Skip to content

Commit

Permalink
Update README
Browse files Browse the repository at this point in the history
  • Loading branch information
legoktm committed Apr 17, 2024
1 parent 04a6a4b commit 0594be8
Showing 1 changed file with 32 additions and 28 deletions.
60 changes: 32 additions & 28 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,18 @@
# kernel-builder

A small suite of tools to build a Linux kernel, optionally patched with [grsecurity].
A suite of tools to build a Debian-packaged Linux kernel, optionally patched with [grsecurity]
for the [SecureDrop](https://securedrop.org/) project.

## Getting started
## Prerequistes

Make sure you have docker installed. Then just run `make`.
The script will look up the most recent stable Linux version from https://www.kernel.org
and build that. Artifacts will be available in `./build/` afterward.
* Docker
* GNU make

## Using

Select which config flavor you want to build and run `make <config>`. The script will
automatically fetch the most recent Linux version for that flavor, patch if necessary,
and leave built packages in `./build/`.

## Enabling grsecurity patches

Expand All @@ -17,22 +23,13 @@ Export your credentials:
export GRSECURITY_USERNAME=foo
export GRSECURITY_PASSWORD=bar
export GRSECURITY=1
make
make <config>
```

The resulting packages will used the patch set. If you're working on SecureDrop,
The resulting packages will use the grsecurity patch set. If you're working on SecureDrop,
request these credentials from a team member, and store them securely
in your password manager.

## Using a custom kernel config

Since the build uses docker, the host machine's kernel and config are visible
to the build environment, and will be included via `make olddefconfig` prior
to building. If you wish to provide a different kernel config, mount the file
at `/config` inside the container. It will be copied into place prior to building.
Note that `make olddefconfig` will be run regardless to ensure the latest
options have been applied.

## Building kernels in Qubes

Here's how to set up a build environment in [Qubes], suitable for use with [SecureDrop].
Expand Down Expand Up @@ -66,26 +63,33 @@ source ~/grsec-env # credentials for grsecurity access
make securedrop-workstation # to build Workstation kernels
# grab a coffee or tea, builds take ~1h with 4 cores.
sha256sum build/*
# then copy the terminal history from your emulator and store build log,
# e.g. via Edit->Select All in gnome-terminal
```

The build output will automatically be captured in a log file.

## Release

Development/staging packages are placed on apt-test.freedom.press for installation in Debian-based TemplateVMs, and production packages are placed on apt.freedom.press.
Packages are first placed on apt-test.freedom.press for [QA testing and validation](https://developers.securedrop.org/en/latest/kernel.html), and then promoted to apt.freedom.press.

⚠️ Before you add a package to one of our apt repos, you *must* upload the kernel source tarball to our S3 bucket following the instructions below.
⚠️ Before you add a package to one of our apt repos, you *must* upload the kernel source tarball internally following the instructions below.

1. Add a detached signature to the kernel source tarball using a staff (`*@freedom.press`) GPG key.
2. If you do not have an AWS account and you are a maintainer, ask someone from the infrastructure team to set one up for you. They will provide you with instructions on where and how your credentials should be stored in Qubes.
3. Now hop over to our private wiki page on how to use a script to upload the kernel source tarball to our S3 bucket and verify that your upload was successful. There, you'll also learn how to later respond to a source request email sent to `source-offer@freedom.press`.
4. Now you can submit a `securedrop-workstation-grsec` changelog PR in `securedrop-debian-packaging` and a .deb LFS PR to https://github.com/freedomofpress/securedrop-dev-packages-lfs, which another maintainer reviews and merges, thereby deploying the new packages to https://apt-test.freedom.press.
5. After QA, the same kernel packages on `apt-test` can be promoted to prod by submitting a .deb LFS PR to https://github.com/freedomofpress/securedrop-debian-packages-lfs.
2. Now hop over to our private wiki page on how to use a script to upload the kernel source tarball internally and verify that your upload was successful.
3. You can now propose your packages for inclusion in the `apt-test` repository.
4. After QA, the same kernel packages on `apt-test` can be promoted to prod.

## Architecture

This builds on the `make deb-pkg` command in Linux. The upstream command dynamically
generates a `debian/` directory and then executes it. Instead, we prepare and commit
the `debian/` directory so we can customize the packages and add in our metadata.
Our `debian/rules` is roughly the same as what would be generated, except it has some compat
to handle different versions. Future updates of major kernel versions may require adjusting
`debian/rules` if upstream has also made changes.

## Reproducible builds
In the spirit of [reproducible builds], this repo attempts to make fully reproducible
kernel images. There are some catches, however: a custom kernel patch is included
to munge the changelog timestamp, and certain kernel config options (notably
kernel images. There are some catches, however: certain kernel config options (notably
`CONFIG_GCC_PLUGIN_RANDSTRUCT` or `CONFIG_GRKERNSEC_RANDSTRUCT`) will prevent reproducibility.
For more info, see the [kernel docs on reproducibility].

Expand All @@ -107,10 +111,10 @@ SecureDrop kernels because of the above-mentioned randomization of struct fields

These configurations were developed by [Freedom of the Press Foundation] for
use in all [SecureDrop] instances. Experienced sysadmins can leverage these
roles to compile custom kernels for SecureDrop or non-SecureDrop projects.
scripts to compile custom kernels for SecureDrop or non-SecureDrop projects.

The logic here is intended to supersede the legacy build logic at
https://github.com/freedomofpress/ansible-role-grsecurity-build/.
https://github.com/freedomofpres s/ansible-role-grsecurity-build/.

[Freedom of the Press Foundation]: https://freedom.press
[SecureDrop]: https://securedrop.org
Expand Down

0 comments on commit 0594be8

Please sign in to comment.