Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection

Different command. p_lkrg. (I didn’t invent the p_. Upstream did.) But probably just a mistake. Not the reason.

So you had kernels 4.19.0 and 4.19.122 installed. The latter, the newer kernel version 4.19.122 was loaded. Kernel module was build for 4.19.122 only. Right?

I wonder how/if this can be fixed. See the DKMS file,debian/lkrg-dkms.dkms.

Then feel free to compare with this with other DKMS files.


sudo dkms status

Also interesting:


sudo sh -x /var/lib/dpkg/info/lkrg-dkms.postinst configure

Reveals what is required to debug further:

sudo sh -x /usr/lib/dkms/common.postinst lkrg 0.8.1 /usr/share/lkrg-dkms

The latter shows how list of kernels is generated. (Runs as root.)

KERNELS=$(ls /lib/modules/ 2>/dev/null || true)

Try this command.

sudo ls /lib/modules/

Perhaps apparmor-profile-everything or other issue which messes up setting of KERNELS? xtrace of /usr/lib/dkms/common.postinst might reveal that.

For me it builds modules for all installed kernel versions. I guess that is the default.

Dunno if DKMS in Debian only works for APT installed kernels but we’re already talking only about APT installed kernels here.


## Automatic installation and upgrade for all installed kernels (if set to a
## non-null value)
# autoinstall_all_kernels=""

Quote Bug #1844805 “virtualbox, virtualbox-dkms, virtualbox-qt fail du...” : Bugs : ubuntu-release-upgrader package : Ubuntu

I see there’s one caveat, the autoinstall_all_kernels variable in /etc/dkms/framework.conf can be set to build for all installed kernels, not just the current and newest. But the default is to build only for current and newest.

1 Like

They’re interchangeable and neither work on the second kernel while both work on the first.


I compiled hardened-kernel manually and installed it via dpkg -i. I don’t think that would be classified as an “APT installed kernel”. hardened-kernel is the 4.19.122 one.



fixed it.

1 Like
1 Like

v0.9.0 was released.

But not signed as previous releases. Perhaps because release this time was made by Solar Designer, not Adam.

Waiting for reply before pushing upgrade.

v.0.9.1 was released.

Debian packaging that was merged upstream unfortunately “broke” [1] virtualization host software support.

[1] Not a real regression since upstream never merged Debian packaging beforehand.

LKRG 0.9.1 is now available in Whonix testers repository.

Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure ™ was also updated.

LKRG 0.9.2 was uploaded to the testers repository just now.

Now in all repositories.

LKRG 0.9.3 now in testers repository.

Linux 6.1 removes get_random_int, see github/lkrg issue 233
This was fixed for 0.9.6 with patch github/lkrg commit 2241a322316be645eb51b12bc530554bd96a77b6

LKRG 0.9.6 now in testers repository.

After some research it appears that while yes LKRG does provide good integrity, it it’s self does increase attack surface and some people raised some concerns over it.

news, see this link for more information:
LKRG Deprecation in Kicksecure

1 Like