$ wget http://grsecurity.net/test/grsecurity-2.9.1-3.5.2-201208151951.patch
$ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.2.tar.gz
$ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.2.tar.gz.sign
$ gpg --verify linux-3.5.2.tar.gz.sign linux-3.5.2.tar.gz
$ tar -xf linux-3.5.2.tar.gz
$ cd linux-3.5.2
$ patch -p1 ../grsecurity-2.9.1-3.5.2-201208151951.patch
$ sudo cp /boot/config-`uname -r`.config
$ make menuconfig
Make any changes to your kernel configuration and then save them. I have disabled loadable module support (not something I require on a server + the security considerations) and a couple of other features (NFS), even so the kernels Linode offer are pretty lean.
Under grsecurity I have enabled mostly all of the settings without any issues, read about those config options here. Depends on what your requirements are as to how suitable some of these options are.
How I had been compiling:
$ make-kpkg --rootcmd fakeroot kernel_image kernel_headers --initrd --revision=grsec.352
$ cd ..
$ sudo dpkg -i linux-headers-3.5.2-grsec_352_i386.deb linux-image-3.5.2-grsec_352_i386.deb
$ update-initramfs -c -k 3.5.2
Linode build notes:
$ make -j3 bzImage
$
$ make
$ make install
$
Check /boot/grub/menu.lst and add the new kernel if it's not there (it should be).
timeout 2
title kernel 3.5.2
root (hd0)
kernel /boot/vmlinuz-3.5.2-grsec root=/dev/xvda ro
initrd /boot/initrd.img-3.5.2-grsec
Restart the server and all going well it should boot up using the new kernel.
$ uname -a
Linux hostname 3.5.2-grsec #1 SMP Sun Aug 19 01:36:55 PDT 2012 i686 GNU/Linux
Updated: other brief relevant notes:
root (hd0)
kernel /boot/vmlinuz-3.5.2-grsec root=/dev/xvda ro
initrd /boot/initrd.img-3.5.2-grsec
Restart the server and all going well it should boot up using the new kernel.
$ uname -a
Linux hostname 3.5.2-grsec #1 SMP Sun Aug 19 01:36:55 PDT 2012 i686 GNU/Linux
Updated: other brief relevant notes:
- Add barrier=0 to your fstab file.
- To stop all the page allocation errors I was getting In sysctl.conf I had to add vm.min_free_kbytes = 5120
- If you get this error when booting:
close blk: backend at /local/domain/0/backend/vbd/6401/51712
Then disable "Sanitize kernel stack" in Grsecurity.
Problems with removing the kernel
If you have /var mounted with noexec then when you apt-get remove your-compiled-kern you will get an error message because the post-remove scripts will be unable execute.
If things get really broken you can remove your kernel this ugly way:
- manually delete the scripts which are stored in /var/lib/dpkg/info/
- remove the files for that particular kernel in /boot/ (remember to edit /boot/grub/menu.lst to reflect your changes)
- run: dpkg --purge linux-image-x
