Error with hardened-kernel script in Kicksecure Debian

Support
1

Hello!

I’ve installed Debian Buster at its bare minimum and disabling root. After I’ve installed Kicksecure to run Whonix in KVM. I came across hardened-kernal and downloaded the package.

I ran sudo bash /usr/share/hardened-kernel/build --host within Kicksecure and it seems to compile up till this part:

AR arch/x86/kernel/built-in.a
AR arch/x86/built-in.a
make[2]: *** [debian/rules:4: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
make[1]: *** [scripts/package/Makefile:75: deb-pkg] Error 2
make: *** [Makefile:1368: deb-pkg] Error 2
make: Leaving directory ‘/var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122’

I ran this in my Whonix workstation and it was successful without errors. The goal is top security using Kicksecure as host and Whonix in KVM with all kernals hardened for the utmost of security.

Thanks,
sudobash

2

Hard to diagnose without the relevant code snippets from the files mentioned. Can you paste the relevant code lines from the makefile and debian/rules ?

4

I’m running “sudo bash /usr/share/hardened-kernel/build --host” right now on a fresh install of Kicksecure running just base apps and KVM.

Here is the log:

sudo bash /usr/share/hardened-kernel/build --host
[sudo] password for user:

set -e
:
case $1 in
kernel_config=hardened-host-kernel
shift
:
case $1 in
break
‘[’ hardened-host-kernel = ‘’ ‘]’
+++ dirname /usr/share/hardened-kernel/build
++ cd /usr/share/hardened-kernel
++ pwd
MYDIR=/usr/share/hardened-kernel
whoami
root
env
SHELL=/bin/bash
COLORTERM=truecolor
SUDO_GID=1000
SUDO_COMMAND=/usr/bin/bash /usr/share/hardened-kernel/build --host
SUDO_USER=user
PWD=/home/user
LOGNAME=root
XAUTHORITY=/home/user/.Xauthority
HOME=/root
LANG=en_US.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:.tar=01;31:.tgz=01;31:.arc=01;31:.arj=01;31:.taz=01;31:.lha=01;31:.lz4=01;31:.lzh=01;31:.lzma=01;31:.tlz=01;31:.txz=01;31:.tzo=01;31:.t7z=01;31:.zip=01;31:.z=01;31:.dz=01;31:.gz=01;31:.lrz=01;31:.lz=01;31:.lzo=01;31:.xz=01;31:.zst=01;31:.tzst=01;31:.bz2=01;31:.bz=01;31:.tbz=01;31:.tbz2=01;31:.tz=01;31:.deb=01;31:.rpm=01;31:.jar=01;31:.war=01;31:.ear=01;31:.sar=01;31:.rar=01;31:.alz=01;31:.ace=01;31:.zoo=01;31:.cpio=01;31:.7z=01;31:.rz=01;31:.cab=01;31:.wim=01;31:.swm=01;31:.dwm=01;31:.esd=01;31:.jpg=01;35:.jpeg=01;35:.mjpg=01;35:.mjpeg=01;35:.gif=01;35:.bmp=01;35:.pbm=01;35:.pgm=01;35:.ppm=01;35:.tga=01;35:.xbm=01;35:.xpm=01;35:.tif=01;35:.tiff=01;35:.png=01;35:.svg=01;35:.svgz=01;35:.mng=01;35:.pcx=01;35:.mov=01;35:.mpg=01;35:.mpeg=01;35:.m2v=01;35:.mkv=01;35:.webm=01;35:.ogm=01;35:.mp4=01;35:.m4v=01;35:.mp4v=01;35:.vob=01;35:.qt=01;35:.nuv=01;35:.wmv=01;35:.asf=01;35:.rm=01;35:.rmvb=01;35:.flc=01;35:.avi=01;35:.fli=01;35:.flv=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01;35:.yuv=01;35:.cgm=01;35:.emf=01;35:.ogv=01;35:.ogx=01;35:.aac=00;36:.au=00;36:.flac=00;36:.m4a=00;36:.mid=00;36:.midi=00;36:.mka=00;36:.mp3=00;36:.mpc=00;36:.ogg=00;36:.ra=00;36:.wav=00;36:.oga=00;36:.opus=00;36:.spx=00;36:*.xspf=00;36:
TERM=xterm-256color
USER=root
DISPLAY=:0.0
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SUDO_UID=1000
MAIL=/var/mail/root
_=/usr/bin/env
true 'CI: ’
/usr/share/hardened-kernel/download
set -e
+++ dirname /usr/share/hardened-kernel/download
++ cd /usr/share/hardened-kernel
++ pwd
MYDIR=/usr/share/hardened-kernel
mkdir -p /usr/src/hardened-kernel/files
cd /usr/src/hardened-kernel/files
version=4.19.122

(Removed LINKS here to allow post due to character limit)

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 657 100 657 0 0 323 0 0:00:02 0:00:02 --:–:-- 323
100 97705 100 97705 0 0 20814 0 0:00:04 0:00:04 --:–:-- 57779

true OK
version=4.19.122
working_folder=/var/lib/hardened-kernel/hardened-host-kernel
rm -r -f /var/lib/hardened-kernel/hardened-host-kernel
mkdir -p /var/lib/hardened-kernel/hardened-host-kernel
chmod o-rwx /var/lib/hardened-kernel/hardened-host-kernel
source_folder=/usr/src/hardened-kernel/files
mkdir -p /usr/src/hardened-kernel/files
extracted_linux_kernel_sources_folder=/var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/
ls /usr/src/hardened-kernel/files
linux-4.19.122.tar.sign linux-hardened-4.19.122.a.patch sha256sums.asc
linux-4.19.122.tar.xz linux-hardened-4.19.122.a.patch.sig
ls /var/lib/hardened-kernel/hardened-host-kernel
test -r /usr/src/hardened-kernel/files/linux-4.19.122.tar.xz
test -r /usr/src/hardened-kernel/files/linux-hardened-4.19.122.a.patch
tar -xf /usr/src/hardened-kernel/files/linux-4.19.122.tar.xz -C /var/lib/hardened-kernel/hardened-host-kernel
ls /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/
arch CREDITS firmware ipc lib mm scripts usr
block crypto fs Kbuild LICENSES net security virt
certs Documentation include Kconfig MAINTAINERS README sound
COPYING drivers init kernel Makefile samples tools
cat /usr/src/hardened-kernel/files/linux-hardened-4.19.122.a.patch
patch --silent -p1 -d /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/
cp /usr/share/hardened-kernel/hardened-host-kernel /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122//.config
diff /usr/share/hardened-kernel/hardened-host-kernel /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122//.config
‘[’ ‘’ = true ‘]’
++ nproc
make deb-pkg -j 9 -C /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/
make: Entering directory ‘/var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122’
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/conf.o
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf --syncconfig Kconfig
UPD include/config/kernel.release
make clean
/bin/bash ./scripts/package/mkdebian
TAR linux-4.19.122.tar.gz
origversion=$(dpkg-parsechangelog -SVersion |sed ‘s/-[^-]*$//’);
mv linux-4.19.122.tar.gz …/linux-4.19.122_${origversion}.orig.tar.gz
dpkg-buildpackage -r"fakeroot -u" -a$(cat debian/arch) -i.git -us -uc
dpkg-buildpackage: warning: using a gain-root-command while being root
dpkg-buildpackage: info: source package linux-4.19.122
dpkg-buildpackage: info: source version 4.19.122-1
dpkg-buildpackage: info: source distribution buster
dpkg-buildpackage: info: source changed by root root@user
dpkg-buildpackage: info: host architecture amd64
dpkg-buildpackage: warning: debian/rules is not executable; fixing that
dpkg-source -i.git --before-build .
fakeroot -u debian/rules clean
rm -rf debian/*tmp debian/files
make clean
dpkg-source -i.git -b .
dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
dpkg-source: info: using source format ‘1.0’
dpkg-source: warning: source directory ‘linux-4.19.122’ is not - ‘linux-4.19.122-4.19.122’
dpkg-source: warning: .orig directory name linux-4.19.122.orig is not - (wanted linux-4.19.122-4.19.122.orig)
dpkg-source: info: building linux-4.19.122 using existing linux-4.19.122_4.19.122.orig.tar.gz
dpkg-source: info: building linux-4.19.122 in linux-4.19.122_4.19.122-1.diff.gz
dpkg-source: warning: ignoring deletion of file .scmversion
dpkg-source: warning: the diff modifies the following upstream files:
.clang-format
.cocciconfig
.config.old
.get_maintainer.ignore
.mailmap
CREDITS
LICENSES/exceptions/Linux-syscall-note
LICENSES/other/Apache-2.0
LICENSES/other/CDDL-1.0
LICENSES/other/GPL-1.0
LICENSES/other/Linux-OpenIB
LICENSES/other/MPL-1.1
LICENSES/other/X11
LICENSES/preferred/BSD-2-Clause
LICENSES/preferred/BSD-3-Clause
LICENSES/preferred/BSD-3-Clause-Clear
LICENSES/preferred/GPL-2.0
LICENSES/preferred/LGPL-2.0
LICENSES/preferred/LGPL-2.1
LICENSES/preferred/MIT
MAINTAINERS
README
dpkg-source: info: use the ‘3.0 (quilt)’ format to have separate and documented changes to upstream files, see dpkg-source(1)
dpkg-source: info: building linux-4.19.122 in linux-4.19.122_4.19.122-1.dsc
dpkg-source: warning: missing information for output field Standards-Version
debian/rules build
make KERNELRELEASE=4.19.122 ARCH=x86 KBUILD_BUILD_VERSION=1 KBUILD_SRC=
WRAP arch/x86/include/generated/uapi/asm/bpf_perf_event.h
HOSTCC scripts/basic/fixdep
WRAP arch/x86/include/generated/uapi/asm/poll.h
UPD include/generated/uapi/linux/version.h
SYSTBL arch/x86/include/generated/asm/syscalls_32.h
SYSHDR arch/x86/include/generated/asm/unistd_32_ia32.h
SYSHDR arch/x86/include/generated/asm/unistd_64_x32.h
SYSTBL arch/x86/include/generated/asm/syscalls_64.h
HYPERCALLS arch/x86/include/generated/asm/xen-hypercalls.h
DESCEND objtool
SYSHDR arch/x86/include/generated/uapi/asm/unistd_32.h
SYSHDR arch/x86/include/generated/uapi/asm/unistd_64.h
SYSHDR arch/x86/include/generated/uapi/asm/unistd_x32.h
HOSTCC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/fixdep.o
HOSTLD /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/fixdep-in.o
LINK /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/fixdep
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/exec-cmd.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/help.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/pager.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/parse-options.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/run-command.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/sigchain.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/subcmd-config.o
GEN /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/arch/x86/lib/inat-tables.c
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/arch/x86/decode.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/builtin-check.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/builtin-orc.o
HOSTCC arch/x86/tools/relocs_32.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/check.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/orc_gen.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/orc_dump.o
LD /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/libsubcmd-in.o
AR /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/libsubcmd.a
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/elf.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/special.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/objtool.o
HOSTCC arch/x86/tools/relocs_64.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/libstring.o
LD /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/arch/x86/objtool-in.o
CC /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/str_error_r.o
HOSTCC arch/x86/tools/relocs_common.o
WRAP arch/x86/include/generated/asm/dma-contiguous.h
WRAP arch/x86/include/generated/asm/early_ioremap.h
WRAP arch/x86/include/generated/asm/export.h
WRAP arch/x86/include/generated/asm/mcs_spinlock.h
WRAP arch/x86/include/generated/asm/mm-arch-hooks.h
UPD include/generated/utsrelease.h
HOSTCXX -fPIC scripts/gcc-plugins/latent_entropy_plugin.o
HOSTCXX -fPIC scripts/gcc-plugins/structleak_plugin.o
HOSTLD arch/x86/tools/relocs
GENSEED scripts/gcc-plugins/randomize_layout_seed.h
HOSTCXX -fPIC scripts/gcc-plugins/randomize_layout_plugin.o
LD /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/objtool-in.o
LINK /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/tools/objtool/objtool
HOSTLLD -shared scripts/gcc-plugins/structleak_plugin.so
HOSTLLD -shared scripts/gcc-plugins/latent_entropy_plugin.so
HOSTLLD -shared scripts/gcc-plugins/randomize_layout_plugin.so
HOSTCC scripts/kallsyms
CC kernel/bounds.s
HOSTCC scripts/conmakehash
HOSTCC scripts/sortextable
HOSTCC scripts/asn1_compiler
HOSTCC scripts/sign-file
HOSTCC scripts/genksyms/genksyms.o
CC scripts/mod/empty.o
UPD include/generated/timeconst.h
YACC scripts/genksyms/parse.tab.c
HOSTCC scripts/mod/mk_elfconfig
UPD include/generated/bounds.h
CC arch/x86/kernel/asm-offsets.s
LEX scripts/genksyms/lex.lex.c
CC scripts/mod/devicetable-offsets.s
HOSTCC scripts/extract-cert
YACC scripts/genksyms/parse.tab.h
MKELF scripts/mod/elfconfig.h
UPD scripts/mod/devicetable-offsets.h
HOSTCC scripts/mod/sumversion.o
HOSTCC scripts/genksyms/parse.tab.o
HOSTCC scripts/genksyms/lex.lex.o
HOSTCC scripts/mod/modpost.o
HOSTCC scripts/mod/file2alias.o
UPD include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
HOSTLD scripts/genksyms/genksyms
HOSTLD scripts/mod/modpost
HOSTCC usr/gen_init_cpio
CHK include/generated/compile.h
make[4]: *** No rule to make target ‘debian/certs/debian-uefi-certs.pem’, needed by ‘certs/x509_certificate_list’. Stop.
make[3]: *** [Makefile:1056: certs] Error 2
make[3]: *** Waiting for unfinished jobs…
CC init/main.o
CC mm/filemap.o
CC [M] fs/autofs/init.o
CC arch/x86/events/amd/core.o
UPD include/generated/compile.h
CC kernel/cgroup/cgroup.o
CC arch/x86/entry/vdso/vma.o
AR arch/x86/crypto/built-in.a
CC [M] arch/x86/crypto/glue_helper.o
CC kernel/bpf/core.o
GEN usr/initramfs_data.cpio
AS usr/initramfs_data.o
CC [M] fs/autofs/inode.o
AR usr/built-in.a
AS [M] arch/x86/crypto/aes-x86_64-asm_64.o
LDS arch/x86/entry/vdso/vdso.lds
AS arch/x86/entry/vdso/vdso-note.o
CC [M] arch/x86/crypto/aes_glue.o
CC arch/x86/entry/vdso/vclock_gettime.o
CC arch/x86/events/amd/uncore.o
CC [M] fs/autofs/root.o
AS [M] arch/x86/crypto/des3_ede-asm_64.o
CC [M] arch/x86/crypto/des3_ede_glue.o
AS [M] arch/x86/crypto/camellia-x86_64-asm_64.o
CC arch/x86/entry/vdso/vgetcpu.o
CC [M] arch/x86/crypto/camellia_glue.o
CC init/do_mounts.o
HOSTCC arch/x86/entry/vdso/vdso2c
CC [M] fs/autofs/symlink.o
CC arch/x86/events/amd/ibs.o
AS [M] arch/x86/crypto/blowfish-x86_64-asm_64.o
CC [M] arch/x86/crypto/blowfish_glue.o
VDSO arch/x86/entry/vdso/vdso64.so.dbg
CC [M] fs/autofs/waitq.o
OBJCOPY arch/x86/entry/vdso/vdso64.so
AR kernel/bpf/built-in.a
VDSO2C arch/x86/entry/vdso/vdso-image-64.c
CC arch/x86/entry/vdso/vdso-image-64.o
CC kernel/dma/mapping.o
AS [M] arch/x86/crypto/twofish-x86_64-asm_64.o
AR arch/x86/entry/vdso/built-in.a
CC arch/x86/entry/vsyscall/vsyscall_gtod.o
CC [M] arch/x86/crypto/twofish_glue.o
AS [M] arch/x86/crypto/twofish-x86_64-asm_64-3way.o
CC mm/mempool.o
CC [M] fs/autofs/expire.o
CC [M] fs/autofs/dev-ioctl.o
AR arch/x86/entry/vsyscall/built-in.a
AS arch/x86/entry/entry_64.o
CC arch/x86/events/amd/iommu.o
CC [M] arch/x86/crypto/twofish_glue_3way.o
CC init/do_mounts_initrd.o
CC init/initramfs.o
AS arch/x86/entry/thunk_64.o
CC kernel/dma/direct.o
LD [M] fs/autofs/autofs4.o
CC arch/x86/entry/syscall_64.o
CC kernel/cgroup/rstat.o
CC [M] fs/cachefiles/bind.o
CC [M] arch/x86/events/amd/power.o
CC mm/oom_kill.o
CC init/calibrate.o
CC arch/x86/entry/common.o
CC [M] fs/cachefiles/daemon.o
AS [M] arch/x86/crypto/chacha20-ssse3-x86_64.o
CC init/init_task.o
CC [M] arch/x86/crypto/chacha20_glue.o
AR arch/x86/events/amd/built-in.a
CC init/version.o
CC kernel/dma/swiotlb.o
CC arch/x86/events/intel/core.o
CC kernel/cgroup/namespace.o
AR arch/x86/entry/built-in.a
CC arch/x86/hyperv/hv_init.o
CC [M] fs/cachefiles/interface.o
AS [M] arch/x86/crypto/chacha20-avx2-x86_64.o
CC arch/x86/hyperv/mmu.o
AS [M] arch/x86/crypto/serpent-sse2-x86_64-asm_64.o
AR init/built-in.a
CC [M] arch/x86/crypto/serpent_sse2_glue.o
CC kernel/cgroup/cgroup-v1.o
AS [M] arch/x86/crypto/aesni-intel_asm.o
CC mm/fadvise.o
CC [M] arch/x86/crypto/aesni-intel_glue.o
CC [M] fs/cachefiles/key.o
AR kernel/dma/built-in.a
CC arch/x86/hyperv/nested.o
CC kernel/events/core.o
CC [M] arch/x86/crypto/fpu.o
CC [M] fs/cachefiles/main.o
CC arch/x86/hyperv/hv_apic.o
CC mm/maccess.o
CC [M] fs/cachefiles/namei.o
CC arch/x86/events/intel/bts.o
CC kernel/cgroup/freezer.o
CC [M] fs/cachefiles/rdwr.o
AS [M] arch/x86/crypto/aesni-intel_avx-x86_64.o
AS [M] arch/x86/crypto/aes_ctrby8_avx-x86_64.o
AS [M] arch/x86/crypto/ghash-clmulni-intel_asm.o
AR arch/x86/hyperv/built-in.a
CC [M] arch/x86/crypto/ghash-clmulni-intel_glue.o
CC arch/x86/kernel/acpi/boot.o
CC arch/x86/kernel/acpi/sleep.o
CC kernel/cgroup/pids.o
CC mm/page_alloc.o
CC arch/x86/events/intel/ds.o
CC arch/x86/kernel/apic/apic.o
AS arch/x86/kernel/acpi/wakeup_64.o
CC [M] arch/x86/crypto/crc32c-intel_glue.o
CC [M] fs/cachefiles/security.o
CC kernel/cgroup/rdma.o
CC arch/x86/kernel/acpi/apei.o
CC [M] fs/cachefiles/xattr.o
AS [M] arch/x86/crypto/crc32c-pcl-intel-asm_64.o
AS [M] arch/x86/crypto/sha1_ssse3_asm.o
CC [M] arch/x86/crypto/sha1_ssse3_glue.o
CC arch/x86/kernel/acpi/cppc_msr.o
CC [M] arch/x86/kvm/…/…/…/virt/kvm/kvm_main.o
CC arch/x86/events/intel/knc.o
LD [M] fs/cachefiles/cachefiles.o
CC kernel/cgroup/cpuset.o
CC arch/x86/kernel/acpi/cstate.o
CC [M] fs/configfs/inode.o
AS [M] arch/x86/crypto/sha1_avx2_x86_64_asm.o
AS [M] arch/x86/crypto/sha1_ni_asm.o
CC arch/x86/events/intel/lbr.o
CC arch/x86/kernel/apic/apic_common.o
CC [M] fs/configfs/file.o
AR arch/x86/kernel/acpi/built-in.a
CC [M] arch/x86/kvm/…/…/…/virt/kvm/coalesced_mmio.o
CC arch/x86/kernel/apic/apic_noop.o
CC arch/x86/events/intel/p4.o
CC [M] fs/configfs/dir.o
CC arch/x86/kernel/apic/ipi.o
AS [M] arch/x86/crypto/crc32-pclmul_asm.o
CC arch/x86/kernel/apic/vector.o
CC arch/x86/events/intel/p6.o
CC mm/page-writeback.o
CC arch/x86/events/intel/pt.o
CC [M] arch/x86/kvm/…/…/…/virt/kvm/eventfd.o
AR kernel/cgroup/built-in.a
CC [M] arch/x86/crypto/crc32-pclmul_glue.o
AS [M] arch/x86/crypto/sha256-ssse3-asm.o
CC kernel/irq/irqdesc.o
CC [M] fs/configfs/symlink.o
CC arch/x86/kernel/apic/hw_nmi.o
CC [M] arch/x86/events/intel/rapl.o
CC mm/readahead.o
CC kernel/irq/handle.o
CC kernel/events/ring_buffer.o
CC arch/x86/kernel/apic/io_apic.o
CC [M] fs/configfs/mount.o
CC kernel/irq/manage.o
CC [M] arch/x86/events/intel/uncore.o
CC [M] arch/x86/kvm/…/…/…/virt/kvm/irqchip.o
CC [M] fs/configfs/item.o
CC kernel/irq/spurious.o
CC mm/swap.o
LD [M] fs/configfs/configfs.o
CC [M] fs/crypto/crypto.o
CC kernel/events/callchain.o
CC [M] fs/crypto/fname.o
CC [M] arch/x86/kvm/…/…/…/virt/kvm/vfio.o
CC kernel/irq/resend.o
CC [M] arch/x86/events/intel/uncore_nhmex.o
CC kernel/events/hw_breakpoint.o
CC kernel/irq/chip.o
CC arch/x86/kernel/apic/msi.o
CC [M] arch/x86/kvm/…/…/…/virt/kvm/async_pf.o
CC [M] fs/crypto/hooks.o
CC [M] fs/crypto/keyinfo.o
CC [M] arch/x86/events/intel/uncore_snb.o
CC [M] arch/x86/kvm/x86.o
CC mm/truncate.o
CC [M] fs/crypto/policy.o
CC arch/x86/kernel/apic/x2apic_phys.o
AR kernel/events/built-in.a
AR kernel/livepatch/built-in.a
CC kernel/locking/mutex.o
CC kernel/irq/dummychip.o
AS [M] arch/x86/crypto/sha256-avx-asm.o
CC kernel/locking/semaphore.o
CC [M] arch/x86/events/intel/uncore_snbep.o
AS [M] arch/x86/crypto/sha256-avx2-asm.o
CC [M] arch/x86/crypto/sha256_ssse3_glue.o
CC arch/x86/kernel/apic/x2apic_cluster.o
CC kernel/irq/devres.o
CC [M] fs/crypto/bio.o
CC kernel/locking/rwsem.o
CC arch/x86/kernel/apic/apic_flat_64.o
AS [M] arch/x86/crypto/sha256_ni_asm.o
CC kernel/locking/percpu-rwsem.o
CC mm/vmscan.o
AS [M] arch/x86/crypto/sha512-ssse3-asm.o
AS [M] arch/x86/crypto/sha512-avx-asm.o
CC kernel/irq/generic-chip.o
AS [M] arch/x86/crypto/sha512-avx2-asm.o
CC kernel/locking/spinlock.o
CC [M] arch/x86/crypto/sha512_ssse3_glue.o
LD [M] fs/crypto/fscrypto.o
CC kernel/locking/osq_lock.o
CC fs/devpts/inode.o
CC [M] arch/x86/events/intel/cstate.o
CC arch/x86/kernel/apic/probe_64.o
CC kernel/locking/qspinlock.o
CC kernel/locking/rtmutex.o
AS [M] arch/x86/crypto/crct10dif-pcl-asm_64.o
CC kernel/irq/autoprobe.o
AR fs/devpts/built-in.a
CC [M] arch/x86/crypto/crct10dif-pclmul_glue.o
AR arch/x86/kernel/apic/built-in.a
CC [M] fs/ecryptfs/dentry.o
AR arch/x86/events/intel/built-in.a
LD [M] arch/x86/events/intel/intel-rapl-perf.o
LD [M] arch/x86/events/intel/intel-uncore.o
LD [M] arch/x86/events/intel/intel-cstate.o
CC arch/x86/events/core.o
CC arch/x86/kernel/cpu/mcheck/mce.o
CC arch/x86/kernel/cpu/microcode/core.o
CC kernel/irq/irqdomain.o
AS [M] arch/x86/crypto/poly1305-sse2-x86_64.o
CC kernel/locking/rwsem-xadd.o
CC [M] fs/ecryptfs/file.o
CC [M] arch/x86/crypto/poly1305_glue.o
CC arch/x86/kernel/cpu/microcode/intel.o
CC [M] fs/ecryptfs/inode.o
AS [M] arch/x86/crypto/poly1305-avx2-x86_64.o
CC mm/shmem.o
CC kernel/locking/qrwlock.o
AS [M] arch/x86/crypto/aegis128-aesni-asm.o
CC [M] arch/x86/crypto/aegis128-aesni-glue.o
CC kernel/irq/proc.o
CC arch/x86/kernel/cpu/mcheck/mce-severity.o
CC arch/x86/kernel/cpu/microcode/amd.o
AR kernel/locking/built-in.a
CC arch/x86/kernel/cpu/mtrr/mtrr.o
CC arch/x86/events/msr.o
AS [M] arch/x86/crypto/aegis128l-aesni-asm.o
CC [M] fs/ecryptfs/main.o
CC kernel/irq/migration.o
CC arch/x86/kernel/cpu/mcheck/mce-genpool.o
CC [M] arch/x86/crypto/aegis128l-aesni-glue.o
CC [M] arch/x86/kvm/mmu.o
AR arch/x86/kernel/cpu/microcode/built-in.a
CC arch/x86/kernel/cpu/cacheinfo.o
CC kernel/irq/cpuhotplug.o
CC arch/x86/kernel/cpu/mcheck/mce_intel.o
AR arch/x86/events/built-in.a
CC [M] fs/ecryptfs/super.o
CC arch/x86/mm/init.o
CC kernel/irq/pm.o
CC arch/x86/kernel/cpu/mtrr/if.o
AS [M] arch/x86/crypto/aegis256-aesni-asm.o
CC arch/x86/kernel/cpu/mcheck/mce_amd.o
CC [M] arch/x86/crypto/aegis256-aesni-glue.o
CC arch/x86/kernel/cpu/scattered.o
CC [M] fs/ecryptfs/mmap.o
CC arch/x86/kernel/cpu/mtrr/generic.o
CC arch/x86/kernel/cpu/topology.o
CC [M] arch/x86/crypto/morus640_glue.o
CC kernel/irq/msi.o
CC mm/util.o
CC arch/x86/kernel/cpu/common.o
CC arch/x86/mm/init_64.o
CC [M] fs/ecryptfs/read_write.o
CC arch/x86/kernel/cpu/mcheck/threshold.o
CC arch/x86/kernel/cpu/mtrr/cleanup.o
CC kernel/irq/affinity.o
CC [M] fs/ecryptfs/crypto.o
CC arch/x86/kernel/cpu/mcheck/therm_throt.o
CC [M] arch/x86/crypto/morus1280_glue.o
CC kernel/irq/matrix.o
AR arch/x86/kernel/cpu/mtrr/built-in.a
CC arch/x86/kernel/cpu/rdrand.o
CC mm/mmzone.o
CC arch/x86/kernel/cpu/match.o
CC mm/vmstat.o
CC arch/x86/kernel/cpu/bugs.o
AR kernel/irq/built-in.a
CC kernel/power/qos.o
CC arch/x86/mm/fault.o
CC arch/x86/kernel/cpu/mcheck/mce-apei.o
AS [M] arch/x86/crypto/morus640-sse2-asm.o
CC [M] arch/x86/crypto/morus640-sse2-glue.o
CC kernel/power/main.o
CC [M] fs/ecryptfs/keystore.o
AS [M] arch/x86/crypto/morus1280-sse2-asm.o
CC [M] arch/x86/crypto/morus1280-sse2-glue.o
CC [M] arch/x86/kvm/emulate.o
AR arch/x86/kernel/cpu/mcheck/built-in.a
CC arch/x86/kernel/cpu/aperfmperf.o
CC arch/x86/mm/ioremap.o
CC arch/x86/kernel/cpu/cpuid-deps.o
CC arch/x86/kernel/fpu/init.o
CC kernel/power/console.o
CC arch/x86/kernel/cpu/proc.o
AS [M] arch/x86/crypto/camellia-aesni-avx-asm_64.o
MKCAP arch/x86/kernel/cpu/capflags.c
CC [M] arch/x86/crypto/camellia_aesni_avx_glue.o
CC mm/backing-dev.o
CC [M] arch/x86/kvm/i8259.o
CC [M] fs/ecryptfs/kthread.o
CC arch/x86/kernel/fpu/bugs.o
CC arch/x86/mm/extable.o
CC kernel/power/process.o
CC [M] fs/ecryptfs/debug.o
AS [M] arch/x86/crypto/cast5-avx-x86_64-asm_64.o
CC arch/x86/kernel/fpu/core.o
CC [M] arch/x86/crypto/cast5_avx_glue.o
CC arch/x86/kernel/cpu/powerflags.o
CC arch/x86/kernel/cpu/intel.o
CC mm/mm_init.o
CC [M] fs/ecryptfs/messaging.o
CC kernel/power/suspend.o
CC arch/x86/mm/pageattr.o
AS [M] arch/x86/crypto/cast6-avx-x86_64-asm_64.o
CC [M] arch/x86/crypto/cast6_avx_glue.o
CC arch/x86/kernel/cpu/intel_pconfig.o
CC arch/x86/kernel/fpu/regset.o
CC arch/x86/kernel/cpu/tsx.o
CC [M] fs/ecryptfs/miscdev.o
CC mm/mmu_context.o
CC [M] arch/x86/kvm/irq.o
AS [M] arch/x86/crypto/twofish-avx-x86_64-asm_64.o
CC arch/x86/kernel/cpu/amd.o
CC arch/x86/kernel/fpu/signal.o
CC [M] arch/x86/crypto/twofish_avx_glue.o
CC kernel/power/poweroff.o
AR kernel/power/built-in.a
CC kernel/printk/printk.o
LD [M] fs/ecryptfs/ecryptfs.o
CC arch/x86/kernel/fpu/xstate.o
CC [M] fs/efivarfs/inode.o
CC mm/percpu.o
AS [M] arch/x86/crypto/serpent-avx-x86_64-asm_64.o
CC [M] arch/x86/crypto/serpent_avx_glue.o
CC arch/x86/mm/mmap.o
CC [M] arch/x86/kvm/lapic.o
CC kernel/printk/printk_safe.o
CC [M] fs/efivarfs/file.o
CC kernel/printk/braille.o
CC arch/x86/mm/pat.o
CC arch/x86/mm/pgtable.o
AS [M] arch/x86/crypto/camellia-aesni-avx2-asm_64.o
CC [M] fs/efivarfs/super.o
AR arch/x86/kernel/fpu/built-in.a
AR arch/x86/kernel/kprobes/built-in.a
CC arch/x86/kernel/process_64.o
CC [M] arch/x86/crypto/camellia_aesni_avx2_glue.o
AR kernel/printk/built-in.a
CC arch/x86/mm/physaddr.o
CC kernel/rcu/update.o
CC mm/slab_common.o
LD [M] fs/efivarfs/efivarfs.o
AR fs/exofs/built-in.a
CC kernel/rcu/sync.o
CC fs/exportfs/expfs.o
AS [M] arch/x86/crypto/serpent-avx2-asm_64.o
CC kernel/rcu/srcutree.o
CC arch/x86/mm/setup_nx.o
CC arch/x86/kernel/signal.o
CC [M] arch/x86/kvm/i8254.o
AR fs/exportfs/built-in.a
CC kernel/rcu/tree.o
CC [M] fs/ext4/balloc.o
CC arch/x86/mm/tlb.o
CC mm/compaction.o
CC [M] fs/ext4/bitmap.o
CC arch/x86/kernel/traps.o
CC [M] arch/x86/kvm/ioapic.o
CC [M] fs/ext4/block_validity.o
CC arch/x86/mm/cpu_entry_area.o
CC [M] fs/ext4/dir.o
CC [M] arch/x86/crypto/serpent_avx2_glue.o
AS [M] arch/x86/crypto/morus1280-avx2-asm.o
CC [M] fs/ext4/ext4_jbd2.o
CC [M] arch/x86/kvm/irq_comm.o
CC arch/x86/kernel/idt.o
CC [M] arch/x86/crypto/morus1280-avx2-glue.o
CC arch/x86/mm/pat_rbtree.o
CC mm/vmacache.o
LD [M] arch/x86/crypto/aes-x86_64.o
LD [M] arch/x86/crypto/des3_ede-x86_64.o
LD [M] arch/x86/crypto/camellia-x86_64.o
LD [M] arch/x86/crypto/blowfish-x86_64.o
LD [M] arch/x86/crypto/twofish-x86_64.o
LD [M] arch/x86/crypto/twofish-x86_64-3way.o
LD [M] arch/x86/crypto/chacha20-x86_64.o
LD [M] arch/x86/crypto/serpent-sse2-x86_64.o
CC arch/x86/kernel/irq.o
LD [M] arch/x86/crypto/aesni-intel.o
CC kernel/rcu/rcu_segcblist.o
LD [M] arch/x86/crypto/ghash-clmulni-intel.o
CC [M] arch/x86/kvm/cpuid.o
LD [M] arch/x86/crypto/crc32c-intel.o
LD [M] arch/x86/crypto/sha1-ssse3.o
LD [M] arch/x86/crypto/crc32-pclmul.o
LD [M] arch/x86/crypto/sha256-ssse3.o
LD [M] arch/x86/crypto/sha512-ssse3.o
LD [M] arch/x86/crypto/crct10dif-pclmul.o
LD [M] arch/x86/crypto/poly1305-x86_64.o
LD [M] arch/x86/crypto/aegis128-aesni.o
CC [M] fs/ext4/extents.o
LD [M] arch/x86/crypto/aegis128l-aesni.o
LD [M] arch/x86/crypto/aegis256-aesni.o
LD [M] arch/x86/crypto/morus640-sse2.o
CC arch/x86/mm/hugetlbpage.o
LD [M] arch/x86/crypto/morus1280-sse2.o
LD [M] arch/x86/crypto/camellia-aesni-avx-x86_64.o
LD [M] arch/x86/crypto/cast5-avx-x86_64.o
CC mm/interval_tree.o
LD [M] arch/x86/crypto/cast6-avx-x86_64.o
LD [M] arch/x86/crypto/twofish-avx-x86_64.o
LD [M] arch/x86/crypto/serpent-avx-x86_64.o
LD [M] arch/x86/crypto/camellia-aesni-avx2.o
LD [M] arch/x86/crypto/serpent-avx2.o
AR kernel/rcu/built-in.a
LD [M] arch/x86/crypto/morus1280-avx2.o
CC kernel/sched/core.o
CC arch/x86/net/bpf_jit_comp.o
CC kernel/sched/loadavg.o
CC arch/x86/mm/dump_pagetables.o
CC mm/list_lru.o
CC arch/x86/kernel/irq_64.o
CC [M] arch/x86/kvm/pmu.o
CC arch/x86/kernel/dumpstack_64.o
AR arch/x86/net/built-in.a
AR arch/x86/platform/atom/built-in.a
AR arch/x86/platform/ce4100/built-in.a
CC arch/x86/platform/efi/quirks.o
CC arch/x86/mm/numa.o
CC arch/x86/platform/efi/efi.o
CC arch/x86/kernel/time.o
CC mm/workingset.o
CC arch/x86/kernel/ioport.o
CC [M] arch/x86/kvm/mtrr.o
CC mm/debug.o
CC [M] fs/ext4/extents_status.o
CC arch/x86/platform/efi/efi_64.o
AS arch/x86/platform/efi/efi_stub_64.o
CC arch/x86/platform/efi/early_printk.o
CC arch/x86/mm/numa_64.o
CC arch/x86/kernel/dumpstack.o
CC arch/x86/mm/amdtopology.o
AS arch/x86/platform/efi/efi_thunk_64.o
CC arch/x86/mm/srat.o
CC arch/x86/mm/numa_emulation.o
CC mm/gup.o
CC [M] fs/ext4/file.o
CC [M] arch/x86/kvm/hyperv.o
CC kernel/sched/clock.o
CC arch/x86/mm/mpx.o
CC arch/x86/mm/pkeys.o
AR arch/x86/platform/efi/built-in.a
AR arch/x86/platform/geode/built-in.a
CC arch/x86/mm/kaslr.o
AR arch/x86/platform/goldfish/built-in.a
CC arch/x86/platform/intel/iosf_mbi.o
CC [M] fs/ext4/fsmap.o
CC arch/x86/mm/pti.o
CC mm/highmem.o
CC mm/memory.o
CC mm/mincore.o
CC kernel/sched/cputime.o
AR arch/x86/platform/intel/built-in.a
AR arch/x86/platform/intel-mid/built-in.a
AR arch/x86/mm/built-in.a
AR arch/x86/platform/intel-quark/built-in.a
AS arch/x86/realmode/rm/header.o
CC [M] arch/x86/kvm/page_track.o
AR arch/x86/platform/iris/built-in.a
AS arch/x86/realmode/rm/trampoline_64.o
CC [M] fs/ext4/fsync.o
AR arch/x86/platform/olpc/built-in.a
AS arch/x86/realmode/rm/stack.o
AR arch/x86/platform/scx200/built-in.a
AS arch/x86/realmode/rm/reboot.o
CC arch/x86/platform/sfi/sfi.o
CC arch/x86/realmode/init.o
AS arch/x86/realmode/rm/wakeup_asm.o
CC arch/x86/realmode/rm/wakemain.o
CC arch/x86/realmode/rm/video-mode.o
AS arch/x86/realmode/rm/copy.o
AS arch/x86/realmode/rm/bioscall.o
CC arch/x86/realmode/rm/regs.o
AR arch/x86/platform/sfi/built-in.a
CC arch/x86/realmode/rm/video-vga.o
CC mm/mlock.o
CC mm/mmap.o
AR arch/x86/platform/ts5500/built-in.a
AR arch/x86/platform/uv/built-in.a
AR arch/x86/platform/built-in.a
CC arch/x86/realmode/rm/video-vesa.o
CC mm/mprotect.o
CC [M] fs/ext4/hash.o
CC [M] arch/x86/kvm/debugfs.o
CC arch/x86/kernel/cpu/centaur.o
CC kernel/sched/idle.o
CC arch/x86/realmode/rm/video-bios.o
CC [M] fs/ext4/ialloc.o
CC arch/x86/kernel/cpu/perfctr-watchdog.o
PASYMS arch/x86/realmode/rm/pasyms.h
LDS arch/x86/realmode/rm/realmode.lds
LD arch/x86/realmode/rm/realmode.elf
RELOCS arch/x86/realmode/rm/realmode.relocs
OBJCOPY arch/x86/realmode/rm/realmode.bin
CC [M] arch/x86/kvm/vmx.o
AS arch/x86/realmode/rmpiggy.o
CC mm/mremap.o
AR arch/x86/realmode/built-in.a
CC arch/x86/xen/enlighten.o
CC mm/msync.o
CC arch/x86/kernel/cpu/vmware.o
CC mm/page_vma_mapped.o
CC mm/pagewalk.o
CC arch/x86/kernel/cpu/hypervisor.o
CC [M] fs/ext4/indirect.o
CC mm/pgtable-generic.o
CC mm/rmap.o
CC kernel/sched/fair.o
CC arch/x86/xen/multicalls.o
CC arch/x86/kernel/cpu/mshyperv.o
CC mm/vmalloc.o
CC mm/process_vm_access.o
CC arch/x86/xen/mmu.o
CC mm/init-mm.o
CC [M] fs/ext4/inline.o
CC mm/nobootmem.o
CC mm/madvise.o
CC arch/x86/kernel/cpu/capflags.o
AR arch/x86/kernel/cpu/built-in.a
CC arch/x86/kernel/nmi.o
CC arch/x86/xen/irq.o
CC mm/memblock.o
CC mm/page_io.o
CC arch/x86/xen/time.o
CC mm/swap_state.o
CC [M] fs/ext4/inode.o
CC arch/x86/kernel/setup.o
CC mm/swapfile.o
AS arch/x86/xen/xen-asm.o
CC mm/swap_slots.o
CC mm/frontswap.o
AS arch/x86/xen/xen-asm_64.o
CC arch/x86/xen/grant-table.o
CC mm/zswap.o
CC mm/dmapool.o
CC arch/x86/xen/suspend.o
CC arch/x86/kernel/x86_init.o
CC mm/hugetlb.o
CC arch/x86/xen/platform-pci-unplug.o
CC mm/mempolicy.o
CC mm/sparse.o
CC kernel/sched/rt.o
CC arch/x86/kernel/i8259.o
CC arch/x86/xen/enlighten_hvm.o
CC mm/sparse-vmemmap.o
CC mm/mmu_notifier.o
CC [M] fs/ext4/ioctl.o
CC [M] arch/x86/kvm/pmu_intel.o
CC arch/x86/kernel/irqinit.o
CC mm/slub.o
CC kernel/sched/deadline.o
CC arch/x86/xen/mmu_hvm.o
CC mm/memory_hotplug.o
CC arch/x86/kernel/jump_label.o
CC [M] arch/x86/kvm/svm.o
CC [M] fs/ext4/mballoc.o
CC arch/x86/kernel/irq_work.o
CC arch/x86/xen/suspend_hvm.o
CC mm/memtest.o
CC mm/migrate.o
CC arch/x86/kernel/probe_roms.o
CC mm/huge_memory.o
CC arch/x86/xen/setup.o
CC mm/khugepaged.o
CC kernel/sched/wait.o
CC arch/x86/kernel/sys_x86_64.o
CC arch/x86/xen/apic.o
CC arch/x86/kernel/ksysfs.o
CC arch/x86/xen/pmu.o
CC kernel/sched/wait_bit.o
CC mm/page_counter.o
CC [M] fs/ext4/migrate.o
CC mm/memcontrol.o
CC arch/x86/kernel/bootflag.o
CC kernel/sched/swait.o
CC mm/vmpressure.o
CC arch/x86/xen/suspend_pv.o
CC arch/x86/kernel/e820.o
CC mm/swap_cgroup.o
CC [M] fs/ext4/mmp.o
CC mm/memory-failure.o
CC arch/x86/xen/p2m.o
CC mm/page_isolation.o
CC kernel/sched/completion.o
CC [M] fs/ext4/move_extent.o
CC kernel/sched/cpupri.o
CC arch/x86/kernel/pci-dma.o
CC mm/zpool.o
CC arch/x86/xen/enlighten_pv.o
CC [M] fs/ext4/namei.o
CC kernel/sched/cpudeadline.o
CC mm/zbud.o
CC mm/early_ioremap.o
CC arch/x86/kernel/quirks.o
CC kernel/sched/topology.o
CC kernel/sched/stop_task.o
CC mm/balloon_compaction.o
CC [M] fs/ext4/page-io.o
CC arch/x86/xen/mmu_pv.o
CC [M] arch/x86/kvm/pmu_amd.o
CC mm/page_ext.o
CC mm/frame_vector.o
CC kernel/sched/pelt.o
LD [M] arch/x86/kvm/kvm.o
CC arch/x86/kernel/topology.o
LD [M] arch/x86/kvm/kvm-intel.o
LD [M] arch/x86/kvm/kvm-amd.o
CC arch/x86/kernel/kdebugfs.o
CC mm/usercopy.o
CC [M] fs/ext4/readpage.o
CC mm/memfd.o
CC kernel/sched/autogroup.o
CC kernel/sched/stats.o
CC [M] fs/ext4/resize.o
CC arch/x86/kernel/alternative.o
CC [M] mm/zsmalloc.o
CC arch/x86/kernel/i8253.o
CC arch/x86/kernel/hw_breakpoint.o
CC arch/x86/xen/enlighten_pvh.o
CC [M] mm/z3fold.o
CC arch/x86/kernel/tsc.o
CC arch/x86/xen/smp.o
CC kernel/sched/debug.o
CC arch/x86/kernel/tsc_msr.o
CC arch/x86/kernel/io_delay.o
CC kernel/sched/cpuacct.o
CC arch/x86/xen/smp_pv.o
AR mm/built-in.a
CC arch/x86/kernel/rtc.o
CC arch/x86/kernel/pci-iommu_table.o
CC [M] fs/ext4/super.o
CC arch/x86/kernel/resource.o
AS arch/x86/kernel/irqflags.o
CC arch/x86/kernel/process.o
CC arch/x86/kernel/ptrace.o
CC arch/x86/kernel/step.o
CC arch/x86/xen/smp_hvm.o
CC kernel/sched/cpufreq.o
CC arch/x86/kernel/i8237.o
CC kernel/sched/cpufreq_schedutil.o
CC arch/x86/kernel/stacktrace.o
CC arch/x86/xen/spinlock.o
CC arch/x86/kernel/reboot.o
CC arch/x86/kernel/early-quirks.o
CC arch/x86/xen/vga.o
CC arch/x86/kernel/smp.o
CC arch/x86/kernel/smpboot.o
CC kernel/sched/membarrier.o
CC kernel/sched/isolation.o
CC arch/x86/xen/pci-swiotlb-xen.o
CC arch/x86/kernel/tsc_sync.o
CC arch/x86/kernel/setup_percpu.o
CC arch/x86/kernel/mpparse.o
CC arch/x86/kernel/trace_clock.o
CC arch/x86/kernel/module.o
CC arch/x86/xen/efi.o
CC [M] fs/ext4/symlink.o
CC arch/x86/kernel/doublefault.o
AS arch/x86/xen/xen-pvh.o
CC arch/x86/kernel/early_printk.o
CC arch/x86/kernel/hpet.o
CC arch/x86/kernel/amd_nb.o
AR kernel/sched/built-in.a
CC kernel/time/time.o
CC arch/x86/kernel/kvm.o
CC [M] fs/ext4/sysfs.o
CC [M] fs/ext4/xattr.o
CC arch/x86/kernel/kvmclock.o
CC [M] fs/ext4/xattr_trusted.o
CC arch/x86/kernel/paravirt.o
CC [M] fs/ext4/xattr_user.o
CC kernel/time/timer.o
AR arch/x86/xen/built-in.a
CC kernel/time/hrtimer.o
CC [M] fs/ext4/acl.o
CC arch/x86/kernel/paravirt_patch_64.o
CC arch/x86/kernel/paravirt-spinlocks.o
CC arch/x86/kernel/pvclock.o
CC [M] fs/ext4/xattr_security.o
CC arch/x86/kernel/pmem.o
CC arch/x86/kernel/pci-swiotlb.o
CC arch/x86/kernel/sysfb.o
CC arch/x86/kernel/sysfb_efi.o
CC arch/x86/kernel/perf_regs.o
CC arch/x86/kernel/itmt.o
CC arch/x86/kernel/umip.o
LD [M] fs/ext4/ext4.o
CC arch/x86/kernel/unwind_orc.o
CC arch/x86/kernel/audit_64.o
CC [M] fs/fat/cache.o
CC [M] fs/fat/dir.o
CC arch/x86/kernel/amd_gart_64.o
CC [M] fs/fat/fatent.o
CC arch/x86/kernel/aperture_64.o
CC arch/x86/kernel/pci-calgary_64.o
CC kernel/time/timekeeping.o
CC arch/x86/kernel/tce_64.o
CC [M] fs/fat/file.o
CC arch/x86/kernel/mmconf-fam10h_64.o
CC arch/x86/kernel/vsmp_64.o
AS arch/x86/kernel/head_64.o
CC arch/x86/kernel/head64.o
CC arch/x86/kernel/ebda.o
CC arch/x86/kernel/platform-quirks.o
CC [M] fs/fat/inode.o
LDS arch/x86/kernel/vmlinux.lds
CC [M] fs/fat/misc.o
AR arch/x86/kernel/built-in.a
CC [M] fs/fat/nfs.o
CC kernel/time/ntp.o
CC [M] fs/fat/namei_vfat.o
CC [M] fs/fat/namei_msdos.o
CC kernel/time/clocksource.o
CC kernel/time/jiffies.o
CC kernel/time/timer_list.o
CC kernel/time/timeconv.o
CC kernel/time/timecounter.o
LD [M] fs/fat/msdos.o
CC kernel/time/alarmtimer.o
CC kernel/time/posix-timers.o
CC kernel/time/posix-cpu-timers.o
LD [M] fs/fat/vfat.o
CC kernel/time/posix-clock.o
CC kernel/time/itimer.o
CC kernel/time/clockevents.o
CC kernel/time/tick-common.o
LD [M] fs/fat/fat.o
CC [M] fs/fscache/cache.o
CC [M] fs/fscache/cookie.o
CC kernel/time/tick-broadcast.o
CC kernel/time/tick-broadcast-hrtimer.o
CC kernel/time/tick-oneshot.o
CC kernel/time/tick-sched.o
CC [M] fs/fscache/fsdef.o
CC [M] fs/fscache/main.o
CC [M] fs/fscache/netfs.o
CC [M] fs/fscache/object.o
CC [M] fs/fscache/operation.o
CC [M] fs/fscache/page.o
CC [M] fs/fscache/proc.o
CC [M] fs/fscache/stats.o
CC [M] fs/fuse/dev.o
CC [M] fs/fuse/dir.o
AR kernel/time/built-in.a
CC kernel/fork.o
CC kernel/exec_domain.o
CC kernel/panic.o
CC kernel/cpu.o
CC kernel/exit.o
CC kernel/softirq.o
LD [M] fs/fscache/fscache.o
CC fs/hugetlbfs/inode.o
CC [M] fs/fuse/file.o
CC kernel/resource.o
CC kernel/sysctl.o
CC [M] fs/fuse/inode.o
AR fs/hugetlbfs/built-in.a
CC [M] fs/isofs/namei.o
CC [M] fs/isofs/inode.o
CC kernel/sysctl_binary.o
CC kernel/capability.o
CC [M] fs/isofs/dir.o
CC kernel/ptrace.o
CC [M] fs/isofs/util.o
CC [M] fs/isofs/rock.o
CC [M] fs/isofs/export.o
CC [M] fs/isofs/joliet.o
CC kernel/user.o
CC [M] fs/isofs/compress.o
CC kernel/signal.o
CC kernel/sys.o
CC [M] fs/fuse/control.o
CC kernel/umh.o
CC kernel/workqueue.o
CC kernel/pid.o
CC kernel/task_work.o
LD [M] fs/isofs/isofs.o
CC [M] fs/jbd2/transaction.o
CC [M] fs/fuse/xattr.o
CC [M] fs/jbd2/commit.o
CC kernel/extable.o
CC [M] fs/fuse/acl.o
CC kernel/params.o
CC kernel/kthread.o
CC [M] fs/fuse/cuse.o
CC [M] fs/jbd2/recovery.o
CC kernel/sys_ni.o
CC kernel/nsproxy.o
CC [M] fs/jbd2/checkpoint.o
CC kernel/notifier.o
CC kernel/ksysfs.o
LD [M] fs/fuse/fuse.o
CC fs/kernfs/mount.o
CC fs/kernfs/inode.o
CC kernel/cred.o
CC kernel/reboot.o
CC [M] fs/jbd2/revoke.o
CC kernel/async.o
CC kernel/range.o
CC fs/kernfs/dir.o
CC kernel/smpboot.o
CC kernel/ucount.o
AR arch/x86/built-in.a
CC kernel/kmod.o
CC [M] fs/jbd2/journal.o
CC kernel/groups.o
CC kernel/freezer.o
CC fs/kernfs/file.o
CC fs/nls/nls_base.o
CC fs/notify/dnotify/dnotify.o
CC [M] fs/nls/nls_cp437.o
CC kernel/stacktrace.o
CC kernel/futex.o
CC kernel/dma.o
AR fs/notify/dnotify/built-in.a
CC fs/notify/fanotify/fanotify.o
LD [M] fs/jbd2/jbd2.o
CC [M] fs/nls/nls_cp737.o
CC kernel/smp.o
CC kernel/module.o
CC kernel/module_signing.o
CC fs/kernfs/symlink.o
CC fs/notify/fanotify/fanotify_user.o
CC kernel/kallsyms.o
AR fs/kernfs/built-in.a
CC kernel/acct.o
CC [M] fs/nls/nls_cp775.o
AR fs/notify/fanotify/built-in.a
CC fs/notify/inotify/inotify_fsnotify.o
CC fs/notify/fsnotify.o
CC fs/notify/notification.o
CC fs/notify/inotify/inotify_user.o
CC fs/notify/group.o
CC kernel/utsname.o
CC [M] fs/nls/nls_cp850.o
CC fs/notify/mark.o
CC [M] fs/overlayfs/super.o
CC [M] fs/nls/nls_cp852.o
CC kernel/user_namespace.o
CC fs/notify/fdinfo.o
CC kernel/pid_namespace.o
AR fs/notify/inotify/built-in.a
CC kernel/stop_machine.o
CC kernel/audit.o
CC [M] fs/nls/nls_cp855.o
CC [M] fs/nls/nls_cp857.o
CC kernel/auditfilter.o
CC [M] fs/nls/nls_cp860.o
AR fs/notify/built-in.a
CC [M] fs/overlayfs/namei.o
CC [M] fs/nls/nls_cp861.o
CC [M] fs/nls/nls_cp862.o
CC [M] fs/nls/nls_cp863.o
CC kernel/auditsc.o
CC fs/proc/task_mmu.o
CC kernel/audit_watch.o
CC [M] fs/nls/nls_cp864.o
CC kernel/audit_fsnotify.o
CC [M] fs/nls/nls_cp865.o
CC [M] fs/overlayfs/util.o
CC [M] fs/nls/nls_cp866.o
CC [M] fs/nls/nls_cp869.o
CC kernel/audit_tree.o
CC kernel/hung_task.o
CC [M] fs/nls/nls_cp874.o
CC kernel/watchdog.o
CC fs/proc/inode.o
CC [M] fs/nls/nls_cp932.o
CC [M] fs/overlayfs/inode.o
CC [M] fs/nls/nls_euc-jp.o
CC kernel/watchdog_hld.o
CC [M] fs/nls/nls_cp936.o
CC [M] fs/nls/nls_cp949.o
CC fs/proc/root.o
CC kernel/seccomp.o
CC kernel/relay.o
CC [M] fs/nls/nls_cp950.o
CC kernel/utsname_sysctl.o
CC [M] fs/overlayfs/file.o
CC fs/pstore/inode.o
CC fs/pstore/platform.o
CC fs/proc/base.o
CC [M] fs/nls/nls_cp1250.o
CC kernel/delayacct.o
CC [M] fs/nls/nls_cp1251.o
CC [M] fs/pstore/ram.o
CC [M] fs/nls/nls_ascii.o
CC [M] fs/overlayfs/dir.o
CC [M] fs/nls/nls_iso8859-1.o
CC [M] fs/nls/nls_iso8859-2.o
CC kernel/taskstats.o
CC [M] fs/pstore/ram_core.o
CC kernel/tsacct.o
CC [M] fs/nls/nls_iso8859-3.o
CC kernel/elfcore.o
CC [M] fs/nls/nls_iso8859-4.o
AR fs/pstore/built-in.a
CC [M] fs/nls/nls_iso8859-5.o
CC [M] fs/nls/nls_iso8859-6.o
CC [M] fs/overlayfs/readdir.o
CC [M] fs/nls/nls_iso8859-7.o
CC kernel/irq_work.o
CC kernel/user-return-notifier.o
LD [M] fs/pstore/ramoops.o
CC fs/quota/dquot.o
CC [M] fs/nls/nls_cp1255.o
CC kernel/padata.o
CC [M] fs/nls/nls_iso8859-9.o
CC [M] fs/nls/nls_iso8859-13.o
CC fs/proc/generic.o
CC [M] fs/nls/nls_iso8859-14.o
CC [M] fs/nls/nls_iso8859-15.o
CC [M] fs/nls/nls_koi8-r.o
CC kernel/jump_label.o
CC kernel/iomem.o
CC [M] fs/nls/nls_koi8-u.o
CC kernel/memremap.o
CC [M] fs/overlayfs/copy_up.o
CC fs/quota/quota.o
CC kernel/rseq.o
CC [M] fs/nls/nls_koi8-ru.o
CC fs/proc/array.o
CC [M] fs/nls/nls_utf8.o
CC fs/quota/kqid.o
CC fs/proc/fd.o
CC [M] fs/overlayfs/export.o
CC [M] fs/nls/mac-celtic.o
CC [M] fs/nls/mac-centeuro.o
AR kernel/built-in.a
CC [M] fs/nls/mac-croatian.o
CC fs/quota/netlink.o
CC [M] fs/nls/mac-cyrillic.o
CC [M] fs/nls/mac-gaelic.o
CC fs/proc/proc_tty.o
CC [M] fs/nls/mac-greek.o
CC [M] fs/quota/quota_v1.o
LD [M] fs/overlayfs/overlay.o
CC fs/proc/cmdline.o
CC [M] fs/nls/mac-iceland.o
CC fs/ramfs/inode.o
CC [M] fs/nls/mac-inuit.o
CC [M] fs/nls/mac-romanian.o
CC [M] fs/nls/mac-roman.o
CC fs/proc/consoles.o
CC fs/proc/cpuinfo.o
CC [M] fs/nls/mac-turkish.o
CC [M] fs/quota/quota_v2.o
AR fs/nls/built-in.a
CC [M] fs/quota/quota_tree.o
CC fs/proc/devices.o
AR fs/quota/built-in.a
CC fs/proc/interrupts.o
CC fs/ramfs/file-mmu.o
CC fs/proc/loadavg.o
CC [M] fs/squashfs/block.o
CC fs/proc/meminfo.o
CC [M] fs/squashfs/cache.o
CC [M] fs/squashfs/dir.o
CC fs/proc/stat.o
CC fs/proc/uptime.o
AR fs/ramfs/built-in.a
CC fs/sysfs/file.o
CC fs/proc/util.o
CC fs/sysfs/dir.o
CC fs/proc/version.o
CC [M] fs/udf/balloc.o
CC [M] fs/squashfs/export.o
CC [M] fs/udf/dir.o
CC [M] fs/udf/file.o
CC fs/proc/softirqs.o
CC fs/proc/namespaces.o
CC fs/proc/self.o
CC [M] fs/udf/ialloc.o
CC [M] fs/squashfs/file.o
CC [M] fs/udf/inode.o
CC fs/sysfs/symlink.o
CC fs/proc/thread_self.o
CC [M] fs/udf/lowlevel.o
CC fs/proc/proc_sysctl.o
CC [M] fs/udf/namei.o
CC [M] fs/udf/partition.o
CC fs/proc/proc_net.o
CC [M] fs/squashfs/fragment.o
CC [M] fs/udf/super.o
CC fs/proc/kmsg.o
CC [M] fs/squashfs/id.o
CC fs/sysfs/mount.o
CC [M] fs/udf/truncate.o
CC [M] fs/udf/symlink.o
CC [M] fs/squashfs/inode.o
CC [M] fs/udf/directory.o
CC [M] fs/udf/misc.o
CC fs/sysfs/group.o
CC [M] fs/udf/udftime.o
CC [M] fs/udf/unicode.o
AR fs/proc/built-in.a
CC [M] fs/squashfs/namei.o
CC fs/open.o
CC [M] fs/squashfs/super.o
CC [M] fs/squashfs/symlink.o
CC [M] fs/squashfs/decompressor.o
CC [M] fs/squashfs/file_cache.o
CC [M] fs/squashfs/decompressor_single.o
AR fs/sysfs/built-in.a
CC [M] fs/squashfs/xattr.o
LD [M] fs/udf/udf.o
CC fs/read_write.o
CC fs/file_table.o
CC [M] fs/squashfs/xattr_id.o
CC [M] fs/squashfs/lz4_wrapper.o
CC [M] fs/squashfs/lzo_wrapper.o
CC [M] fs/squashfs/xz_wrapper.o
CC [M] fs/squashfs/zlib_wrapper.o
CC [M] fs/squashfs/zstd_wrapper.o
CC fs/super.o
CC fs/char_dev.o
CC fs/stat.o
CC fs/exec.o
CC fs/pipe.o
CC fs/namei.o
LD [M] fs/squashfs/squashfs.o
CC fs/fcntl.o
CC fs/ioctl.o
CC fs/readdir.o
CC fs/select.o
CC fs/dcache.o
CC fs/inode.o
CC fs/attr.o
CC fs/bad_inode.o
CC fs/file.o
CC fs/filesystems.o
CC fs/namespace.o
CC fs/seq_file.o
CC fs/xattr.o
CC fs/libfs.o
CC fs/fs-writeback.o
CC fs/pnode.o
CC fs/splice.o
CC fs/sync.o
CC fs/utimes.o
CC fs/d_path.o
CC fs/stack.o
CC fs/fs_struct.o
CC fs/statfs.o
CC fs/fs_pin.o
CC fs/nsfs.o
CC fs/buffer.o
CC fs/block_dev.o
CC fs/direct-io.o
CC fs/mpage.o
CC fs/proc_namespace.o
CC fs/eventpoll.o
CC fs/anon_inodes.o
CC fs/signalfd.o
CC fs/timerfd.o
CC fs/eventfd.o
CC fs/dax.o
CC fs/locks.o
CC fs/binfmt_script.o
CC fs/binfmt_elf.o
CC fs/posix_acl.o
CC fs/drop_caches.o
CC fs/fhandle.o
CC fs/iomap.o
CC [M] fs/mbcache.o
AR fs/built-in.a
make[2]: *** [debian/rules:4: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
make[1]: *** [scripts/package/Makefile:75: deb-pkg] Error 2
make: *** [Makefile:1368: deb-pkg] Error 2
make: Leaving directory ‘/var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122’

May you help me to locate the Makefile and debian/rules files?

Are the files in /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/ where group is root and access is read-only. So perhaps CHMOD it 777 locate the files?

Thanks,
sudobash

5

The Makefile and debian/rules are from the upstream linux tarball. Posting these files here won’t move us any closer to a solution.

Either you or @madaidan can fix this or it probably won’t be fixed for a long time.

If you want to fix this: then “unWhonix”. Or “unScript”. Study the download and compile script. The xtrace already gives a pretty good idea what the scripts are doing. Manually reproduce. From a conceptual viewpoint, these scripts are actually doing “not much”. Download kernel source, sha256 verify kernel source code, download hardened kernel patch.

kernel_sha256sums_file="https://kernel.org/pub/linux/kernel/v4.x/sha256sums.asc"
kernel_source_signature="https://kernel.org/pub/linux/kernel/v4.x/linux-${version}.tar.sign"
kernel_source_archive="https://kernel.org/pub/linux/kernel/v4.x/linux-${version}.tar.xz"
linux_hardened_patch_signature="https://github.com/anthraxx/linux-hardened/releases/download/${version}.a/linux-hardened-${version}.a.patch.sig"
linux_hardened_patch_archive="https://github.com/anthraxx/linux-hardened/releases/download/${version}.a/linux-hardened-${version}.a.patch"

Apply the patch, add the hardened kernel config (as invented by @madaidan), finally run make deb-pkg.

6

The actual error extracted from the output you posted is:

make[4]: *** No rule to make target ‘debian/certs/debian-uefi-certs.pem’, needed by ‘certs/x509_certificate_list’. Stop.

Try editing /var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122/.config and replace:

CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"

with:

CONFIG_SYSTEM_TRUSTED_KEYS=""
2 Likes
7

Thank you for the support as this worked.

My results below:

dpkg-deb: building package ‘linux-headers-4.19.122’ in ‘…/linux-headers-4.19.122_4.19.122-1_amd64.deb’.
dpkg-deb: building package ‘linux-libc-dev’ in ‘…/linux-libc-dev_4.19.122-1_amd64.deb’.
dpkg-deb: building package ‘linux-image-4.19.122’ in ‘…/linux-image-4.19.122_4.19.122-1_amd64.deb’.
dpkg-deb: building package ‘linux-image-4.19.122-dbg’ in ‘…/linux-image-4.19.122-dbg_4.19.122-1_amd64.deb’.
dpkg-genbuildinfo
dpkg-genchanges >…/linux-4.19.122_4.19.122-1_amd64.changes
dpkg-genchanges: info: including full source code in upload
dpkg-source -i.git --after-build .
dpkg-buildpackage: info: full upload (original source is included)
make: Leaving directory ‘/var/lib/hardened-kernel/hardened-host-kernel/linux-4.19.122’

  • ls /var/lib/hardened-kernel/hardened-host-kernel
    linux-4.19.122
    linux-4.19.122_4.19.122-1_amd64.buildinfo
    linux-4.19.122_4.19.122-1_amd64.changes
    linux-4.19.122_4.19.122-1.diff.gz
    linux-4.19.122_4.19.122-1.dsc
    linux-4.19.122_4.19.122.orig.tar.gz
    linux-headers-4.19.122_4.19.122-1_amd64.deb
    linux-image-4.19.122_4.19.122-1_amd64.deb
    linux-image-4.19.122-dbg_4.19.122-1_amd64.deb
    linux-libc-dev_4.19.122-1_amd64.deb

Have the debs above already been installed or should I install them? If I should install them, how do I do that?

I assume sudo apt install /var/lib/hardened-kernel/hardened-host-kernel/linux-image-4.19.122_4.19.122-1_amd64.deb

Is this the proper way for this task?

1 Like
8

Thanks. Should be fixed by default with this:

They’re not already installed. You must install them with:

sudo dpkg -i /var/lib/hardened-kernel/hardened-host-kernel/linux-libc-dev_4.19.122-1_amd64.deb
sudo dpkg -i /var/lib/hardened-kernel/hardened-host-kernel/linux-headers-4.19.122_4.19.122-1_amd64.deb
sudo dpkg -i /var/lib/hardened-kernel/hardened-host-kernel/linux-image-4.19.122_4.19.122-1_amd64.deb
1 Like
9

I installed all 3 packages per your order and rebooted. I attempted to install LKRG to secure the OS even more as follows:

sudo apt-get install lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
linux-headers-amd64 is already the newest version (4.19+105+deb10u8).
lkrg is already the newest version (0:0.8.1.0-1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up lkrg-dkms (0.8.1.0-1) …
Removing old lkrg-0.8.1 DKMS files…

Deleting module version: 0.8.1
completely from the DKMS tree.

Done.
Loading new lkrg-0.8.1 DKMS files…
Building for 4.19.122
Building initial module for 4.19.122
Error! Bad return status for module build on kernel: 4.19.122 (x86_64)
Consult /var/lib/dkms/lkrg/0.8.1/build/make.log for more information.
dpkg: error processing package lkrg-dkms (–configure):
installed lkrg-dkms package post-installation script subprocess returned error exit status 10
dpkg: dependency problems prevent configuration of lkrg:
lkrg depends on lkrg-dkms; however:
Package lkrg-dkms is not configured yet.

dpkg: error processing package lkrg (–configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
lkrg-dkms
lkrg
E: Sub-process /usr/bin/dpkg returned an error code (1)

Then I looked at the log to see the errors:

sudo geany /var/lib/dkms/lkrg/0.8.1/build/make.log

Results in:

DKMS make.log for lkrg-0.8.1 for kernel 4.19.122 (x86_64)
Mon 14 Dec 2020 02:56:16 AM UTC
make -C /lib/modules/4.19.122/build M=/var/lib/dkms/lkrg/0.8.1/build modules
make[1]: Entering directory ‘/usr/src/linux-headers-4.19.122’
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.o
CC [M] /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.o
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.c:19:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.c:18:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.c:22:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.c:18:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.c:22:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.c:44:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/hashing/p_lkrg_fast_hash.o] Error 1
make[2]: *** Waiting for unfinished jobs…
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/ksyms/p_resolve_ksym.o] Error 1
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.c:24:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/…/…/…/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
In file included from /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.c:29:
/var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/…/…/…/…/p_lkrg_main.h:239:3: error: #error “LKRG requires CONFIG_KPROBES”
#error “LKRG requires CONFIG_KPROBES”
^~~~~
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/CPU.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/kmod/p_kmod.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/comm_channel/p_comm_channel.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_switch_idt/p_switch_idt.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/database/arch/x86/p_x86_metadata.o] Error 1
make[2]: *** [scripts/Makefile.build:303: /var/lib/dkms/lkrg/0.8.1/build/src/modules/integrity_timer/p_integrity_timer.o] Error 1
make[1]: *** [Makefile:1525: module/var/lib/dkms/lkrg/0.8.1/build] Error 2
make[1]: Leaving directory ‘/usr/src/linux-headers-4.19.122’
make: *** [Makefile:98: all] Error 2

The main error seems to be: #error “LKRG requires CONFIG_KPROBES”

How may I fix this?

Would this Debian Kicksecure OS be proper with the hardened kernel without LKRG?

Update - Doing some research I found this pertaining to KPROBES - GitHub - lttng/lttng-modules: This repo is a mirror of the official lttng-modules git found at git://git.lttng.org/lttng-modules.git. The LTTng modules provide Linux kernel tracing capability to the LTTng 2.x tracer toolset. - Is this what needs to be done with the custom kernel package?

I noticed your config file displayed CONFIG_KPROBES is not set in which I changed it to CONFIG_KPROBES=y and I’m recompling the kernel. Was this the proper course of action?

Thanks,
Sudobash

Another Update - That semi worked I think with results below:

sudo apt-get install lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
linux-headers-amd64 is already the newest version (4.19+105+deb10u8).
lkrg is already the newest version (0:0.8.1.0-1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up lkrg-dkms (0.8.1.0-1) …
Removing old lkrg-0.8.1 DKMS files…

Deleting module version: 0.8.1
completely from the DKMS tree.

Done.
Loading new lkrg-0.8.1 DKMS files…
Building for 4.19.122
Building initial module for 4.19.122
Done.

p_lkrg.ko:
Running module version sanity check.

  • Original module
    • No original module exists within this kernel
  • Installation
    • Installing to /lib/modules/4.19.122/updates/dkms/

depmod…

DKMS: install completed.
Created symlink /etc/systemd/system/multi-user.target.wants/lkrg-dkms.service → /lib/systemd/system/lkrg-dkms.service.
Job for lkrg-dkms.service failed because the control process exited with error code.
See “systemctl status lkrg-dkms.service” and “journalctl -xe” for details.
Setting up lkrg (0.8.1.0-1) …

THEN

sudo apt-get reinstall lkrg linux-headers-amd64
Reading package lists… Done
Building dependency tree
Reading state information… Done
0 upgraded, 0 newly installed, 2 reinstalled, 0 to remove and 1 not upgraded.
Need to get 0 B/13.9 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database … 121387 files and directories currently installed.)
Preparing to unpack …/linux-headers-amd64_4.19+105+deb10u8_amd64.deb …
Unpacking linux-headers-amd64 (4.19+105+deb10u8) over (4.19+105+deb10u8) …
Preparing to unpack …/lkrg_0%3a0.8.1.0-1_amd64.deb …
Unpacking lkrg (0.8.1.0-1) over (0.8.1.0-1) …
Setting up linux-headers-amd64 (4.19+105+deb10u8) …
Setting up lkrg (0.8.1.0-1) …

Checking to see if LKRG is running:

sudo journalctl -b | grep lkrg
Dec 14 05:41:33 os lkrg-loader[706]: INFO: Running 'modprobe p_lkrg ’ …
Dec 14 05:41:33 os kernel: p_lkrg: loading out-of-tree module taints kernel.
Dec 14 05:41:33 os kernel: p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
Dec 14 05:41:33 os kernel: [p_lkrg] Loading LKRG…
Dec 14 05:41:33 os kernel: [p_lkrg] System does NOT support SMEP. LKRG can’t enforce SMEP validation :frowning:
Dec 14 05:41:33 os kernel: [p_lkrg] System does NOT support SMAP. LKRG can’t enforce SMAP validation :frowning:
Dec 14 05:41:34 os kernel: [p_lkrg] 6/23 UMH paths are allowed…
Dec 14 05:41:34 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-22]
Dec 14 05:41:34 os kernel: [p_lkrg] Trying to find ISRA / CONSTPROP name for <ovl_create_or_link>
Dec 14 05:41:34 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for ovl_create_or_link failed and ISRA / CONSTPROP version not found!
Dec 14 05:41:34 os kernel: [p_lkrg] Can’t hook ‘ovl_create_or_link’ function. This is expected if you are not using OverlayFS.
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:8 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:9 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:10 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:11 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:12 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:13 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:14 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:15 is offline !!!
Dec 14 05:41:34 os kernel: [p_lkrg] LKRG initialized successfully!
Dec 14 05:41:34 os lkrg-loader[706]: INFO: Done running modprobe, ok.

sudo sysctl -a | grep lkrg
lkrg.block_modules = 0
lkrg.heartbeat = 0
lkrg.hide = 0
lkrg.interval = 15
lkrg.kint_enforce = 2
lkrg.kint_validate = 3
lkrg.log_level = 3
lkrg.msr_validate = 0
lkrg.pcfi_enforce = 1
lkrg.pcfi_validate = 2
lkrg.pint_enforce = 1
lkrg.pint_validate = 2
lkrg.profile_enforce = 2
lkrg.profile_validate = 3
lkrg.smap_enforce = 0
lkrg.smap_validate = 0
lkrg.smep_enforce = 0
lkrg.smep_validate = 0
lkrg.trigger = 0
lkrg.umh_enforce = 1
lkrg.umh_validate = 1

1 Like
10

Exercise: make LKRG work with newer, non-hardened Linux version first.

11

Ran reinstall of LKRG with Kernel 4.19.0-13-amd64 installed (Newest Non-Hardened Kernel)

Preparing to unpack …/lkrg_0%3a0.8.1.0-1_amd64.deb …
Unpacking lkrg (0.8.1.0-1) over (0.8.1.0-1) …
Preparing to unpack …/lkrg-dkms_0%3a0.8.1.0-1_amd64.deb …

-------- Uninstall Beginning --------
Module: lkrg
Version: 0.8.1
Kernel: 4.19.0-13-amd64 (x86_64)

Status: Before uninstall, this module version was ACTIVE on this kernel.

p_lkrg.ko:

  • Uninstallation
    • Deleting from: /lib/modules/4.19.0-13-amd64/updates/dkms/
  • Original module
    • No original module was found for this module on this kernel.
    • Use the dkms install command to reinstall any previous module version.

depmod…

DKMS: uninstall completed.

-------- Uninstall Beginning --------
Module: lkrg
Version: 0.8.1
Kernel: 4.19.122 (x86_64)

Status: Before uninstall, this module version was ACTIVE on this kernel.

p_lkrg.ko:

  • Uninstallation
    • Deleting from: /lib/modules/4.19.122/updates/dkms/
  • Original module
    • No original module was found for this module on this kernel.
    • Use the dkms install command to reinstall any previous module version.

depmod…

DKMS: uninstall completed.

Deleting module version: 0.8.1
completely from the DKMS tree.

Done.
Unpacking lkrg-dkms (0.8.1.0-1) over (0.8.1.0-1) …
Setting up lkrg-dkms (0.8.1.0-1) …
Loading new lkrg-0.8.1 DKMS files…
Building for 4.19.0-13-amd64 4.19.122
Building initial module for 4.19.0-13-amd64
Done.

p_lkrg.ko:
Running module version sanity check.

  • Original module
    • No original module exists within this kernel
  • Installation
    • Installing to /lib/modules/4.19.0-13-amd64/updates/dkms/

depmod…

DKMS: install completed.
Building initial module for 4.19.122
Done.

p_lkrg.ko:
Running module version sanity check.

  • Original module
    • No original module exists within this kernel
  • Installation
    • Installing to /lib/modules/4.19.122/updates/dkms/

depmod…

DKMS: install completed.
Setting up lkrg (0.8.1.0-1) …

sudo sysctl -a | grep lkrg
[sudo] password for user:
lkrg.block_modules = 0
lkrg.heartbeat = 0
lkrg.hide = 0
lkrg.interval = 15
lkrg.kint_enforce = 2
lkrg.kint_validate = 3
lkrg.log_level = 3
lkrg.msr_validate = 0
lkrg.pcfi_enforce = 1
lkrg.pcfi_validate = 2
lkrg.pint_enforce = 1
lkrg.pint_validate = 2
lkrg.profile_enforce = 2
lkrg.profile_validate = 3
lkrg.smap_enforce = 0
lkrg.smap_validate = 0
lkrg.smep_enforce = 0
lkrg.smep_validate = 0
lkrg.trigger = 0
lkrg.umh_enforce = 1
lkrg.umh_validate = 1

sudo journalctl -b | grep lkrg
[sudo] password for user:
Dec 15 07:28:15 os lkrg-loader[764]: INFO: Running 'modprobe p_lkrg ’ …
Dec 15 07:28:15 os kernel: p_lkrg: loading out-of-tree module taints kernel.
Dec 15 07:28:15 os kernel: p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
Dec 15 07:28:15 os kernel: [p_lkrg] Loading LKRG…
Dec 15 07:28:15 os kernel: [p_lkrg] System does NOT support SMEP. LKRG can’t enforce SMEP validation :frowning:
Dec 15 07:28:15 os kernel: [p_lkrg] System does NOT support SMAP. LKRG can’t enforce SMAP validation :frowning:
Dec 15 07:28:16 os kernel: [p_lkrg] 6/23 UMH paths are allowed…
Dec 15 07:28:16 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-22]
Dec 15 07:28:16 os kernel: [p_lkrg] Trying to find ISRA / CONSTPROP name for <ovl_create_or_link>
Dec 15 07:28:16 os kernel: [p_lkrg] [kretprobe] register_kretprobe() for ovl_create_or_link failed and ISRA / CONSTPROP version not found!
Dec 15 07:28:16 os kernel: [p_lkrg] Can’t hook ‘ovl_create_or_link’ function. This is expected if you are not using OverlayFS.
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:8 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:9 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:10 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:11 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:12 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:13 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:14 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] !!! WARNING !!! CPU ID:15 is offline !!!
Dec 15 07:28:16 os kernel: [p_lkrg] LKRG initialized successfully!
Dec 15 07:28:16 os lkrg-loader[764]: INFO: Done running modprobe, ok.

I assume LKRG works both with the newest non-hardened kernel as well as the hardened-kernel generated from the script.

Is it safe to conclude that the hardened-kernel with LKRG is the most secure setup?

Perhaps add KVM now and see performance with the hardened-kernel and LKRG. I may test apparmor-everything stacked on top for even more security?

Thanks,
sudobash

12

It’s not a newer Linux kernel. Buster backports has 5.9.11-1.

There is an issue with LKRG and newer Linux kernels. Unrelated to Whonix. Same issue on Debian. Fixed in LKRG git master. But no new release yet. You could try that. Quote Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure

(I am waiting for new LKRG release until I upgrade the LKRG Debian package.)

Note that LKRG versioning is based on upstream’s git master branch intention to remain in the “prerelease” stage. Quote Adam Zabrocki lkrg-users - Re: LKRG Debian 10 buster / Debian packaging [archive] We’re trying to keep master branch stable and let’s say in “prerelease” stage :slight_smile:

I am not sure that’s related.

13

A post was split to a new topic: Hardened Kernel vs LKRG

14

Created dedicated forum thread for the issue of combining hardened-kernel with LKRG. Moved posts there.

1 Like
15

There are some boot errors after installing the hardened-kernel listed here:

Failed to set up async io, using sync io.
Volume group “os” not found
Cannot process volume group os
Failed to set up async io, using sync io.
Volume group “os” not found
Cannot process volume group os
/dev/sdd: open failed: No medium found
/dev/sde: open failed: No medium found
/dev/sdf: open failed: No medium found
/dev/sdg: open failed: No medium found
Failed to set up async io, using sync io.
/dev/sdd: open failed: No medium found
/dev/sde: open failed: No medium found
/dev/sdf: open failed: No medium found
/dev/sdg: open failed: No medium found
Failed to set up async io, using sync io.
/dev/mapper/os-root: clean, 279771/13590528 files, 6961832/54358016 blocks

Failed to set up async io, using sync io is the error whereas with the stock kernel, this error does not appear nor these errors:

sysctl: error: ‘kernel.core_pattern’ is an unknown key
sysctl: error: ‘kernel.unprivileged_bpf_disabled’ is an unknown key
sysctl: error: ‘kernel.kexec_load_disabled’ is an unknown key
sysctl: error: ‘vm.mmap_rnd_compat_bits’ is an unknown key
sysctl: error: ‘net.ipv6.conf.all.accept_redirects’ is an unknown key
sysctl: error: ‘net.ipv6.conf.default.accept_redirects’ is an unknown key
sysctl: error: ‘net.ipv6.conf.all.accept_redirects’ is an unknown key
sysctl: error: ‘net.ipv6.conf.default.accept_redirects’ is an unknown key
sysctl: error: ‘net.ipv6.conf.all.accept_source_route’ is an unknown key
sysctl: error: ‘net.ipv6.conf.default.accept_source_route’ is an unknown key
sysctl: error: ‘net.ipv6.conf.all.accept_ra’ is an unknown key
sysctl: error: ‘net.ipv6.conf.default.accept_ra’ is an unknown key

It’s safe to assume that the unknown keys are missing because the hardened-kernel has disabled these.

Thanks,
sudobash

16

Can you determine what is causing this? We disable kernel asynchronous I/O since it’s pretty terrible.

These can be safely ignored. We compile out some functionality entirely (such as kexec or core dumps) rather than switching sysctls for them.

17

I installed the hardened kernel into the workstation VM that has debian 11 bullseye and after the grub menu, it just stays black and I can’t access terminal. I made a script to install the kernel:

#!/bin/bash

Hardened Kernel install for VM with LKRG support

sudo bash /usr/share/hardened-kernel/build --vm
sudo dpkg -i /var/lib/hardened-kernel/hardened-vm-kernel/linux-libc-dev_4.19.122-1_amd64.deb
sudo dpkg -i /var/lib/hardened-kernel/hardened-vm-kernel/linux-headers-4.19.122_4.19.122-1_amd64.deb
sudo dpkg -i /var/lib/hardened-kernel/hardened-vm-kernel/linux-image-4.19.122_4.19.122-1_amd64.deb

Is there a KVM setting or an issue with debian 11 that doesn’t allow the OS to boot?