kernel recompilation for better hardening

A signed kernel is also useful for verified boot (discussion), namely secure boot. But perhaps verified boot won’t rely on kernel signatures but rather on checksums.

On the other hand, with apparmor-profile-everything, manual modprobe by the root user could be forbidden anyhow.

Which goes back to the discussion of disabling module load vs non-module load support.

At the moment not a blocker since:

Both non-trivial. Not sure if realistic at all?

Alright, let’s assume compile on the user’s system. I like that. However, I don’t have a solution yet.

I started working on a script. Initially just to ease my workflow but such things often become the basis for deployed scripts.

```bash
#!/bin/bash

## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -x
set -e

## TODO: This probably has to be converted to debian/control 'Build-Depends:'.
sudo apt-get --no-install-recommends --yes install linux-source build-essential libssl-dev libncurses-dev fakeroot libelf-dev

## TODO: Probably better using mktemp?
folder=~/kernel

mkdir -p "$folder"

## Unpack the Debian-packaged kernel source tree into $folder.
pushd "$folder"
tar -xaf /usr/src/linux-source-4.19.tar.xz
popd

## Apply the -rt (PREEMPT_RT) patch shipped by the linux-patch package.
pushd "$folder"/linux-source-4.19/
xzcat /usr/src/linux-patch-4.19-rt.patch.xz | patch -p1
popd

## TODO: path to .config
cp ./.config "$folder"/linux-source-4.19/

#pushd "$folder"/linux-source-4.19/

## No more need....
#make menuconfig

#make deb-pkg
```

It would not be difficult for me to finish that script. Package it. Even run make deb-pkg on the kernel during the postinst phase of the installation script.

However, there is one blocker. The script would be run by apt/dpkg. The package creation would be happening during the installation of a package while apt/dpkg is running. The result of that script would be Debian packages. The problem is, it is not possible to (sanely) install a deb package while dpkg is already running. And it is already running.

A few years ago I invented GitHub - adrelanos/apt-during-apt: https://www.whonix.org/Impressum but it’s a giant hack. I don’t like it at all.

Somehow we’d need to install the packages after apt finished installing/upgrading hardened-vm-kernel.

How do we do that? Replace /usr/bin/apt and /usr/bin/apt-get with a wrapper? Not easy/clean since APT is already wrapped by uwt. And there are no stackable wrappers yet:
https://phabricator.whonix.org/T634

Utilize /usr/local/bin/? Ship /usr/local/bin/apt and /usr/local/bin/apt-get? Not clean. Also firejail is already using /usr/local/bin/ so that could set up for later conflicts.

Don’t wrap APT and tell users to use wapt /usr/bin/wapt (wrapped apt) instead? WAPT apt could be a wrapper to run APT normally but before and after APT any number of hooks could be run. One such hook could be “if hardened-vm-kernel created new packages, install these at the end”. Cleaner but also not great as we’d have to teach users to use WAPT rather than APT and constantly explain this.
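A sketch of that post-APT hook idea, added here as an example (it is not code from the post or from Whonix): the postinst drops its freshly built .deb files into a spool directory instead of calling dpkg, and the wrapper installs them once APT has finished. The spool path and the WAPT_* variable names are assumptions made for this example.

```sh
#!/bin/sh
## Constructed sketch of a "wapt" wrapper: run APT normally, then run a post-hook
## that installs any .deb files a postinst (e.g. the hardened-vm-kernel build)
## could not install itself because dpkg was already running at that point.
## Spool path, variable names and hook layout are assumptions for this example.
set -e

## Postinst scripts that build packages copy them here instead of calling dpkg.
: "${WAPT_SPOOL:=/var/lib/wapt/pending}"
## Real APT to wrap, and the command used to install spooled packages.
: "${WAPT_APT:=/usr/bin/apt-get}"
: "${WAPT_INSTALL:=/usr/bin/apt-get install --yes}"

## Post-APT hook. $1 = spool directory; remaining args = installer command.
## Installs every pending .deb in one go (so e.g. linux-image and linux-headers
## resolve together), then moves them aside so a later run does not reinstall
## them. Does nothing, and calls nothing, when the spool holds no packages.
wapt_install_pending() {
    spool="$1"; shift
    pending=0
    for deb in "$spool"/*.deb; do
        if [ -f "$deb" ]; then pending=1; break; fi
    done
    [ "$pending" -eq 1 ] || return 0
    "$@" "$spool"/*.deb
    mkdir -p "$spool/installed"
    mv "$spool"/*.deb "$spool/installed/"
}

## The wrapper itself: APT's exit status is preserved, and the hook only runs
## after a successful APT run, so a failed upgrade never pulls in half-built packages.
wapt() {
    rc=0
    "$WAPT_APT" "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
        ## $WAPT_INSTALL is split on purpose: it is a command plus its flags.
        wapt_install_pending "$WAPT_SPOOL" $WAPT_INSTALL
    fi
    return "$rc"
}

## Only dispatch when installed under the name "wapt"; sourcing the file
## merely defines the functions.
case "${0##*/}" in
    wapt) wapt "$@" ;;
esac
```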

Are you sure? make menuconfig creates other files too. To see for yourself: put the linux source folder under git version control before running make menuconfig. Delete .gitignore. Run make menuconfig. It creates other files inside the source folder too.
