Linux kernel maintenance

We build and publish our own Linux kernels with additional grsecurity hardening patches. The kernel-builder repository contains scripts that fetch upstream kernel tarballs plus grsecurity patches and produce Debian packages.

Testing a new kernel

The following steps should be performed for all of the recommended hardware:

  1. Install the new kernel packages on your Monitor Server, then reboot. Verify with uname -r that you are using the new kernel.

  2. If it doesn’t boot, see the Troubleshooting Kernel Updates documentation.

  3. Verify paxtest doesn’t return any errors or warnings.

  4. Verify the spectre-meltdown-checker doesn’t return any errors or warnings.

  5. Upgrade your Application Server to the new kernel and reboot.

  6. Run basic smoke tests of SecureDrop by verifying you can send a submission and a journalist can reply.
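
The checks in steps 1, 3 and 4 can be scripted so each test machine gets the same pass/fail decision. The following is an added example, not part of the kernel-builder repository. The function names, the release string and the sample logs are constructed, and it assumes paxtest writes "<test> : <result>" lines and that the checker was run in a mode that prints one "CVE-…: STATUS (detail)" line per CVE.

```shell
#!/bin/sh
# Added example: post-reboot checks for steps 1, 3 and 4 (hypothetical helper names).

# Step 1: the running release must equal the release of the package just installed.
kernel_matches() {  # $1 = expected release, $2 = running release (default: uname -r)
    running="${2:-$(uname -r)}"
    [ "$running" = "$1" ]
}

# Step 3: print paxtest result lines that report "Vulnerable".
# Assumption: paxtest's "<test name> : <result>" log layout.
paxtest_failures() {
    grep -E ':[[:space:]]*Vulnerable[[:space:]]*$' || true
}

# Step 4: print every CVE line whose status is anything other than OK,
# so unknown results are treated as failures, not silently passed.
smc_failures() {
    awk '/^CVE-[0-9]+-[0-9]+:/ && $2 != "OK" { print }'
}

# Run all three checks on captured output; non-zero return means "do not ship".
check_all() {  # $1 expected release, $2 running release, $3 paxtest log, $4 checker log
    rc=0
    kernel_matches "$1" "$2" || { echo "FAIL kernel: running $2, expected $1"; rc=1; }
    bad=$(printf '%s\n' "$3" | paxtest_failures)
    [ -z "$bad" ] || { echo "FAIL paxtest:"; echo "$bad"; rc=1; }
    bad=$(printf '%s\n' "$4" | smc_failures)
    [ -z "$bad" ] || { echo "FAIL spectre-meltdown-checker:"; echo "$bad"; rc=1; }
    return $rc
}

# Constructed sample data (placeholder CVE ids, not output from a real server).
EXPECTED='0.0.0-example-grsec'
SAMPLE_PAXTEST='Executable anonymous mapping             : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable'
SAMPLE_SMC='CVE-0000-0001: OK (constructed detail)
CVE-0000-0002: VULN (constructed detail)
CVE-0000-0003: UNK (constructed detail)'

check_all "$EXPECTED" "$EXPECTED" "$SAMPLE_PAXTEST" "$SAMPLE_SMC" \
    || echo "Kernel failed verification; do not upgrade the Application Server."
```

On a real Monitor Server, pass the captured tool output as the third and fourth arguments and omit the second so that `uname -r` is used.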