Linux kernel maintenance
We build and publish our own Linux kernels with additional grsecurity hardening patches. This process is automated in the kernel-builder repository.
Follow the instructions in kernel-builder for building and uploading new kernel packages.
Once the new packages have been reviewed and merged in the securedrop-apt-test repository, they will be automatically tested on the hardware we maintain in our kernel test farm.
Wait for sdcibot to file a "New Linux kernel" ticket (example) in the securedrop repository with its test results. The packages can then be promoted to securedrop-apt-prod.
Testing a new kernel manually
These are the steps sdcibot performs in its automatic testing of new kernel packages on all of our recommended hardware:
1. Install the new kernel packages on your Monitor Server using unattended-upgrades, e.g. sudo apt update && sudo unattended-upgrades --debug, or wait for the automatic nightly upgrade.
2. Reboot. Verify with uname -r that you are using the new kernel. If it doesn't boot, see the Troubleshooting Kernel Updates documentation.
3. Install the paxtest package, run it with sudo paxtest blackhat, and verify it doesn't return any new errors or warnings.
4. Install spectre-meltdown-checker and the binutils package, run it with sudo ./meltdown-checker, and verify it doesn't return any errors or warnings.
5. Upgrade your Application Server to the new kernel and reboot.
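As an added example (not from the SecureDrop docs or kernel-builder), a POSIX shell helper that automates the verification half of the reboot, paxtest and spectre-meltdown-checker steps above: it compares uname -r with the version you installed and scans both tools' output for vulnerable results. The output line formats, the ./meltdown-checker path and the EXPECTED/RUN_LIVE variables are assumptions, and the sample reports are constructed.

```shell
#!/bin/sh
# Added example for the manual kernel checks; not from the SecureDrop docs
# or kernel-builder. It assumes the line formats of paxtest and
# spectre-meltdown-checker output shown in the constructed samples below.
# 0 when the running kernel version equals the version that was installed.
kernel_is_current() {
    [ "$1" = "$2" ]
}

# Count paxtest lines whose result is "Vulnerable" (a missing mitigation).
count_paxtest_vulnerable() {
    printf '%s\n' "$1" | awk '/: Vulnerable/ { n++ } END { print n + 0 }'
}

# Count spectre-meltdown-checker "STATUS:  VULNERABLE" lines; "NOT VULNERABLE"
# does not match because "NOT" sits between STATUS: and VULNERABLE.
count_smc_vulnerable() {
    printf '%s\n' "$1" | awk '/STATUS:[[:space:]]*VULNERABLE/ { n++ } END { print n + 0 }'
}

# Overall verdict: running version, expected version, paxtest output,
# checker output. 0 only if the kernel matches and both reports are clean.
kernel_checks_pass() {
    kernel_is_current "$1" "$2" || return 1
    [ "$(count_paxtest_vulnerable "$3")" -eq 0 ] || return 1
    [ "$(count_smc_vulnerable "$4")" -eq 0 ]
}

# Constructed sample reports (not real tool output from any host).
PAXTEST_CLEAN='Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed'
PAXTEST_BAD='Executable anonymous mapping             : Killed
Executable data                          : Vulnerable'
SMC_CLEAN='* STATUS:  NOT VULNERABLE  (mitigation present)'
SMC_BAD='* STATUS:  NOT VULNERABLE  (mitigation present)
* STATUS:  VULNERABLE  (no mitigation)'

# Live run on a server with the commands the procedure names; set EXPECTED to
# the version you installed, e.g. EXPECTED=<version> RUN_LIVE=1 sh verify.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    if kernel_checks_pass "$(uname -r)" "$EXPECTED" \
            "$(sudo paxtest blackhat)" "$(sudo ./meltdown-checker)"; then
        echo "kernel checks passed"
    else
        echo "kernel checks FAILED" >&2
        exit 1
    fi
fi
```

Without RUN_LIVE=1 the script only defines the helpers and samples, so it can be sourced and exercised on a workstation before being copied to a server.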
You may optionally also:
Run basic smoke tests of SecureDrop by verifying you can send a submission and a journalist can reply.