How do I get a grsecurity-patched kernel working? It fails to boot.


I’m trying to compile a Linux kernel with a grsecurity patch on Debian 10.3. The compilation works, the package installs, but upon trying to boot to it, it reboots as soon as it says “Booting from Hark Disk”.

I’m using the following kernel, which is a 4.9.74 patched with the last publicly-available grsecurity patch. Note that even though grsecurity went private, this isn’t piracy, as grsecurity is licensed under the GPL (and they violated the license by going private).

The sources for the kernel I’m compiling are here:

Commands run:

$ sudo apt-get install build-essential linux-source bc kmod cpio flex cpio libncurses5-dev libssl-dev git libelf-dev binutils-dev gcc-8-plugin-dev paxtest paxctl
$ git clone --single-branch --branch=linux-4.9.x-unofficial_grsec git://
$ cd linux-unofficial_grsec
$ cp /boot/config-4.19.0-8-cloud-amd64 ./.config
$ make menuconfig

I then configured it as needed. .config file is available here:

I had to do a few fixes to get it to compile, using the following information:

I then compiled with this command: $ make deb-pkg

After compilation, I then installed the .deb files with dpkg -i.

I then attached a kvm console to the droplet and rebooted it. I chose the new kernel in the grub menu and it wouldn’t boot. It tries to load the kernel and sayd “Booting from Hark Disk” and then reboots back to the grub menu without any visible error messages.

Any suggestions? I need grsecurity as part of my server hardening strategy and am really bothered that I’m running without grsecurity. Hope someone can help.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer