The wiki instructions will need to preempt questions that grsec newbies (like me) will bring up in the future, so the same Qs aren't answered over and over:
A new grsecurity patch has been released. How do I build with the new patch in my coldkernel TemplateVM?
This is not clear to me and Coldhak just says: run "make" (presumably make qubes-guest) with the new patch. That's not gonna cut it for usability of the masses.
I want to run my grsec AppVMs as usbVM, netVM, firewallVM and/or the proxyVM, but they won't connect or allow USB connections. What do I do?
It seems that config changes must be made to the coldkernel, so that more drivers are added to the kernel's .config file BEFORE the step of running "make qubes-guest" (untested):
CONFIG_XEN_BLKDEV_BACKEND=m
CONFIG_XEN_NETDEV_BACKEND=m
I'd be interested if anybody else has tried and been successful with this for networking and USB. If so, it should be recommended for experimenters.
I want to install the new grsec kernel version X.X.XX in my cold-kernel template, how do I do this?
There needs to be some general advice around how often the kernel should be updated. Qubes doesn't update their base kernel for months at a time, but new grsec kernels seem to come out about every two weeks. It would be exhausting to build every time there is a new release.
Further, users will need to know which exact steps they are following to do this:
- clone steps again?
- just cd coldkernel, git-verify and git-checkout commands followed by running make-qubes-guest and installation steps?
- deleting old configs, files and kernels first?
etc.
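
The .config change mentioned in the post above, as an added example that is not part of the original post or coldkernel's own code: a check-and-set for the two Xen backend symbols, to run before the build. The function names are hypothetical and the .config path is passed as an argument, since the page does not say where coldkernel keeps it; whether these two symbols are sufficient is untested, as the post says.

```shell
#!/bin/sh
# Added example (not coldkernel code). Function names are hypothetical.
# Symbols named in the post for running a grsec VM as netVM / usbVM.
BACKENDS="CONFIG_XEN_BLKDEV_BACKEND CONFIG_XEN_NETDEV_BACKEND"

# is_enabled FILE SYMBOL: true if SYMBOL is built in (=y) or modular (=m).
is_enabled() {
    grep -q "^$2=[ym]\$" "$1"
}

# ensure_module FILE SYMBOL: enable SYMBOL as a module unless already =y/=m.
# Removes a "# SYMBOL is not set" marker or stale value first, so the
# symbol never appears twice in the file.
ensure_module() {
    is_enabled "$1" "$2" && return 0
    tmp=$(mktemp) || return 1
    sed -e "/^$2=/d" -e "/^# $2 is not set\$/d" "$1" > "$tmp" &&
        printf '%s=m\n' "$2" >> "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# missing_backends FILE: print each backend symbol that is still disabled.
missing_backends() {
    for sym in $BACKENDS; do
        is_enabled "$1" "$sym" || echo "$sym"
    done
}

# enable_backends FILE: apply ensure_module to every backend symbol.
enable_backends() {
    for sym in $BACKENDS; do
        ensure_module "$1" "$sym" || return 1
    done
}

# Demo on a constructed .config fragment (not a real coldkernel config).
demo_cfg=$(mktemp)
printf '%s\n' 'CONFIG_XEN=y' '# CONFIG_XEN_BLKDEV_BACKEND is not set' \
    'CONFIG_XEN_NETDEV_FRONTEND=y' > "$demo_cfg"
echo "before: $(missing_backends "$demo_cfg" | tr '\n' ' ')"
enable_backends "$demo_cfg"
echo "after:  $(missing_backends "$demo_cfg" | tr '\n' ' ')"
rm -f "$demo_cfg"
```

Running `missing_backends` against the .config of an installed kernel shows whether the backend drivers were actually built, which is worth checking before assigning the VM a network or USB role.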