Question
How do I get a grsecurity-patched kernel working? It fails to boot.
Hello,
I’m trying to compile a Linux kernel with a grsecurity patch on Debian 10.3. The compilation works, the package installs, but upon trying to boot to it, it reboots as soon as it says “Booting from Hard Disk”.
I’m using the following kernel, which is a 4.9.74 patched with the last publicly-available grsecurity patch. Note that even though grsecurity went private, this isn’t piracy, as grsecurity is licensed under the GPL (and they violated the license by going private).
The sources for the kernel I’m compiling are here: https://github.com/minipli/linux-unofficial_grsec
Commands run:
$ sudo apt-get install build-essential linux-source bc kmod cpio flex cpio libncurses5-dev libssl-dev git libelf-dev binutils-dev gcc-8-plugin-dev paxtest paxctl
$ git clone --single-branch --branch=linux-4.9.x-unofficial_grsec git://github.com/minipli/linux-unofficial_grsec.git
$ cd linux-unofficial_grsec
$ cp /boot/config-4.19.0-8-cloud-amd64 ./.config
$ make menuconfig
I then configured it as needed. .config file is available here:
https://pastebin.com/81GMuR9U
I had to do a few fixes to get it to compile, using the following information:
https://github.com/torvalds/linux/commit/ad343a98e74e85aa91d844310e797f96fee6983b
https://lore.kernel.org/patchwork/patch/934722/
https://unix.stackexchange.com/questions/293642/attempting-to-compile-kernel-yields-a-certification-error
I then compiled with this command:
$ make deb-pkg
After compilation, I then installed the .deb files with dpkg -i.
I then attached a kvm console to the droplet and rebooted it. I chose the new kernel in the grub menu and it wouldn’t boot. It tries to load the kernel and says “Booting from Hard Disk” and then reboots back to the grub menu without any visible error messages.
Any suggestions? I need grsecurity as part of my server hardening strategy and am really bothered that I’m running without grsecurity. Hope someone can help.