I have studied the issues related to the latest very questionable changes in FOSS Linux very dedicatedly in recent weeks, and am linking the latest article of mine here because the systemd and other poetteringware changes by design can/could only have adverse if not threatening influence on grsecurity, which is the way to go for anyone aware of privacy issues in our big-brotherly time.
Therefore this Tips page on installing grsecurity-hardened kernel in Debian could be starting to be put in question as well.
These new links I tried and they worked fine just hours ago, and they have been consistent as I posted them and edited them in these couple of days ever since my initial posting of them:
Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044
(in the #7624044, the second of the above, is the main read)
That read is somewhat long; however, you should find it revealing, and the facts and deductions there striking hard where due.
Why do I go about consistency of the article that should open to you buried in the 13th page of a huge discussion on Gentoo Forums?
I'll try and explain that in today's post of this very topic you are reading:
http://forums.debian.net/viewtopic.php? ... 40#p554940
Only vis major (Latin) can prevent me from explaining, such as "problems" with my internet connection:
EDIT END 2014-09-30
--
EDIT START Tue Apr 15 18:58:29 BST 2014
This is currently the latest edit, meaning the latest few lines, these on the very top currently, of all of the entire topic on Tue Apr 15.
I am running out of space on the server hosting CroatiaFidelis.hr
where for that reason I'll delete old Debian Grsec-patched kernel packages.
That means deleting those packages that anyway wouldn't be the best option for installing, since better newer packages have replaced them.
This note in the adequate way will apply in all later cases. Users lose nothing really.
Thanks.
EDIT END
WARNING: Advanced users, pls allow for some verbosity in pastes. I know I needed a little spoonfeeding back when I was a GNU/Linux newbie. Pls. suffer newbies to more easily reach the information that I am offering here.
EDIT START
Thu Oct 31 17:27:01 UTC 2013
This article is another attempt of mine to point other users, esp. newbies, in the right direction. Out of plain gratitude towards Spender and Pax Team, without whose two packs of programs my Debian machines would have been hacked with irreparable damage (data stolen and such). The last defence by Grsecurity/Pax against bruteforce attack on my machine can be read about here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3841
EDIT END
Lots of the following is simply pastes. Actual today's command line input and output of mine.
For amd64 arch it may really be possible that you reuse my lines often with little or no modifications, today and a few more days ahead, but of course, versions will soon be replaced.
Newbies, pls. distinguish commands from the output. Simple: all the commands are on the one line after the prompt (unless, but I don't think we have any here, the end of line is a '\'). All is left here so you can compare what you are trying to do with this successful (or not, but it's indicated when it wasn't) download/patch/installation etc. commands.
Still: pls. first read all you can find of explanation/documentation starting from:
http://www.grsecurity.net
and then come back and follow this guide (but make sure you replace the versions for the current ones, if you are reading this days/months ahead from now).
You have been warned!
me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
--2013-10-29 13:06:08-- https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3738234 (3.6M) [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch’
100%[=======================================================>] 3,738,234 626KB/s in 6.3s
2013-10-29 13:06:16 (580 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch’ saved [3738234/3738234]
me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
--2013-10-29 13:08:09-- https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’
100%[=======================================================>] 72 --.-K/s in 0s
2013-10-29 13:08:19 (823 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’ saved [72/72]
me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
--2013-10-29 13:06:53-- https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75095360 (72M) [application/x-xz]
Saving to: ‘linux-3.11.6.tar.xz’
100%[=======================================================>] 75,095,360 608KB/s in 2m 0s
2013-10-29 13:08:56 (612 KB/s) - ‘linux-3.11.6.tar.xz’ saved [75095360/75095360]
me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
--2013-10-29 13:07:18-- https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 836 [application/pgp-signature]
Saving to: ‘linux-3.11.6.tar.sign’
100%[=======================================================>] 836 --.-K/s in 0s
2013-10-29 13:07:30 (13.9 MB/s) - ‘linux-3.11.6.tar.sign’ saved [836/836]
me@mybox:/some-dir/download-dir$ ls -l *3.11.6*
-rw-r--r-- 1 mr mr 3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
-rw-r--r-- 1 mr mr 72 Oct 27 19:54 grsecurity-2.9.1-3.11.6-201310271552.patch.sig
-rw-r--r-- 1 mr mr 836 Oct 18 18:27 linux-3.11.6.tar.sign
-rw-r--r-- 1 mr mr 73928040 Oct 29 13:08 linux-3.11.6.tar.xz
me@mybox:/some-dir/download-dir$ gpg --verify grsecurity-2.9.1-3.11.6-201310271552.patch.sig
gpg: Signature made Sun 27 Oct 2013 07:54:01 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ gpg --verify gradm-2.9.1-201309161709.tar.gz.sig
gpg: Signature made Mon 16 Sep 2013 09:10:02 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500 E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ xz
xz xzcat xzcmp xzdiff xzegrep xzfgrep xzgrep xzless xzmore
# filename after 'linux-3.11.'
me@mybox:/some-dir/download-dir$ xz linux-3.11.
linux-3.11.3.tar linux-3.11.3.tar.sign linux-3.11.6.tar.sign
# This is the actual command
me@mybox:/some-dir/download-dir$ unxz linux-3.11.6.tar.xz
me@mybox:/some-dir/download-dir$ gpg --verify linux-3.11.6.tar.sign
gpg: Signature made Fri 18 Oct 2013 06:24:39 PM UTC using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
me@mybox:/some-dir/src$ tar tvf ../download-dir/linux-3.11.6.tar
drwxrwxr-x root/root 0 2013-10-18 18:24 linux-3.11.6/
-rw-rw-r-- root/root 1097 2013-10-18 18:24 linux-3.11.6/.gitignore
-rw-rw-r-- root/root 4465 2013-10-18 18:24 linux-3.11.6/.mailmap
-rw-rw-r-- root/root 18693 2013-10-18 18:24 linux-3.11.6/COPYING
-rw-rw-r-- root/root 95317 2013-10-18 18:24 linux-3.11.6/CREDITS
drwxrwxr-x root/root 0 2013-10-18 18:24 linux-3.11.6/Documentation/
-rw-rw-r-- root/root 107 2013-10-18 18:24 linux-3.11.6/Documentation/.gitignore
-rw-rw-r-- root/root 16957 2013-10-18 18:24 linux-3.11.6/Documentation/00-INDEX
drwxrwxr-x root/root 0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/
-rw-rw-r-- root/root 3284 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/README
drwxrwxr-x root/root 0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/
-rw-rw-r-- root/root 248 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
-rw-rw-r-- root/root 1296 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
-rw-rw-r-- root/root 1063 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
-rw-rw-r-- root/root 2820 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
-rw-rw-r-- root/root 3657 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
-rw-rw-r-- root/root 3767 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
drwxrwxr-x root/root 0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/removed/
-rw-rw-r-- root
...[snip]...
me@mybox:/some-dir/src$ tar xvf ../download-dir/linux-3.11.6.tar
linux-3.11.6/
linux-3.11.6/.gitignore
linux-3.11.6/.mailmap
linux-3.11.6/COPYING
linux-3.11.6/CREDITS
linux-3.11.6/Documentation/
linux-3.11.6/Documentation/.gitignore
linux-3.11.6/Documentation/00-INDEX
linux-3.11.6/Documentation/ABI/
linux-3.11.6/Documentation/ABI/README
linux-3.11.6/Documentation/ABI/obsolete/
linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
linux-3.11.6/Documentation/ABI/removed/
linux-3.11.6/Doc
...[snip]...
me@mybox:/some-dir/src$ ls -l
total 4
drwxr-xr-x 23 mr mr 4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ ls -l linux-3.11.6/
total 548
drwxr-xr-x 32 mr mr 4096 Oct 18 18:24 arch
drwxr-xr-x 3 mr mr 4096 Oct 18 18:24 block
-rw-r--r-- 1 mr mr 18693 Oct 18 18:24 COPYING
-rw-r--r-- 1 mr mr 95317 Oct 18 18:24 CREDITS
drwxr-xr-x 4 mr mr 4096 Oct 18 18:24 crypto
drwxr-xr-x 101 mr mr 12288 Oct 18 18:24 Documentation
drwxr-xr-x 112 mr mr 4096 Oct 18 18:24 drivers
drwxr-xr-x 36 mr mr 4096 Oct 18 18:24 firmware
drwxr-xr-x 73 mr mr 4096 Oct 18 18:24 fs
drwxr-xr-x 27 mr mr 4096 Oct 18 18:24 include
drwxr-xr-x 2 mr mr 4096 Oct 18 18:24 init
drwxr-xr-x 2 mr mr 4096 Oct 18 18:24 ipc
-rw-r--r-- 1 mr mr 2536 Oct 18 18:24 Kbuild
-rw-r--r-- 1 mr mr 252 Oct 18 18:24 Kconfig
drwxr-xr-x 12 mr mr 4096 Oct 18 18:24 kernel
drwxr-xr-x 11 mr mr 4096 Oct 18 18:24 lib
-rw-r--r-- 1 mr mr 260046 Oct 18 18:24 MAINTAINERS
-rw-r--r-- 1 mr mr 48517 Oct 18 18:24 Makefile
drwxr-xr-x 2 mr mr 4096 Oct 18 18:24 mm
drwxr-xr-x 56 mr mr 4096 Oct 18 18:24 net
-rw-r--r-- 1 mr mr 18736 Oct 18 18:24 README
-rw-r--r-- 1 mr mr 7485 Oct 18 18:24 REPORTING-BUGS
drwxr-xr-x 12 mr mr 4096 Oct 18 18:24 samples
drwxr-xr-x 13 mr mr 4096 Oct 18 18:24 scripts
drwxr-xr-x 9 mr mr 4096 Oct 18 18:24 security
drwxr-xr-x 22 mr mr 4096 Oct 18 18:24 sound
drwxr-xr-x 17 mr mr 4096 Oct 18 18:24 tools
drwxr-xr-x 2 mr mr 4096 Oct 18 18:24 usr
drwxr-xr-x 3 mr mr 4096 Oct 18 18:24 virt
me@mybox:/some-dir/src$ cp -aiv ../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch .
‘../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch’ -> ‘./grsecurity-2.9.1-3.11.6-201310271552.patch’
me@mybox:/some-dir/src$ ls -l
total 3656
-rw-r--r-- 1 mr mr 3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
drwxr-xr-x 23 mr mr 4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ cd linux-3.11.6/
me@mybox:/some-dir/src/linux-3.11.6$ patch -p1 < ../grsecurity-2.9.1-3.11.6-201310271552.patch
patching file Documentation/dontdiff
patching file Documentation/kernel-parameters.txt
patching file Makefile
patching file arch/alpha/include/asm/atomic.h
patching file arch/alpha/include/asm/cache.h
patching file arch/alpha/include/asm/elf.h
patching file arch/alpha/include/asm/pgalloc.h
patching file arch/alpha/include/asm/pgtable.h
patching file arch/alpha/kernel/module.c
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/arm/Kconfig
patching file arch/arm/include/asm/atomic.h
patching file arch/arm/include/asm/cache.h
patching file arch/arm/include/asm/cacheflush.h
patching file arch/arm/include/asm/checksum.h
patching file arch/arm/include/asm/cmpxchg.h
patching file arch/arm/include/asm/domain.h
patching file arch/arm/include/asm/elf.h
patching file arch/arm/include/asm/fncpy.h
patching file arch/arm/include/asm/futex.h
patching file arch/arm/include/asm/kmap_types.h
patching file arch/arm/include/asm/mach/dma.h
patching file arch/arm/include/asm/mach/map.h
patching file arch/arm/include/asm/outercache.h
patching file arch/arm/include/asm/page.h
...[snip]...
patching file tools/gcc/constify_plugin.c
patching file tools/gcc/generate_size_overflow_hash.sh
patching file tools/gcc/kallocstat_plugin.c
patching file tools/gcc/kernexec_plugin.c
patching file tools/gcc/latent_entropy_plugin.c
patching file tools/gcc/size_overflow_hash.data
patching file tools/gcc/size_overflow_plugin.c
patching file tools/gcc/stackleak_plugin.c
patching file tools/gcc/structleak_plugin.c
patching file tools/lib/lk/Makefile
patching file tools/perf/util/include/asm/alternative-asm.h
patching file tools/perf/util/include/linux/compiler.h
patching file virt/kvm/kvm_main.c
me@mybox:/some-dir/src/linux-3.11.6$
## We now have Grsec/Pax patched kernel ###
####################################################
Part 2 is to follow.
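
The gpg checks in the transcript above end in "Good signature" together with the "not certified with a trusted signature" warning, so what actually identifies the signer is the primary key fingerprint. As an added example (not part of the original post), this script pins the two fingerprints printed in the post and accepts a file only when gpg's machine-readable status reports a valid signature from that exact key; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Fingerprints are copied from the
# gpg output shown in the post; confirm them out of band before pinning them.
SPENDER_FPR=9F74393D7E7FFF3C6500E7789879B6494245D46A
GREGKH_FPR=647F28654894E3BD457199BE38DBBDC86092693E

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# (last VALIDSIG field). Fail on bad/expired/revoked results, or when there is
# not exactly one VALIDSIG line.
fpr_from_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         $2 == "VALIDSIG" { fpr = $NF; n++ }
         END { if (bad || n != 1) exit 1; print fpr }'
}

# status_matches PINNED_FPR: succeed only if stdin shows one valid signature
# whose primary key is the pinned one.
status_matches() {
    got=$(fpr_from_status) || return 1
    [ "$got" = "$1" ]
}

# verify_pinned PINNED_FPR SIGFILE DATAFILE: the real check. The kernel
# signature covers the uncompressed tar (hence the unxz step in the post):
#   verify_pinned "$GREGKH_FPR" linux-3.11.6.tar.sign linux-3.11.6.tar
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | status_matches "$1"
}

# Constructed status output: a valid signature by the pinned grsecurity key.
sample_pinned() {
    cat <<EOF
[GNUPG:] GOODSIG 9879B6494245D46A Bradley Spengler (spender) <spender@grsecurity.net>
[GNUPG:] VALIDSIG $SPENDER_FPR 2013-10-27 1382903641 0 4 0 17 2 00 $SPENDER_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed status output: a mathematically valid signature by some other
# key that carries the same user ID (made-up fingerprint).
sample_lookalike() {
    cat <<EOF
[GNUPG:] GOODSIG 89ABCDEF01234567 Bradley Spengler (spender) <spender@grsecurity.net>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-10-27 1382903641 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
EOF
}
```

The lookalike sample would still print "Good signature from Bradley Spengler" in gpg's human-readable output, which is why the comparison is made on the fingerprint and not on the name.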