Linux kernel maintenance

We build and publish our own Linux kernels with additional grsecurity hardening patches. This process is automated in the kernel-builder repository.

  1. Follow the instructions in kernel-builder for building and uploading new kernel packages.

  2. Once the new packages have been reviewed and merged in the securedrop-apt-test repository, they will be automatically tested on the hardware we maintain in our kernel test farm.

  3. Wait for sdcibot to file a New Linux kernel ticket (example) in the securedrop repository with its test results.

  4. The packages can then be promoted to securedrop-apt-prod.

Testing a new kernel manually

These are the steps sdcibot performs in its automatic testing of new kernel packages on all of our recommended hardware:

  1. Install the new kernel packages on your Monitor Server using unattended-upgrades, e.g. sudo apt update && sudo unattended-upgrades --debug, or wait for the automatic nightly upgrade.

  2. Reboot. Verify with uname -r that you are using the new kernel.

  3. If it doesn’t boot, see the Troubleshooting Kernel Updates documentation.

  4. Install the paxtest package, run it with sudo paxtest blackhat, and verify that it doesn’t return any new errors or warnings compared with the previous kernel.

  5. Install spectre-meltdown-checker and the binutils package, run it with sudo ./meltdown-checker, and verify that it doesn’t return any errors or warnings.

  6. Upgrade your Application Server to the new kernel and reboot.
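As an added example (not code from the SecureDrop documentation or the kernel-builder repository), the following POSIX shell helpers cover the checks in steps 2, 4 and 5: confirming that the running kernel is the one just installed, normalising paxtest output so two runs can be diffed for new errors, and counting VULNERABLE verdicts from spectre-meltdown-checker. The output formats it parses are assumptions about those tools, and the sample outputs embedded below are constructed, not captured from the test farm.

```shell
#!/bin/sh
# Added example, not from the SecureDrop docs or kernel-builder.
# Helpers for the manual kernel checks: confirm the running kernel,
# normalise paxtest output, compare it with the previous kernel's run,
# and count VULNERABLE verdicts from spectre-meltdown-checker.
# Parsed output formats are assumptions; sample data is constructed.

# Step 2: does the running kernel match the version we just installed?
# $1 = expected version, $2 = running version (defaults to `uname -r`)
kernel_matches() {
    running="${2:-$(uname -r)}"
    [ "$running" = "$1" ]
}

# Step 4: turn paxtest's "<test name>   : <verdict>" lines into sorted
# "name|verdict" records so two runs can be compared line by line.
paxtest_verdicts() {
    awk -F' : ' 'NF == 2 {
        gsub(/ +$/, "", $1); gsub(/^ +/, "", $2)
        print $1 "|" $2
    }' | sort
}

# Count normalised records whose verdict is Vulnerable.
count_vulnerable() {
    awk -F'|' '$2 ~ /Vulnerable/ { n++ } END { print n + 0 }'
}

# Report tests whose verdict in the current run ($2) differs from the
# baseline run ($1): these are the "new errors or warnings" the checklist
# asks about. Both arguments are files produced by paxtest_verdicts.
paxtest_regressions() {
    awk -F'|' '
        NR == FNR { base[$1] = $2; next }
        !($1 in base) { print $1 ": new test -> " $2; next }
        base[$1] != $2 { print $1 ": " base[$1] " -> " $2 }
    ' "$1" "$2"
}

# Step 5: spectre-meltdown-checker prints one "STATUS:" line per CVE
# (assumed format); count those that say VULNERABLE, excluding
# "NOT VULNERABLE".
smc_vulnerable_count() {
    awk '/STATUS:/ && /VULNERABLE/ && !/NOT VULNERABLE/ { n++ } END { print n + 0 }'
}

# Constructed sample outputs (not real hardware results).
SAMPLE_PAXTEST_OLD='Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable heap                          : Killed
Writable text segments                   : Killed'
SAMPLE_PAXTEST_NEW='Executable anonymous mapping             : Killed
Executable bss                           : Vulnerable
Executable heap                          : Killed
Writable text segments                   : Killed'
SAMPLE_SMC='CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)'

# Run the comparison on the constructed samples. On a real Monitor Server,
# feed it the saved output of the previous kernel's `sudo paxtest blackhat`
# run and the new run instead.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PAXTEST_OLD" | paxtest_verdicts > "$dir/baseline"
    printf '%s\n' "$SAMPLE_PAXTEST_NEW" | paxtest_verdicts > "$dir/current"
    echo "paxtest regressions since the previous kernel:"
    paxtest_regressions "$dir/baseline" "$dir/current"
    echo "spectre-meltdown-checker VULNERABLE verdicts: $(printf '%s\n' "$SAMPLE_SMC" | smc_vulnerable_count)"
    rm -rf "$dir"
}

demo
```

Keeping the normalised paxtest output from the last known-good kernel as a baseline file is what makes "no new errors" checkable rather than a matter of eyeballing; the regression report above prints nothing when the two runs agree.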

You may optionally also:

  1. Run basic smoke tests of SecureDrop by verifying you can send a submission and a journalist can reply.