This is a quick 'howto' for recompiling a grsecurity-patched kernel for Ubuntu servers (at the time of this writing the latest Ubuntu LTS is 10.04.2). This guide, with some modifications, might work (or fail miserably) for the latest kernels. But since I am running servers (web, mail, dns) I do not need any fancy kernel support for the latest video/audio features. I won't discuss any grsecurity or kernel configuration options here. I assume you know what you're doing.
Ingredients:
Preparation:
We are going to use the Ubuntu overlay during compilation since I have found this way to work 100% with a grsecurity patched kernel even when we have the root partition inside a virtual group. When I was not using this method I had random kernel panic attacks and fits of rage.
Make sure you have the tools of the trade:
# apt-get install build-essential libncurses5-dev kernel-package
Now you need to get the overlay (for lucid in my case):
# apt-get install git-core
# git clone git://kernel.ubuntu.com/ubuntu/ubuntu-lucid.git
The last step will take a while... when everything has downloaded we need to prepare the overlay:
# cp -a /usr/share/kernel-package ubuntu-package
# cp ubuntu-lucid/debian/control-scripts/{postinst,postrm,preinst,prerm} \
ubuntu-package/pkg/image/
# cp ubuntu-lucid/debian/control-scripts/headers-postinst \
ubuntu-package/pkg/headers/
OK! we are halfway there... ooooh oh, livin' on a prayer!
Now we need to get the grsecurity patch and, of course, the kernel. Just wget the patch and the kernel.
Patch the kernel:
# patch -p0 < grsecurity####.patch
Time to configure the kernel: cd into the kernel source directory and copy your running kernel's configuration there.
# cp -vi /boot/config-$(uname -r) .config
Bring the config up-to-date with the kernel:
# yes "" | make oldconfig
Adapt the configuration to your system (the localmodconfig target is only available for kernels >= 2.6.32):
# make localmodconfig
localmodconfig will use lsmod (and other things) in order to customize the kernel configuration to mirror the running system. Unfortunately, it will not work 100%. If, for example, you need USB support but you do not have any USB device plugged in, localmodconfig might not select USB support for your kernel. So use it with care, and after it has finished run:
# make menuconfig
And check that everything is OK for your system.
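To see exactly what localmodconfig switched off before going through menuconfig, the following added example (not part of the original post) lists every option that was enabled in the old config but is disabled in the new one. The function name dropped_options and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# dropped_options OLD NEW
#   Prints each CONFIG_ symbol that was built in (=y) or modular (=m) in OLD
#   but is absent or "is not set" in NEW. A symbol that only moved between
#   =m and =y is still enabled and is not reported.
dropped_options() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "usage: dropped_options OLD NEW" >&2; return 2; }
    awk -F= '
        # Pass 1 (NEW): remember every symbol that is still enabled.
        FILENAME == ARGV[1] { if ($0 ~ /^CONFIG_[A-Za-z0-9_]+=[ym]$/) on[$1] = 1; next }
        # Pass 2 (OLD): report enabled symbols that NEW no longer enables.
        /^CONFIG_[A-Za-z0-9_]+=[ym]$/ && !($1 in on) { print $0 }
    ' "$2" "$1"
}

# Constructed sample configs (not real kernel configs) showing the USB case
# from the text: the old kernel had USB storage, the trimmed one lost it.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/old" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_USB=y
CONFIG_USB_STORAGE=m
CONFIG_E1000=m
# CONFIG_SOUND is not set
EOF
    cat > "$d/new" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_USB=y
# CONFIG_USB_STORAGE is not set
CONFIG_E1000=y
EOF
    dropped_options "$d/old" "$d/new"
    rm -rf "$d"
}

demo
```

On a real system, run it from the kernel source directory as dropped_options /boot/config-$(uname -r) .config and filter the (long) output for the subsystems you care about, for example with grep USB.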
Now we are ready to cook our kernel! I assume that your kernel source directory resides together with your overlay directory.
# make-kpkg clean
# sed -r -i -e 's/echo "\+"/#echo "\+"/' scripts/setlocalversion
# rm localversion-grsec
# make-kpkg --initrd --overlay-dir=../ubuntu-package \
kernel_image kernel_headers
You could add --append-to-version=-grsec to the last command in order to personalize the kernel version :) (or just do not remove localversion-grsec.)
When the compilation has finished you will find a couple of .deb packages where the kernel source directory resides.
# cd .. && ls -l *.deb
linux-headers-2.6.32-grsec_2.6.32-grsec-10.00.Custom_amd64.deb
linux-image-2.6.32-grsec_2.6.32-grsec-10.00.Custom_amd64.deb
Package names may vary of course.
Install the packages:
# dpkg -i *.deb
This will create an initrd image for us (thanks to our overlay trick.)
Now here is a trick I use before rebooting into a new kernel...
# vi /etc/default/grub
Comment out GRUB_HIDDEN_TIMEOUT and change GRUB_TIMEOUT to something like 15 or 20 seconds. This way the grub menu will always display for 15/20 seconds upon reboot... this is useful if the new kernel craps out. We can easily reboot into a working kernel without much trouble because we have plenty of time to choose one from the menu.
... reboot:
# shutdown -r now
Bon Appetit! Enjoy your grsecurity patched kernel (or maybe not :D)
---
Useful links:
grsecurity wiki
Ubuntu Kernel Compile (official)
Another Kernel Compile Guide