>2 synergy. Because the kernel has shut down most of the routes attackers use to take over a system, your security tooling sees a cleaner picture — fewer rootkit-induced blind spots, more authentic signal.答:在 immkernel 安全免疫内核的保护下结合 EDR/HIDS,让我们占据更有利的位置,1+1>2。因为内核堵住了黑客成为系统主宰的好些路子,安全工具的结果更可靠、更真实。
Q: Will you publish the kernel config?问:会公开内核配置文件吗?
A: No. If you're worried about security, the kernel source is already public — have an AI download and analyze it for you. Whether what's in here counts as novel is for you to judge. But this thing was built on my late nights, distilling 20+ years of hands-on Linux offensive and defensive security work. In the AI era CVEs land faster and exploits land faster still, so I'm releasing this as my contribution back to the open-source community, with no plans to monetize. If you have the skills and the time, you can absolutely build your own. I'm just not making it easy for the rebrand-and-claim crowd.答:不会。如果你担心安全问题,内核代码本来就是公开的,你可以让 AI 下载研究。有没技术含量见仁见智——但这玩意是我熬夜搞出来的,也承载了我在 Linux 安全攻防 20 多年的实战经验。AI 时代漏洞只会越出越多,exploit 越出越快,作为对开源社区的反哺发出来,也不打算盈利。你有能力和时间的话,我相信你也可以;但我不惯着谣谣领先和自主可控们。
Q: Will you keep maintaining and iterating?问:会继续维护和迭代吗?
A: Yes, but mostly on compatibility and stability. The kernel version stays locked at 6.6.129 unless an LPE breaks immunity or a stability / compatibility issue forces a bump. The whole point is no upgrades, no churn — never go looking for trouble.答:会,但更多是在兼容性和稳定性上迭代。如果这个内核被 LPE 漏洞打掉了,或者出现稳定性/兼容性问题,会升级;否则版本就锁定在 6.6.129。因为我们的核心目标就是不升级不折腾,没事绝对不自己找事。
Q: Is the install process safe? What about supply-chain risk?问:安装过程安全吗?有供应链风险吗?
A: GPG signatures and SHA256 checksums are verified end-to-end. I keep the install chain as simple as I can. Because no kernel source has been modified, there is no contributor pipeline to compromise — poisoning the supply chain is materially harder than for projects shipping custom code.答:装的时候有 GPG 签名和 SHA256 校验,我会尽量让整个过程简单又安全。因为没有改任何内核代码,所以也没有代码贡献者通道,投毒不那么容易。
Q: My boss is worried immkernel might have a backdoor. What now?问:老板担心 immkernel 有后门怎么办?
A: Up to you. If you're a tier-one player, just have an AI study the source — I've revealed most of the thinking, kept a bit hidden, but nothing stops you from rolling your own. If you're not tier-one, AND you worry about immkernel's security, AND you think CVE exposure would hurt you, AND you don't want to patch CVEs yourself, AND you want it all for free — mate, that takes money. But I don't take money and I don't accept donations either. So figure it out yourself.答:看你自己选。如果你是头部玩家,让 AI 研究就好——思想我已经透露了一部分,虽然还藏了一点,这也不妨碍你自己搞一套。如果你不是头部玩家,又担心 immkernel 的安全问题,又觉得漏洞对你影响大,又不想自己修漏洞,这既要又要还要更要的逻辑——老铁,得掏钱。但我不要钱也不接受任何形式的捐赠,所以自己想办法吧。