README.md
kernel-builder

A small suite of tools to build a Linux kernel, optionally patched with grsecurity.

Getting started

Make sure you have docker installed. Then just run ./go.sh, which contains:

mkdir -p /tmp/kernels
docker run -it \
    -e GRSECURITY_USERNAME \
    -e GRSECURITY_PASSWORD \
    -e GRSECURITY=1 \
    -v /tmp/kernels:/output \
    quay.io/conorsch/kernel-builder

The script will look up the most recent stable Linux version from https://www.kernel.org and build that. Artifacts will be available in /tmp/kernels/ afterward.

Enabling grsecurity patches

You must have a grsecurity subscription in order to fetch the patches for use in building. Export your credentials:

export GRSECURITY_USERNAME=foo
export GRSECURITY_PASSWORD=bar
./go.sh

The resulting packages will include the grsecurity patch set.

Including arbitrary patches

You can mount in any set of patches to be applied to the kernel source prior to building. Store the patches in a directory, then mount that directory into the container at /patches. The build script will loop over all files in that directory and apply each patch prior to building.

Using a custom kernel config

Since the build uses docker, the host machine's kernel and config are visible to the build environment, and will be included via make olddefconfig prior to building. If you wish to provide a different kernel config, mount the file at /config inside the container. It will be copied into place prior to building. Note that make olddefconfig will be run regardless to ensure the latest options have been applied.
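The two steps above, applying everything under /patches and copying a custom config into place, are easy to get wrong in a way that leaves a half-patched tree. The script below is an added example written for this README; it is not the project's own go.sh or build script. It models those steps as shell functions with one safeguard the text does not mention: each patch is dry-run first, so a patch that no longer applies to the fetched kernel version aborts the build before any file is modified. It assumes GNU patch (for --dry-run) and uses a constructed two-line Makefile and two constructed patches as sample input, not real kernel sources.

```shell
#!/bin/sh
# Added example, not the kernel-builder project's code. Assumes GNU patch.
set -u

# apply_patches SRC_DIR PATCH_DIR
# Applies every regular file in PATCH_DIR to SRC_DIR in sorted (glob) order.
# Returns 0 when all patches applied, 1 on the first patch that fails its dry run.
apply_patches() {
    src="$1"; pdir="$2"
    [ -d "$pdir" ] || { echo "no patch dir $pdir, nothing to apply"; return 0; }
    # Name patches 0001-..., 0002-... so the order is deterministic.
    for f in "$pdir"/*; do
        [ -f "$f" ] || continue            # skip subdirectories and empty globs
        p=$(basename "$f")
        # Dry run first: refuse to touch the tree if a hunk does not apply cleanly.
        if ! patch -d "$src" -p1 -s --dry-run < "$f" >/dev/null 2>&1; then
            echo "patch $p does not apply cleanly; aborting build" >&2
            return 1
        fi
        patch -d "$src" -p1 -s < "$f"
        echo "applied $p"
    done
    return 0
}

# install_config SRC_DIR CONFIG_FILE
# Mirrors the /config mount: copy a user-supplied config into place if present.
# In the real build, make olddefconfig would run afterwards; it is not run here.
install_config() {
    src="$1"; cfg="$2"
    if [ -f "$cfg" ]; then
        cp "$cfg" "$src/.config"
        echo "installed custom config"
    else
        echo "no custom config supplied, keeping existing .config"
    fi
}

# make_demo_tree DIR
# Constructed sample input: a tiny "source tree", one patch that applies,
# one that does not, and a custom config. None of this is real kernel content.
make_demo_tree() {
    d="$1"
    mkdir -p "$d/src" "$d/patches-good" "$d/patches-bad"
    printf 'VERSION = 1\nNAME = demo\n' > "$d/src/Makefile"
    cat > "$d/patches-good/0001-rename.patch" <<'EOF'
--- a/Makefile
+++ b/Makefile
@@ -1,2 +1,2 @@
 VERSION = 1
-NAME = demo
+NAME = patched
EOF
    # This hunk expects a line that is not in the tree, so it must be rejected.
    cat > "$d/patches-bad/0001-broken.patch" <<'EOF'
--- a/Makefile
+++ b/Makefile
@@ -1,2 +1,2 @@
 VERSION = 1
-NAME = something-else
+NAME = broken
EOF
    printf 'CONFIG_DEMO=y\n' > "$d/custom.config"
}
```

To try it, source the file, run `make_demo_tree "$(mktemp -d)"`, then call `apply_patches DIR/src DIR/patches-good` (succeeds and rewrites Makefile) and `apply_patches DIR/src DIR/patches-bad` (returns 1 and leaves Makefile untouched). The dry run is the point: in a container build there is no one to inspect a .rej file, so a non-applying patch should fail the job loudly rather than produce a kernel that silently lacks a hardening change.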

Where are my files?

Check /tmp/kernels/ on the host machine. You can mount any directory to /output inside the container, and that's where the packages will be stored. By default, the build script saves the .deb packages and a .tar.gz source tarball.

References

These configurations were developed by Freedom of the Press Foundation for use in all SecureDrop instances. Experienced sysadmins can leverage these roles to compile custom kernels for SecureDrop or non-SecureDrop projects.

The logic here is intended to supersede the legacy build logic at https://github.com/freedomofpress/ansible-role-grsecurity-build/.