Skip to content

rocodes/kernel-builder

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

kernel-builder

A small suite of tools to build a Linux kernel, optionally patched with grsecurity.

Getting started

Make sure you have docker installed. Then just run ./go.sh, which contains:

mkdir -p /tmp/kernels
docker run -it \
    -e GRSECURITY_USERNAME \
    -e GRSECURITY_PASSWORD \
    -e GRSECURITY=1 \
    -v /tmp/kernels:/output \
    quay.io/conorsch/kernel-builder

The script will look up the most recent stable Linux version from https://www.kernel.org and build that. Artifacts will be available in /tmp/kernels/ afterward.

Enabling grsecurity patches

You must have a grsecurity subscription in order to fetch the patches for use in building. Export your credentials:

export GRSECURITY_USERNAME=foo
export GRSECURITY_PASSWORD=bar
./go.sh

The resulting packages will used the patch set.

Including arbitrary patches

You can mount in any set of patches to be applied to the kernel source prior to building. Store the patches in a directory, then mount that directory into the container at /patches. The build script will loop over all files in that dir and apply each patch prior to building.

Using a custom kernel config

Since the build uses docker, the host machine's kernel and config are visible to the build environment, and will be included via make olddefconfig prior to building. If you wish to provide a different kernel config, mount the file at /config inside the container. It will be copied into place prior to building. Note that make olddefconfig will be run regardless to ensure the latest options have been applied.

Where on my files?

Check /tmp/kernels/ on the host machine. You can mount any directory to /output inside the container, and that's where the packages will be stored. By default, the build script attempts to save .deb packages and .tar.gz, the source tarball.

Rereferences

These configurations were developed by Freedom of the Press Foundation for use in all SecureDrop instances. Experienced sysadmins can leverage these roles to compile custom kernels for SecureDrop or non-SecureDrop projects.

The logic here is intended to supersede the legacy build logic at https://github.com/freedomofpress/ansible-role-grsecurity-build/.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 59.4%
  • Shell 30.3%
  • Dockerfile 10.3%