Linux kernel maintenance

We build and publish our own Linux kernels with additional grsecurity hardening patches. The kernel-builder repository contains scripts that fetch upstream kernel tarballs plus grsecurity patches and produce Debian packages.

Testing a new kernel

The following steps should be performed for all of the recommended hardware:

  1. Install the new kernel packages on your Monitor Server using unattended-upgrades, e.g. sudo apt update && sudo unattended-upgrades --debug, or wait for the automatic nightly upgrade.

  2. Reboot. Verify with uname -r that you are using the new kernel.

  3. If it doesn’t boot, see the Troubleshooting Kernel Updates documentation.

  4. Install the paxtest package, run with sudo paxtest blackhat, and verify it doesn’t return any new errors or warnings.

  5. Install spectre-meltdown-checker and the binutils package, run with sudo ./meltdown-checker, and verify it doesn’t return any errors or warnings.

  6. Upgrade your Application Server to the new kernel and reboot.

  7. Run basic smoke tests of SecureDrop by verifying you can send a submission and a journalist can reply.
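
Steps 2 and 4 ask whether the new kernel is running and whether paxtest reports anything new. The script below is an added example, not part of the kernel-builder repository, that compares a paxtest log saved under the previous kernel with one from the new kernel. The function names, the "<test name> : <result>" line layout, the "Vulnerable" keyword and the sample logs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the kernel-builder repository.
# Assumption: paxtest result lines read "<test name> : <result>" and a missing
# protection is reported as "Vulnerable". The sample logs below are constructed.

# kernel_is EXPECTED [ACTUAL]: step 2, confirm the host booted the new kernel.
kernel_is() { [ "${2:-$(uname -r)}" = "$1" ]; }

# paxtest_regressions BASELINE_LOG NEW_LOG: step 4, list tests that are
# Vulnerable on the new kernel but were not in the baseline. Returns 1 if any.
paxtest_regressions() {
    awk -F ' *: *' '
        NF < 2 { next }                                  # banner, blank lines
        FILENAME == ARGV[1] { base[$1] = $2; next }      # remember baseline
        { was = ($1 in base) ? base[$1] : "not tested" }
        $2 ~ /^Vulnerable/ && was !~ /^Vulnerable/ {
            printf "REGRESSION: %s (was: %s)\n", $1, was
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed demo: one test regresses, one was already failing before.
paxtest_demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/old.log" <<'EOF'
Test results:
Executable anonymous mapping             : Killed
Executable stack                         : Killed
Return to function (memcpy)              : Vulnerable
EOF
    cat > "$dir/new.log" <<'EOF'
Test results:
Executable anonymous mapping             : Killed
Executable stack                         : Vulnerable
Return to function (memcpy)              : Vulnerable
EOF
    paxtest_regressions "$dir/old.log" "$dir/new.log"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

paxtest_demo || echo "paxtest regressed: do not promote this kernel"
```

Only results that changed to Vulnerable are reported, so a test that already failed under the previous kernel does not block the upgrade on its own.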