Ignoring the apt during apt issue [1], I would like to make progress making this accessible to users. Currently we have no script / automation / documentation / awareness.
How to solve the following…?
~/kernel/linux-source-4.19 $ make deb-pkg
LEX scripts/kconfig/zconf.lex.c
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf --syncconfig Kconfig
***
*** Configuration file ".config" not found!
***
*** Please run some configurator (e.g. "make oldconfig" or
*** "make menuconfig" or "make xconfig").
***
make[2]: *** [scripts/kconfig/Makefile:69: syncconfig] Error 1
make[1]: *** [Makefile:533: syncconfig] Error 2
Makefile:620: include/config/auto.conf.cmd: No such file or directory
make: *** [Makefile:632: include/config/auto.conf.cmd] Error 2
What’s the solution to make this non-interactive (no user terminal input required)?
make defconfig?
Needs kernel source or gcc from backports? kernel source might be quite doable. I don’t think that would cause any conflicts. Otherwise mixing with backports could lead to issues. Not a great default choice for a distribution default.
But even gcc from backports would not be a blocker. I could script the following:
set up a chroot (based on buster, buster-backports, or whatever) and build the kernel inside the chroot. Perhaps even using cowbuilder.
If we want to create something amazing here, we might have to bite the bullet using backports, chroot, whatnot. Needless to say, ideally we could use linux-hardened.
To solve [1] (apt during apt) we might introduce a wrapper or teach users to use a tool other than apt if they want a hardened kernel. (More and more wrappers. Stream isolation (uwt), rapt (restricted APT) and now kernel upgrade.)
To make some progress I’ve added the build script.
Could you try it please? It is still primitive. But it can be improved over time. Soon I can do the proper packaging. Install build to /usr/bin/hardened-kernel-build? Then this package could be added to repository and users could manually run /usr/bin/hardened-kernel-build. Next step would be /usr/bin/hardened-kernel-install-and-build? Not a good name. And after this got more usable, the last step would be sorting out [1].
Instead of using pushd and popd, you can use tar’s -C option, patch’s -d option and make’s -C option.
e.g.
tar -xaf "/usr/src/linux-source-${version}.tar.xz" -C "$working_folder"
xzcat "/usr/src/linux-patch-${version}-rt.patch.xz" | patch -p1 -d "$source_folder"
make deb-pkg -C "$source_folder"
make defconfig isn’t needed if the full config is already at .config.
You should use make deb-pkg -j $(nproc) so the compilation uses all available cores to speed up.
We might also want to use patch’s -s option to hide output unless it’s an error.
Users don’t need to manually run that. That can be done during package installation. Actually installing the kernel is the only problem.
To get rid of this problem entirely, we can replace make deb-pkg with just make and sort out the kernel images and bootloader configuration ourselves without needing to use the .debs.
There is one prompt which requires interactive entry.
+ make deb-pkg -j 8 -C /home/user/kernel/linux-source-4.19/
make: Entering directory '/home/user/kernel/linux-source-4.19'
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/conf.o
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf --syncconfig Kconfig
*
* Restart config...
*
*
* General setup
*
Compile also drivers which will not load (COMPILE_TEST) [N/y/?] n
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string (LOCALVERSION_AUTO) [N/y/?] n
Build ID Salt (BUILD_SALT) [4.19.0-67-amd64] 4.19.0-67-amd64
Kernel compression mode
1. Gzip (KERNEL_GZIP)
2. Bzip2 (KERNEL_BZIP2)
3. LZMA (KERNEL_LZMA)
> 4. XZ (KERNEL_XZ)
5. LZO (KERNEL_LZO)
6. LZ4 (KERNEL_LZ4)
choice[1-6?]: 4
Default hostname (DEFAULT_HOSTNAME) [(none)] (none)
Support for paging of anonymous memory (swap) (SWAP) [Y/n/?] y
System V IPC (SYSVIPC) [Y/n/?] y
POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y
Enable process_vm_readv/writev syscalls (CROSS_MEMORY_ATTACH) [Y/n/?] y
uselib syscall (USELIB) [N/y/?] n
Auditing support (AUDIT) [Y/?] y
Preemption Model
1. No Forced Preemption (Server) (PREEMPT_NONE)
> 2. Voluntary Kernel Preemption (Desktop) (PREEMPT_VOLUNTARY)
3. Preemptible Kernel (Low-Latency Desktop) (PREEMPT__LL) (NEW)
4. Preemptible Kernel (Basic RT) (PREEMPT_RTB) (NEW)
5. Fully Preemptible Kernel (RT) (PREEMPT_RT_FULL) (NEW)
choice[1-5?]:
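As an added example (not the thread's own build script), the tar -C / patch -d -s / make -C suggestions above and a fix for the "Restart config..." prompt combined into one non-interactive script. It assumes Debian's linux-source and linux-patch-*-rt packages are installed, that a full seed config is passed in (e.g. /boot/config-$(uname -r)), and it uses `make olddefconfig`, the kernel's own target that takes the default for every option new relative to the seed config instead of prompting.

```shell
#!/bin/sh
# Added example, not the thread's build script. Assumes Debian's
# linux-source-<version> and linux-patch-<version>-rt packages in /usr/src.
set -eu

# Unpack the source tarball into $2 and apply the optional RT patch ($3).
# Prints the path of the unpacked source tree.
prepare_source() {
    tarball="$1"; working_folder="$2"; rt_patch="${3:-}"
    mkdir -p "$working_folder"
    tar -xaf "$tarball" -C "$working_folder"
    name=$(basename "$tarball")
    source_folder="$working_folder/${name%.tar.*}"
    if [ -n "$rt_patch" ]; then
        # -s: quiet unless a hunk fails; -d: apply inside the tree, no cd.
        xzcat "$rt_patch" | patch -s -p1 -d "$source_folder"
    fi
    printf '%s\n' "$source_folder"
}

# Seed .config and let olddefconfig pick the default for every option that
# is new relative to the seed (PREEMPT_RTB, PREEMPT_RT_FULL, ...). This is
# what removes the interactive "Restart config..." prompt of a bare deb-pkg.
configure_kernel() {
    source_folder="$1"; seed_config="$2"
    cp "$seed_config" "$source_folder/.config"
    make -C "$source_folder" olddefconfig
}

# Build the .debs on all cores; no pushd/popd thanks to make -C.
build_debs() {
    make -C "$1" -j "$(nproc)" deb-pkg
}

# Usage: main 4.19 "$HOME/kernel" "/boot/config-$(uname -r)"
main() {
    version="$1"; working_folder="$2"; seed_config="$3"
    tree=$(prepare_source "/usr/src/linux-source-${version}.tar.xz" \
                          "$working_folder" \
                          "/usr/src/linux-patch-${version}-rt.patch.xz")
    configure_kernel "$tree" "$seed_config"
    build_debs "$tree"
}
```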
Indeed.
And we need to use some trigger too. If the kernel source file is upgraded (security update by Debian), the kernel (and all modules) need to be rebuilt too.
Maybe dpkg --force-all (or some more limited --force-something) parameter could do. Will try. Will also ask Debian mentors.
I hope not. A package is a good vehicle to get all the files in the right place and to cleanly remove these later on. It also integrates all with /etc/kernel/, dkms, initramfs, dracut, grub, dpkg triggers, things I am not even aware of, and future changes.
I don’t get any prompts. Are you sure the config is at .config in the kernel source directory?
We can just copy/paste all that into our package. So users will just need to install hardened-vm-kernel and it will handle everything rather than needing to use wrappers or other things.
I don’t know if that is possible without using a package. For example to trigger DKMS, a new kernel package needs to be installed. It may be possible to reinvent all of this (call DKMS ourselves) but the bigger the hack, the more likely it will have bugs.
| question | with a package | without a package |
|---|---|---|
| What kernel version is installed? | Check kernel package version. | ? |
| How to remove that kernel? | apt purge… | ? |
By not using a package many things get messy / lots of code duplication / bugs.
I can’t reproduce this. Exactly which of the config options does it prompt you about? Is it all of the ones you said or were some automatically selected?
I think we should sign all modules during build. After the build, we can sign lkrg, vbox guest additions etc. with scripts/sign-file, then we can destroy the private key with shred -zu in certs/ and enforce only signed module loading. This way, only signed modules can load, vbox won’t break and we don’t need to worry about a private key.
But even while the newer version of DKMS supports module signing, modules such as virtualbox do not make use of it. Automated module signing during kernel upgrade and module upgrade is still a non-trivial challenge.
When modules are upgraded, these need to be recompiled. This happens automatically by DKMS (but not yet with module signing). Therefore we cannot delete the signing key. But we could restrict signing key access with apparmor-profile-everything.
That is about /sys/kernel/debug folder? Perhaps better to restrict that through security-misc (permission hardening) and/or apparmor-profile-everything? Why? Maybe same as this very post: kernel recompilation for better hardening - #139 by Patrick
But Travis CI is Ubuntu based. Not sure it is worth the effort making the CI build compatible with Ubuntu. Did run into some issues due to version differences (Linux 4.15 vs 4.19) but now fixed. I don’t know if there is a Debian buster based CI. Inquired just now: